Management reviews are a requirement of ISO 27001 under Clause 9.3. The standard does not mandate meetings as such, only that top management reviews the ISMS at planned intervals, but it is usually easiest to schedule periodic management review meetings with the relevant stakeholders to assess ISMS performance and record the outcome.
But what needs to be included in an ISO 27001 management review agenda? How often should these be undertaken? And what needs to be discussed? We explore these questions and more in this article.
How regularly should management meetings be conducted?
Management review meetings should be held periodically to measure the effectiveness of the management system. ISO 27001 does not prescribe the interval, only that reviews take place at planned intervals, so they should be scheduled regularly enough to review progress against the actions raised to improve the system. This supports continual improvement and, if nothing else, ensures that progress is reviewed with action owners regularly.
Many organisations hold these meetings quarterly, but a monthly meeting is often more appropriate when the system has just been implemented. A large number of actions is usually identified at the start, and the number decreases as the system matures, so the interval may start as monthly, move to bi-monthly and ultimately settle at quarterly. Whatever interval you choose, document it, because the auditor will expect the reviews to have taken place at the planned intervals.
Who needs to attend management meetings?
The attendees of management review meetings will be management-level staff who have an input to, or an interest in, the ISMS. Typically this means managers who have actions against their names or who are risk owners in the business, which could include operational managers, HR managers, IT Directors, Information Security Managers and Quality Managers.
ISO 27001 management reviews should only be attended by interested parties at management level. Getting the right audience in the room is key to a successful ISMS meeting.
Many organisations find that this can be a long list of individuals, especially for a large scope. If so, cut the attendee list down to those managers who own risks, hold actions, or provide inputs to or receive outputs from the meeting. The list may change from meeting to meeting depending on which risks have been identified, against which assets, and which actions are being tracked.
Try to restrict the working meetings to interested parties and avoid including top management who have no interest in the operational detail of the system. Note, however, that Clause 9.3 places responsibility for the review on top management, so if they do not attend the operational meetings you should hold a separate session with top management (annually, for example) that gives a high-level overview of how the system is operating and records their decisions. That session, together with the minutes of the operational meetings, is your evidence that top management has reviewed the ISMS.
ISO 27001 Management Review Agenda
A typical ISO 27001 management review agenda may consist of the following items:
1. Introduction
- Purpose of the meeting
- Review attendee list and ensure key individuals are present
2. Review actions from minutes
- Review minutes from previous meetings
- Check status of actions with attendees
- Record RAG status against ongoing actions
- Close completed actions
3. ISMS and risk management
- Review/confirm ISMS scope and objectives
- Review ISMS performance and continual improvement
- Review resourcing constraints, budgets and other issues
- Review risk register and open/closed risks
- Discuss information security policies and procedures
4. Performance metrics / KPIs
- Review performance metrics and KPIs
- Discuss results of recent incidents and response
5. Meeting close
- Confirm actions and action owners
- Confirm timescales for actions
- Confirm date and time of next meeting
- AOB
The above is one example of what an ISO 27001 management review agenda might look like; there is no single right answer. Whatever agenda you use, make sure it covers the inputs Clause 9.3 requires, including the status of actions from previous reviews, changes in internal and external issues relevant to the ISMS, internal audit results, nonconformities and corrective actions, monitoring and measurement results, the results of risk assessment and the status of the risk treatment plan, feedback from interested parties and opportunities for continual improvement, and that the outputs record decisions on continual improvement and any changes needed to the ISMS. The auditor will want to see evidence that reviews have taken place, which is most easily provided through minutes or an ISMS task list that records the inputs considered, the decisions made and the actions assigned.
Whatever approach you take to management reviews, ensure that all levels of management have been engaged, understand the purpose of the ISMS, and that the records show the review actually happened.