ISO 27001 Management Review is Clause 9.3 of ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection — Information security management systems — Requirements) and is a mandatory requirement: an organisation cannot achieve or retain ISO 27001 certification without evidence that top management reviews the ISMS.
What is ISO 27001 Clause 9.3?
ISO 27001:2022 Clause 9.3.1 General – New clause
The 2022 revision splits Clause 9.3 into three numbered subclauses (9.3.1, 9.3.2 and 9.3.3); the underlying requirement to review the ISMS at planned intervals carries over from the 2013 edition, where 9.3 was a single undivided clause.
Top management shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
(ISO 27001:2022 Clause 9.3.1 General)
ISO 27001:2022 Clause 9.3.2 Management Review Inputs – New clause
The list of inputs matches the 2013 edition except for one addition: item c), changes in the needs and expectations of interested parties, is new in 2022, so a review agenda built for the 2013 standard needs that item added.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) changes in needs and expectations of interested parties that are relevant to the information security management system;
d) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives;
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan;
g) opportunities for continual improvement.
(ISO 27001:2022 Clause 9.3.2 Management Review Inputs)
ISO 27001:2022 Clause 9.3.3 Management Review Results – New clause
This subclause carries over the 2013 requirement for management review outputs; the 2022 edition renames "outputs" to "results" and rewords the evidence requirement as "documented information shall be available", which a certification auditor will expect to see as minutes or a signed record of each review.
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.
(ISO 27001:2022 Clause 9.3.3 Management Review Results)
ISO 27001:2022 Clause 9.3 Management Review