Management Review for ISO 27001 Information Security
ISO 27001 Clause 9.3
This sub-clause requires top management to review the ISMS at planned intervals to confirm continuing suitability, adequacy and effectiveness, with structured inputs and outputs.
ISO 27001 Clause 9.3 - Management Review
Management review is the formal mechanism by which top management stays engaged with the ISMS. Clause 9.3 sets out what the review has to consider, what decisions it has to produce, and the documented information that has to be retained. It is one of the most prescriptive clauses in the standard.
What ISO 27001 Clause 9.3 Requires
Top management must review the ISMS at planned intervals to make sure it remains suitable, adequate and effective. The review must consider specific inputs and produce specific outputs, with documented information retained as evidence.
The Inputs to the Management Review
The standard requires the review to consider:

- the status of actions from previous management reviews;
- changes in external and internal issues relevant to the ISMS;
- changes in the needs and expectations of interested parties relevant to the ISMS;
- feedback on the information security performance, including trends in nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfilment of information security objectives;
- feedback from interested parties;
- the results of risk assessment and the status of the risk treatment plan;
- opportunities for continual improvement.
That is a long list. Most management reviews work through it section by section, with each section supported by a summary of the underlying records - a summary of internal audits rather than the audit reports themselves, a summary of incidents rather than every incident record. The review draws on the operational documentation without recreating it.
The Outputs of the Management Review
The outputs of the management review must include decisions related to continual improvement opportunities and any need for changes to the ISMS. These can be captured as a list of actions in the review record, fed into the issues and actions register and tracked through to closure.
The standard requires documented information to be retained as evidence of the results of management reviews. The review record covers who attended, what was discussed against each input, what was decided, and what actions were created.
How Often and How Long
The clause requires planned intervals but does not fix a frequency. For most organisations an annual full review works, with shorter management meetings in between covering operational items. The full review needs enough time for top management to engage properly with each input - typically a half-day or full-day meeting, depending on the size and complexity of the system.
The review assesses the suitability, adequacy and effectiveness of the ISMS. Suitability is whether the ISMS still fits what the organisation does. Adequacy is whether it is sufficient to meet the requirements placed on it. Effectiveness is whether it is actually achieving its intended outcomes. Each review touches all three, although the emphasis can vary from year to year.
The biggest mistake I see is treating management review as a formality. It is meant to be a real conversation about whether the management system is doing what it should. If everyone leaves the room with no decisions to action, the review has not achieved its purpose. A short meeting that produces three real decisions is worth more than a long meeting that produces minutes nobody reads.
I check the review record against the required inputs and outputs. Each input needs to be addressed somehow - even if just briefly. Each output decision needs to be traceable through to follow-up. If the record says 'improvement opportunities discussed' but there are no improvement actions in the issues register, the link is broken and the audit will dig further.
Practical Compliance Guidance
The management review template structures the review around the inputs required by Clause 9.3, with space to record the discussion and decisions against each input. The output actions are transferred to the issues and actions register for tracking.
The documents below support the planning, conducting and recording of the management review.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including the management review template and the issues and actions register. |
| F-Q3 Management Review | Management review template covering all the inputs required by Clause 9.3, with space to record discussion, decisions and follow-up actions. |
| ER1 Issues and Actions Register | Tracks the actions arising from management review through to closure, including effectiveness reviews. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
No UK legislation directly governs management review of an information security management system. The accountability principle in UK GDPR (Article 5(2)) requires the controller to be able to demonstrate compliance with the data protection principles, and a documented management review is one way senior management can evidence that oversight.
