Like some other clauses in ISO 27001 and ISO 22301, clause 9.3, which defines requirements for management review, is one of the most misunderstood and most underappreciated elements of these standards.
In practice, this review is usually done only to satisfy the certification auditor, but by doing so a great opportunity for your top management to participate actively in information security is lost.
The purpose of management review
The point of clause 9.3 in ISO 27001 and ISO 22301 is to ask your executives to make crucial decisions that will have a major impact on your ISMS or BCMS. And this has to be done in a systematic way.
So, for instance, your information security may need a larger budget, or your existing alternative location may not be appropriate – all such issues need decisions from the top, and management review is exactly the place to make such decisions. You can consider this management review to be nothing more than a regular meeting of your top executives with a specific topic: information security and/or business continuity.
Alternative approaches to management review
Management review does not have to be performed in the same way in all companies – there are many different approaches on how to do it:
Frequency. The minimum is to perform management review once a year, or more often if any major change happens that can influence information security or business continuity (e.g., there is a new client who has very particular requests regarding the confidentiality or availability of your systems). However, it could be done more often (e.g., quarterly) if the management wants to be more involved in operational issues.
Merge with other management reviews. If you implemented both ISO 27001 and ISO 22301, or also ISO 9001, you might be tempted to have all those management reviews done together; however, I wouldn’t recommend that – e.g., business continuity is a big enough topic on its own and it needs 30 or so minutes of undivided attention of your top management, and the same goes for information security or quality management. You could place all the management reviews on the same day, but place them in sequence, not in the same time slot.
Where to document the results. In most cases, simple meeting minutes will do; however, some larger corporations will require formal proceedings to be made, together with formalized decisions.
How to communicate the results. The company can send email notification to all the relevant employees and third parties, organize a meeting, or something similar.
Who will prepare the materials. Since there is a great deal of input information the management needs to consider at the meeting, someone has to prepare those materials for them – usually, this is the Chief Information Security Officer or Business Continuity Coordinator; however, in larger companies these materials will be prepared by several department heads.
Which inputs are needed
The materials for performing your management review are numerous: Internal audit reports, corrective actions and their status, the status of tasks that were decided during the last management review, overall changes (internal and external) that could influence the level of security, results of measurements (if the objectives have been achieved), new required resources (including financial), lessons learned (from testing, or from real incidents), proposals on how to improve the system, etc.
What is to be discussed at the management review
So, finally, what is it that should be discussed at these management reviews? Your executives need to make at least the following decisions: whether the ISMS or BCMS has fulfilled its objectives, which improvements are needed, changes to the scope, approval of the required resources, modification to the main documents (e.g., top-level policies), etc.
But, of course, you don’t need to limit the discussion to those topics only – management review is the perfect opportunity to educate your executives on the basics of information security / business continuity. You can discuss alternative strategies on how they can be implemented, you can present which issues you are struggling with the most so that you can get their support, etc.
In short, you can use this requirement of ISO 27001 and ISO 22301 to do much more than mere compliance. Use it for building a relationship with your decision makers.
You can download here a free preview of a Management Review Minutes template.