Earning your ISO 27001 certification is a time-consuming and robust process. To earn your certificate, you must undergo lengthy documentation, auditing, and more - all of which are vital to the process. Some of these procedures are optional, meant only to help you specify your ISMS and prepare you for later steps. But, the majority are mandatory components of the certification that must be completed carefully and accurately. One mandatory, yet often overlooked practice is the management review, detailed in clause 9.3 of the ISO 27001 list of standards. While this review is mandatory, it is one of the most misunderstood and underappreciated elements of these standards. We will discuss what the management review entails, and why it is important so that you may better understand and appreciate the process.
ISO 27001 clause 9.3 explains that it is the responsibility of senior management to conduct the management review. These reviews should be pre-planned and be often enough that it verifies the continued effectiveness of an organization’s ISMS, ensuring that it achieves the aims of the business. ISO states that this review should be conducted at planned interviews, which tends to be once per year and within an external audit surveillance period. While this is the minimum requirement, it is recommended that you perform it more often. A more frequent management review will allow for your ISMS to keep up with the ever-changing pace of information security threats. The review should be viewed as a continuous practice to maintain and monitor your ISMS. While often underestimated, the management review should not be perceived as merely checking off a box for ISO compliance. For organizations looking to live and breathe information security practice, the role of the management review is invaluable.
Before you can come to better understand and appreciate the importance of the management review, you must learn its purpose. While the review is primarily only conducted to satisfy the certification auditor, it can also serve as an excellent opportunity for top management to actively participate in information security. The purpose of clause 9.3, which outlines the management review, is to ask your executives to make crucial decisions that will significantly impact your ISMS. This may not sound too complex, but it must be performed in a systematic manner. Overall, your management review should ensure that the ISMS and its objectives continue to remain adequate and effectives given your company’s purpose, issues, and risks around your information assets. The work leading up to and around the management review will enable senior management to make informed and strategic decisions surrounding your ISMS and how it is managed.
What is Included?
The first order of business is to revisit any ongoing actions that were decided upon in previous management reviews. If you requested any statistical analysis or decided to adjust a process now is the time to check them and get further review. Next, you should discuss any internal or external issues relevant to the ISMS. This may include information assets, people, products, and systems, in addition to political problems, new technologies, and economic fluctuations. Following this, you will move on to the overall performance of your ISMS and ISO 27001 requirements.
At minimum, the management review will follow the standard ISO 27001 format laid out in clause 9.3, but it can be beneficial for your organization to include more. The formal review agenda at minimum should include;
- The status of actions from previous reviews
- Changes in internal and external issues relevant to the ISMS
- Feedback on information security performance including nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfillment of information security objectives
- Feedback from interested parties
- Results of the risk assessment and status of risk treatment plan
- Opportunities for continual improvement
Including other compliance regimes and best practices can be resourceful in facilitating effective reviews and informed decision making. You can tie the 9.3 information security aspects into broaden senior management meetings or formal board meetings to further its reach and effectiveness. Including the agreement on audit focus for a coming period is also a great addition. While this is optional, external auditors want as much clarity as possible into your organization and this can provide that.
Regardless of what you include, it must document the results and actions from the reviews. For organizations in the implementation phase of their ISMS, it is recommended to conduct weekly management reviews as part of habit building. This should include implementation lessons, next period goals, and identifying issues alongside the formal management agenda. If you are preparing for your external audit, these are excellent practices for impressing your auditor and demonstrating how devoted your company is to information security. The outputs of the management review should include any corrective actions and continual improvement opportunities to ensure the utmost effectiveness of your security processes. Practicing effective management from the start is key to the maintenance of a success and robust ISMS.
Maximizing your Management Review
As the name suggests, senior management will play a significant role in the management review. This may take the form of an ISMS board, generally including the CISO, department heads, and other executives. To ensure that you are maximizing the effectiveness of your review, we will go through some best practices. It is important to keep attendees to a minimum. While it is important that the entire organization be involved and aware of your ISMS practices, too many opinions can complicate the process. For this reason, it’s best to keep only a small group involved with the review. It is also beneficial to keep management reviews and management meetings separate. It is likely that senior management already meet on a regular basis to address day-to-day operations, so it is best to keep the two separate to avoid conflict or overlooked information security concerns. You should be sure to keep minutes during your review. Not only is it required by ISO 27001 to document the content and results of your reviews, but it also helps to remind you of topics that came up and the corresponding decisions made. Finally, provide a summary of your management review. This is helpful for attendees to have a brief overview of what was discussed.
What is the Misunderstanding?
Now that you are an expert in the ISO 27001 management review it’s hard to understand how it could ever be overlooked. The review process is instrumental in strengthening your information security from the top down. While it can be easy to simply view the review as ticking off a box, there is so much value in a thorough and virtuous review. Not only will this simplify your ISO 27001 implementation process and help you pass your audit with flying colors, but it will ensure the continual improvement and success of your ISMS. The management review is about so much more than compliance, use this practice to build a relationship with your decision makers and strengthen your ISMS.