ISO 27001 Clause 9.3 Management Review is a performance evaluation control that requires top management to review the organisation’s ISMS at planned intervals. This process ensures the continued suitability, adequacy, and effectiveness of the security framework while aligning it with the strategic direction of the business.
ISO 27001:2022 Attributes
| Attribute | Value |
|---|---|
| Control Type | Administrative / Governance |
| Information Security Properties | Confidentiality, Integrity, Availability |
| Cybersecurity Concepts | Identify, Protect, Detect, Respond, Recover |
| Operational Capabilities | Governance, Performance Evaluation |
Implementation Difficulty & Cost
| Metric | Rating | Details |
|---|---|---|
| Difficulty | 3/5 | Requires high-level leadership engagement. |
| Implementation Cost | Low | Primary cost is executive and staff time. |
| Primary Owner | CISO / ISMS Manager | Prepares data and facilitates the review. |
| Accountability | CEO / Board | Ultimately accountable for ISMS effectiveness. |
ISO 27002 Control Guidance
In my experience, physical security trends should be a standard part of your review. You must evaluate the frequency of unauthorised access attempts or physical breaches. I often find that organisations ignore maintenance reports for security hardware during these meetings. Management should review whether physical controls such as locks and CCTV still match the current threat level of the office.
Technical performance evaluation requires looking at system availability and incident response times. I look for data that shows if your technical controls, such as firewalls or encryption, are performing as expected. You should present a summary of vulnerability scan results to the board. This allows leaders to understand the technical risks and approve budgets for necessary hardware or software upgrades.
Behavioural aspects of security are often the most overlooked in management reviews. You must analyse the results of your awareness programmes and phishing simulations. I find that staff negligence is a frequent root cause of incidents. Management must review these trends to decide if current training is effective. If behaviour does not improve, the review should trigger a change in the training strategy.
The Auditor’s Eye: Expert Insight
I often find that management reviews are treated as a box-ticking exercise by the CISO. When I audit this clause, I look for meeting minutes that show actual debate and challenge from the senior leaders. If the minutes are a simple “copy-paste” of the standard’s agenda without detail, I will likely issue a non-conformity. I want to see that the Board asked about the risk register or questioned why an audit was failed. I frequently perform “Camera Walkthroughs” of your minutes to see if decisions led to real resource changes.
10 Steps to Implement Clause 9.3 Management Review
- Define the Review Frequency: You must decide how often management will review the ISMS. While many firms choose an annual cycle, I find that quarterly reviews are more effective for fast-moving businesses. I look for this frequency documented in your ISMS Manual. Ensure you stick to the planned intervals to avoid a finding during your certification audit.
- Construct a Standard Agenda: Your agenda must include every mandatory input from Clause 9.3.2. This includes audit results, feedback from interested parties, and the status of actions from previous reviews. In my experience, using the ISO standard clauses as headers in your meeting minutes is the best way to prove compliance. I check that no mandatory topic is skipped.
- Identify Required Attendees: Top management must be present for the review to be valid. This usually includes the CEO, CTO, and heads of major business units. I look for an attendee list that matches your “Top Management” definition in Clause 5.1. If only the CISO attends, it is not a management review; it is just a security meeting.
- Compile Performance Data: Gather metrics from your security tools like Microsoft Intune or Jira. You should show trends in incidents, patch management, and system uptime. I often find that managers prefer visual charts over long lists of text. Ensure the data is accurate and reflects the period since the last review. This data forms the basis of management decisions.
- Review Risk Changes: Assess whether internal or external issues have changed your risk profile. I look for evidence that management reviewed the risk register. You should discuss new threats, such as emerging AI risks or changes in the legal environment. Management must confirm they are still comfortable with the current level of residual risk in the organisation.
- Evaluate Resource Adequacy: Discuss whether the security team has enough staff, budget, and tools. I find that many CISOs fail to ask for what they need during this meeting. You must document management’s decision on resource allocation. If a major project is delayed due to lack of staff, this must be recorded here to satisfy the auditor.
- Document Management Decisions: The standard requires “outputs” from the review. These must include decisions related to continual improvement and changes to the ISMS. I look for clear statements like “The Board decided to increase the cloud security budget.” Without documented decisions, you cannot prove that the review was effective. I search for these in your meeting minutes.
- Assign Actions and Deadlines: Every decision that requires work should be assigned to an owner with a target date. I recommend using Jira or a similar task manager to track these. In my experience, actions from management reviews often get forgotten until the next year. I will check the status of these actions during your next audit to ensure they were completed.
- Distribute Meeting Minutes: Send the final minutes to all attendees and relevant stakeholders. This ensures everyone is aware of the decisions made and their responsibilities. I check your email logs or SharePoint folders to verify that the information was shared. Clear communication is a hallmark of a mature security culture and an effective ISMS.
- Update the ISMS: Implement the changes agreed upon during the review. This might include updating policies, changing roles, or adding new controls. I look for the “feedback loop” where the management review leads to actual system updates. If the ISMS never changes after a review, it suggests the process is not driving improvement as intended.
Requirements by Environment
- Office: Focus on physical security incident reports, facility maintenance, and local network performance.
- Home: Review trends in remote access security, home-working compliance, and endpoint protection status.
- Cloud: Evaluate the performance of SaaS providers, uptime of cloud services, and the results of shared responsibility reviews.
The “Checkbox Compliance” Trap
| Requirement | SaaS Tool Trap | Auditor Reality |
|---|---|---|
| Management Review | Uploading a blank template to a portal. | I want to see the actual minutes of the meeting with named attendees. |
| Action Tracking | Marking items as “Done” without proof. | I will ask to see the physical or digital evidence of the completed action. |
| Resource Adequacy | Assuming budget is fine if no one complains. | I look for explicit management confirmation that resources are sufficient. |
10 Steps to Audit Clause 9.3 (Internal Audit Guide)
- Check the Schedule: Verify that the review took place at the planned interval defined in your policy.
- Verify Attendance: Check if senior leadership (as defined in the ISMS) actually attended the meeting.
- Review the Agenda: Compare the meeting agenda against the requirements in Clause 9.3.2.
- Check Previous Actions: Verify that the status of actions from the last review was discussed first.
- Look for Objective Data: Ensure the review was based on facts and metrics, not just opinions.
- Verify Risk Oversight: Check that management reviewed changes in the risk environment and objectives.
- Examine the Outputs: Look for specific decisions and actions recorded in the minutes.
- Trace Resource Approval: Verify that any resource requests were formally considered by management.
- Check Distribution: Confirm that the results of the review were communicated to the right people.
- Validate Improvement: See if the review led to any updates in the Corrective Action or Improvement logs.
Clause 9.3 Audit Evidence Checklist
| Evidence Item | Pass/Fail Criteria | Owner |
|---|---|---|
| Meeting Minutes | Must cover all mandatory inputs and include specific decisions. | CEO / CISO |
| Attendee List | Must prove Top Management participation. | ISMS Manager |
| Action Tracker | Must show assigned owners, deadlines, and current status. | ISMS Manager |
Required Policy Content: A Lead Auditor’s Checklist
- Review Interval: You must state how often the management review occurs.
- Attendee Requirements: You must list the specific roles required to form a “quorum” for the review.
- Mandatory Agenda: Your policy should list the 9.3.2 inputs to ensure they are never forgotten.
- Documentation Standards: Define how minutes and actions are recorded and where they are stored.
- Enforcement Clause: Must define the specific disciplinary path for non-compliance with management decisions.
What to Teach Employees
- Leadership Commitment: Inform staff that the ISMS is backed by the CEO and Board.
- The Purpose of the Review: Explain that it is a tool for improvement, not a performance appraisal.
- Reporting Upwards: Teach staff how their local data feeds into the high-level management reports.
Enforcement and Consequences
Failure to conduct a management review is a Major Non-Conformity. I follow a path of verbal warning followed by a formal written finding if evidence is missing. Continued failure to engage leadership leads to the suspension of your ISO 27001 certificate. Management must take an active role; delegation to the IT team alone is not sufficient.
Common Implementation Challenges
| Challenge | Root Cause | Solution |
|---|---|---|
| Disengaged Leaders | Security seen as an IT problem. | Present security as a business enabler and risk mitigator. |
| Vague Minutes | Poor administrative support. | Use a structured template that follows the ISO 27001 clauses. |
| Forgotten Actions | No centralized task tracking. | Integrate review actions into your existing Jira or project tools. |
Sample Statement of Applicability (SoA) Entry
“Clause 9.3 is applicable as it ensures our top management maintains oversight of ISMS effectiveness. We conduct reviews at six-monthly intervals, covering all mandatory inputs and recording decisions in formal minutes. This process drives our strategic security direction and ensures resources are allocated to the areas of highest risk.”
Changes from ISO 27001:2013
| 2013 Version | 2022 Version |
|---|---|
| Less emphasis on external issues. | Explicitly requires considering changes in external and internal issues. |
| Focused on the status of actions. | Adds “feedback from interested parties” as a more prominent input. |
How to Measure Effectiveness (KPIs)
- Review Completion Rate: 100% of planned management reviews held on schedule.
- Action Closure Rate: Percentage of actions from the review closed by the target date (Target: >90%).
- Executive Attendance: Percentage of required senior leaders present at each review meeting.
Related ISO 27001 Controls
- ISO 27001 Annex A 5.1: Management review ensures that your security policies stay relevant and effective.
- ISO 27001 Annex A 5.2: The review verifies that security roles are correctly assigned and functioning.
- ISO 27001 Annex A 5.37: Leaders review incident trends to improve the overall response capability.
Clause 9.3 FAQ
Can we perform the management review via email?
No. In my experience, email does not allow for the interactive debate and challenge that auditors look for. A formal meeting (physical or virtual) is required.
What if the CEO cannot attend?
A delegated authority with budget power can attend, but the CEO should review and sign the minutes to show their commitment.
How long should the meeting last?
There is no set time, but it must be long enough to cover the agenda thoroughly. Usually, 1 to 2 hours is sufficient for most SMEs.
Do we need a separate policy for this?
Not necessarily. You can include the management review process within your main ISMS Manual or Governance Policy.
Can an auditor ask to see our meeting minutes?
Yes. These are mandatory records. If you have confidential business items, you can redact them, but you must show the security-related decisions.
