The management review: what goes in it and who takes part?
One of the clause-9 requirements of ISO 27001. Annual, with senior management, 2 hours. Here is the agenda that an auditor will accept — and that works as a practical exercise for you.
The management review is not a ceremony — it is the one mandatory moment each year at which senior management explicitly commits to the ISMS. 2 hours, once a year.
Who is involved?
- Senior management (ultimately responsible for the ISMS)
- CISO / security lead (which may also be the director themselves in an SMB)
- Data protection officer (where relevant for GDPR)
- Compliance officer (where applicable)
Agenda (fixed)
- Review of the previous management review — what was decided, what was acted upon?
- Changes in external context (legislation, customer requirements, threat landscape).
- Changes in internal context (reorganisation, new systems, growth).
- Risk management — status of the risk register, top-5 residual risks.
- Results of internal audits and external audits (stage audits, surveillance).
- Incident overview — number, categories, lessons learned.
- Status of controls and access reviews.
- Objective assessment — have security goals been met?
- Resources — is the ISMS adequately staffed and funded?
- Improvement initiatives for the coming year.
- Action and decision log.
Evidence
Minutes with clear decisions, names, dates, and actions. Signed or digitally confirmed by senior management. This is the key artefact every auditor will ask to see.
See also: PDCA cycle, pre-audit checklist.
Complete guide: ISO 27001 for SMEs without spending €50k on consultants
This article is part of our comprehensive Compliance guide. Read the pillar for the complete picture.