(Clause 9.3: Management Review)
Use this checklist to prepare for and conduct a management review of your Information Security Management System (ISMS) in line with ISO/IEC 27001:2022 requirements. It covers all mandatory review inputs and outputs and includes practical steps for continual improvement. The checklist is organized into four sections: Preparation, Meeting Execution, Documentation, and Follow-up, to ensure a comprehensive and efficient review. During the meeting, use the key questions to prompt discussion and record decisions and actions.
Preparation
Before the management review meeting, complete the following preparatory steps:
| Preparation Steps | Completed |
| --- | --- |
| Schedule the management review meeting: Ensure top management and relevant ISMS team members are invited. Set a date/time (at planned intervals, e.g., annually or quarterly) and define the meeting duration. | ☐ |
| Distribute agenda and materials in advance: Prepare an agenda covering all required topics (see Meeting Execution). Send the agenda and any pertinent reports or data to participants beforehand so they have time to review. | ☐ |
| Review the outcomes of the last management review: Obtain the minutes or report from the previous management review. Note all action items that were decided and check their current status (completed or pending). | ☐ |
| Gather status of previous actions: For each action item from the last review, collect evidence of completion or an explanation for any delays. Be ready to report on these in the meeting. | ☐ |
| Identify changes in external issues: Identify any external changes since the last review that could affect the ISMS (e.g., new laws/regulations, emerging threats, market or industry changes). | ☐ |
| Identify changes in internal issues: Identify any internal changes within the organization that are relevant to the ISMS, such as changes to organizational structure, strategy, or processes, or new projects or systems. | ☐ |
| Identify changes in interested parties' needs: Check for changes in the needs and expectations of interested parties (e.g., clients, partners, regulators, employees) related to information security. | ☐ |
| Compile ISMS performance data: Gather up-to-date metrics and reports on ISMS performance, including trends in nonconformities and corrective actions, security incident statistics, monitoring and measurement results, internal/external audit findings, and the status of ISMS objectives. | ☐ |
| Collect feedback from interested parties: Gather any feedback received regarding information security from stakeholders, such as policy updates, client complaints, supplier feedback, and comments from auditors or regulators. | ☐ |
| Update risk assessment results: Review the latest risk assessment to note any new or changed risks, and verify the current status of the risk treatment plan (are risk treatments implemented as planned?). | ☐ |
| Note opportunities for improvement: List any potential improvements identified since the last review (e.g., from audits, incidents, staff suggestions, new technologies, or process ideas) so they can be discussed and addressed. | ☐ |
| Optional: Prepare additional inputs: Consider any other relevant compliance or business items to include. For example, align the review with other frameworks (e.g., cybersecurity programs, ISO 9001) or plan to discuss the focus of upcoming audits. | ☐ |
Meeting Execution
During the management review meeting, address the following topics. Use the questions to guide discussion:
| Discussion Topic | Key Questions & Considerations | Done |
| --- | --- | --- |
| Status of previous actions: Review the status of actions from the last management review. | Have all action items from the last review been completed? If not, what is the reason and the plan to address any pending items? | ☐ |
| Changes in external & internal context: Consider changes in external and internal issues since the last review, including any relevant climate change considerations. | What significant external changes (e.g., new laws, regulations, threat landscape) or internal changes (e.g., organizational or strategy changes) have occurred? Do any of these changes require adjustments to the ISMS? | ☐ |
| Changes in the needs and expectations of relevant interested parties: Consider changes in the needs and expectations of these parties. | Have there been any changes in stakeholder requirements or expectations (customers, partners, regulators, employees)? For example, are there new contractual security requirements or regulatory obligations that need to be addressed? | ☐ |
| ISMS performance: nonconformities & corrective actions: Evaluate information security performance, focusing on nonconformities and corrective actions. | Have any significant nonconformities or security incidents occurred since the last review? Are corrective actions for past issues effective in preventing recurrence? | ☐ |
| ISMS performance: monitoring and metrics: Assess results from monitoring and measuring controls and key security metrics. | What are the essential security metrics and monitoring results showing (e.g., incident rates, system alerts, compliance scores)? Are there any concerning trends or notable improvements to report? | ☐ |
| ISMS performance: audit findings: Review the results of recent internal and external audits. | What were the main findings from internal/external audits or assessments? Have all audit nonconformities been addressed, and did audits reveal any systemic issues that need management attention? | ☐ |
| ISMS performance: objective attainment: Check the fulfillment of information security objectives. | Are we meeting our ISMS objectives and targets? If objectives have not been met, what obstacles exist? If objectives have been achieved easily, should we set more challenging goals or new objectives? | ☐ |
| Feedback from interested parties: Review feedback from relevant interested parties on the effectiveness of the ISMS. | Have we received any feedback or complaints from customers, partners, or regulators regarding information security? Are there any concerns or suggestions from employees or other stakeholders? | ☐ |
| Risk assessment and treatment status: Review the results of the most recent risk assessment and the current status of risk treatment plans. | Have any new risks emerged or have risk levels changed since the last review? Is the risk treatment plan on track? Are risk mitigation actions being implemented and effective? | ☐ |
| Opportunities for improvement: Identify and discuss opportunities for continual improvement of the ISMS. | What potential improvements or innovations can we implement to enhance the ISMS? Consider process improvements, new controls or technologies, training needs, or other ways to strengthen information security. | ☐ |
| Optional: Plan upcoming audits or reviews (if time permits): Discuss plans for upcoming audits or compliance reviews. | Do we need to adjust our internal audit program or plan any focused reviews based on today's discussion? Agree on any audit focus areas for the coming period to support continual monitoring. | ☐ |
| Conclude and confirm next steps: Summarize decisions and ensure clarity on actions. | What are the key decisions made today for improving the ISMS or addressing issues? Confirm who will be responsible for each agreed-upon action and by when, so everyone is clear on the path forward. | ☐ |
(Note: The topics above correspond to inputs (a) through (g), all of the mandatory inputs required by ISO/IEC 27001:2022 clause 9.3.2 for management reviews. Ensure each is covered during the meeting. The "Conclude" step helps transition into documenting the outputs.)
Documentation
After the meeting, document the review and its outcomes:
| Documentation Tasks | Completed |
| --- | --- |
| Record meeting minutes: Document the discussions and decisions from the management review. Ensure that all topics from the agenda (inputs) are noted, along with any conclusions for each. Include the list of attendees, meeting date, and duration. | ☐ |
| Document decisions and actions (outputs): Clearly record the outputs of the management review, including decisions made regarding improvements and any necessary changes to the ISMS. For each decision or action, note what will be done, who is responsible, and the target deadline. | ☐ |
| Maintain evidence of review: Include a list of attendees, and keep the meeting minutes as well as any presented materials as documented evidence of the management review. Ensure that this documentation is stored in accordance with your document control procedures and is readily available for audits or inspections. | ☐ |
| Distribute report: Circulate the meeting minutes or a summary of key outcomes to relevant stakeholders (e.g., attendees and other concerned parties). This helps ensure everyone is aware of the decisions and their responsibilities. | ☐ |
Follow-up
Finally, carry out post-review actions to implement decisions and sustain improvement:
| Follow-up Actions | Completed |
| --- | --- |
| Assign and communicate action items: Assign each action item or improvement task to a responsible person or team and communicate these assignments. Ensure each owner understands the task and deadline. | ☐ |
| Track progress on actions: Monitor the progress of all action items identified during the review. Use an action log or similar tool. Ensure that tasks are completed by their due dates, and report status in subsequent management meetings (or earlier if issues arise). | ☐ |
| Implement ISMS changes: Execute the agreed-upon changes to the ISMS, such as updating policies, procedures, and controls, or allocating additional resources and training. Ensure these changes are implemented effectively and update the ISMS documentation as applicable. | ☐ |
| Communicate changes: Inform relevant personnel and interested parties about any significant changes or improvements resulting from the review. For example, if new controls are implemented or policies are updated, ensure that affected staff are notified and understand the changes. | ☐ |
| Continual improvement culture: Encourage ongoing improvement outside of formal reviews. Address minor issues or improvements promptly through regular ISMS operations. Don't wait for the next review meeting to fix known problems: use the review as a milestone, but maintain continuous oversight and enhancement of the ISMS. | ☐ |
| Plan next review: Confirm the next management review schedule. Ensure that reviews continue at planned intervals, adjusting the frequency as needed based on organizational risk and changes. You may set a tentative date or reminder for the next review to maintain momentum. | ☐ |