We refer to the content of ISO 27001 – Chapter 9.3:
The Management Review is a mandatory annual activity that must be documented. Top management must be included in the process.
The management review shall include consideration of:
a) The status of actions from previous management reviews;
b) Changes in external and internal issues that are relevant to the information security management system;
c) Feedback on the information security performance, including trends in:
   1. nonconformities and corrective actions;
   2. monitoring and measurement results;
   3. audit results; and
   4. fulfillment of information security objectives;
d) Feedback from interested parties;
e) Results of risk assessment and status of risk treatment plan; and
f) Opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.
- A management review is performed on an annual basis – plan it approximately 1-2 months before your external audit, preferably before the internal audit.
- Assign a person who is responsible for the management review; that person will take the lead in generating the report from Compleye Online.
- After the draft is ready, suggestions for improvements are defined and will need to be approved.
- MT/CEO meeting is planned to discuss all topics and suggestions for improvement.
- MT/CEO defines and accepts final improvements.
- MT/CEO finalizes and approves the management review report to be shown as evidence during external audit.
- Make sure all the suggested improvements have been added as new improvements in Compleye Online and new ISMS objectives have been updated in Compleye Online and in the statement.
Where to start
We have created an automated process for generating the management review report. These are the steps you need to follow:
1. Start by looking at the closed improvements from Compleye Online. There is a field with content “Management Review Topic” and “Text for the Management Review”. Use this to build the content of your management review concept. Read more about Improvements on Wiki.
2. Creation of the management review report starts at the ‘Closed Improvement’ section. Click the “Management Review Report” button. A window with all closed improvements will pop up.
3. Select improvements you would like to include in your management review report. From these selected improvements, only content entered in the evaluation field relating to the management review will be pre-populated in the generated report.
4. When ready, select “start the management review report”. You will be redirected to the management review subsection. Be aware that from this point you won’t be able to add more content from improvements to the report draft you are creating, but you can still attach documents to your management review report.
5. Enter the title, person reviewing the management review report, and the date of creation of the management report. Topics will be pre-filled from selected improvements. Add or review content as needed, fill in suggestions for improvement on that topic and indicate when management accepts the suggested improvements.
There are 2 topics that need to be filled in manually, as they are not part of the closed improvements card: ‘Effectiveness of entire ISMS’ and ‘Security and Compliance Objectives’ for the next year.
6. Evaluate and write about the effectiveness of the entire ISMS framework in the open text field of the section. Mention any suggested improvements and indicate when management accepts the suggested improvements.
7. Update the topic ‘Security and Compliance Objectives’ for next year – check your last year’s objectives by clicking on the suggested link and indicate whether the objectives from last year have been met. Make sure you note any suggestions for the improvement.
8. After the management review meeting (where content is reviewed, adjusted and approved by the management team), you can either finalize the report by clicking ‘Finalise the Report’ button or you can save it and continue later.
9. A management review report preview is generated and this can be either approved or saved for later. When it’s ready for approval, type the name of the person approving the report in the pop up window.
10. The finalized and approved management review report can be downloaded. Also, once the report is finalized the attachments cannot be deleted, but you can still download them.
Tips for writing the mandatory topics in the Management Review:
– Make a habit of double-checking whether the evaluation of the closed improvement you want to add has included the content for the management review.
– Read under “What?” for examples of content that often relates to the mandatory topics of the management review; this will help you to choose which improvements to include and to add content where needed.
Note: Next to the closed improvements, you can also find input in other sections of Compleye Online.
For each of these topics, suggestions for improvements and management’s decisions regarding the improvement should be documented.
- Periodic assessment policy
Check if you’ve made any new versions of Policies & Procedures and/or new documentation.
- Assess the outcome of the supplier assessment
Check the section Supplier Assessment for high risk suppliers – do you have any new high risk suppliers since last year? Has anything changed concerning suppliers that is worth mentioning (end of contract, security incident, changes in services, changes in SLAs etc)?
- Status actions of previous management reviews
Check in last year’s management review whether you’ve addressed and closed all improvements. If this is your first year, add ‘Not Applicable’.
- Changes in external and internal topics that are relevant to the ISMS
If you don’t have any improvements for this topic, check if you’ve made changes in your organisation, your product or services that may have an impact on security and/or privacy, and if you have any new stakeholders with new legal requirements. Check the Global Impact sections; perhaps you’ve entered new markets/countries that are relevant.
- Feedback and trends on incidents
Check the security metrics – have you had any incidents this year or can you spot trends in certain incidents (security, privacy or quality)? Should you add some new security metrics?
- Feedback and trends on measure & control
Review the controls; were they performed on time, have any changes been made? Review the results of the controls.
- Feedback and trends on audit results (internal/external)
Review the findings / improvements reported and compare with previous years; are there any trends that repeat or did you make good progress?
- Feedback and trends in meeting security objectives
In the section ‘ISMS Objectives’, you defined your objectives and – if you have added them to the security metrics overview – you’ve monitored them on a regular basis. What can you conclude? Have you achieved them? If yes, explain how they’ve been achieved. If not, why is that and what can you change to achieve them (e.g. make them smarter, more measurable)?
- Feedback from stakeholders that concerns the availability, integrity and retransmission of information.
Stakeholders are not only customers, but also all stakeholders that you have added to your stakeholder overview (Interested Parties & Legal Requirements). What feedback did you receive from them? Do you have plans in place to collect that feedback, e.g. customer satisfaction reviews, employee satisfaction questionnaires etc.?
- Results of the risk assessment and the status of the risk treatment plan
Every risk assessment finding has been transferred into an improvement, so this section should be properly completed.
- Opportunities for continuous improvement (leadership, communication, resources, organisation architecture, people and processes)
You’ve probably defined specific improvements that you encountered during operations during the year (apart from assessments and audits). If not, please make sure that next year you define improvements during your security meetings. You can always check your meeting notes and closed calls-to-action for improvements. You’ll be surprised by the small things that you have improved over the year.
- Total effectiveness of ISMS framework (content needs to be written, it is not part of the closed improvements card)
You’ve already addressed the effectiveness of every individual improvement. Check the high level contributions of the improvements, e.g., more focus on documentation, awareness, technical improvements, training or any other effect that you have experienced over the past year, working as an ISMS team.
- Security & Compliance Objectives (content needs to be written, it is not part of the closed improvements card)
Now it’s time to define your new ISMS objectives and to make sure you have added these in the section Strategy & Ambition – ISMS Objectives.
If you’ve added information to all topics and have discussed and evaluated them with your ISMS Team, someone on C-Level (management) should approve the final document (preferably with date and signature).
Oh… and don’t forget that all new improvements that are accepted in the management review need to be transferred to new improvements cards in Compleye Online.
| Field | Description | Example |
|---|---|---|
| Title | Free text field | Management Review 2022 |
| Reviewed By | List of team members. Select those involved in the review process and attending the management review meeting. | Selected team member names |
| Text for Management Review | Short description of the issue that needs improvement. | Technical or non-technical issues |
| Suggestions for Management Review | Short description of the intended improvement. | One or more suggestions to solve, mitigate or eliminate the problem or the risk. |
| Management accepts suggestions for improvements | Whether the solutions provided are accepted or not | Yes / No |