ISO 27001 clause 9.3 Management review

The basics

ISO 27001 sub-clause 9.3 is called “Management review”: it requires top management to review the ISMS at planned intervals so that it remains continuously suitable, adequate, and effective in supporting the information security objectives.

Documentation

ISO 27001 clause 9.3 Management review requires writing the following document:

  • Management review minutes

The following document is not mandatory, and companies can decide whether to write it:

  • Procedure for management review

Implementation

To comply with clause 9.3 Management review, you should follow these steps:

  1. Define who is going to participate in the management review.
  2. Define when the management review is going to take place.
  3. Prepare the input materials that need to be discussed during the management review.
  4. Prepare which decisions need to be made during the management review.
  5. After the management review is completed, record the results through Management review minutes.

Audit evidence

During the audit, an auditor might ask for the following evidence regarding clause 9.3 Management review:

  • To show the mandatory document – Management review minutes.
  • If at least one member of the top management has participated in the management review.
  • If the management review is performed regularly.
  • If all the required inputs were presented at the management review.
  • If adequate decisions were made at the management review.