Example of Procedure for ISO 27001:2022 Management Review


1. Scope

This procedure applies to all activities within the scope of the XXX Information Security Management System (ISMS) established in accordance with ISO/IEC 27001:2022.


2. Purpose

2.1 To ensure that top management systematically reviews the ISMS and its performance in accordance with the established operating procedures.

2.2 To review the suitability, adequacy and effectiveness of previous corrective and preventive actions, including those related to outsourced services and supplier performance.

2.3 To identify strengths and opportunities for improvement and to make recommendations for continual improvement.


3. Reference Documents

3.1 XXX Information Security Management System Manual.
3.2 Procedure for Internal ISMS Audit.
3.3 Procedure for Nonconformity and Corrective Action.


4. Definitions

4.1 Management Review: a cross-functional review by the organization's top management, held at planned intervals, to assess how far the organization is achieving its established objectives, to confirm the continuing suitability, adequacy and effectiveness of the ISMS, and to decide on corrective action where necessary.

4.2 ISMS Objective: a statement of what is to be achieved within a defined time frame and with the available resources. It shall be consistent with established practice and with the vision the organization has set for itself.

4.3 Audit: a systematic, independent and documented process for obtaining audit evidence (records, statements of fact or other information that is relevant and verifiable) and evaluating it objectively to determine the extent to which the audit criteria (a set of policies, procedures or requirements) are fulfilled.


5. Responsibilities

The following are responsible for preparing and conducting the Management Review (MR) meeting:
5.1 CEO:
5.1.1 Ensure the implementation of the MR policy.
5.1.2 Chair the MR meeting.
5.1.3 Invite the members of top management to the meeting.
5.1.4 Invite other categories of staff as necessary (e.g. quality focal points, internal auditors).
5.2 CISO and ISMS department staff:
5.2.1 Set the date and time of the meeting in coordination with the chair.
5.2.2 Prepare and present the agenda of the meeting according to the agenda in section 6.2.
5.2.3 Take the attendance list.
5.2.4 Record the minutes of the meeting, including the discussion points raised, the suggestions made and the decisions taken during the review output session.
5.2.5 Follow up on the decisions taken during the review output discussion.
5.2.6 Follow up on the implementation of the MR outputs.


6. Procedure

6.1 Attendance and schedule:

6.1.1 The top management review meeting shall be held at least once a year. The meeting is allocated a maximum of 2 hours 30 minutes, distributed as follows:

1 hour: presentation of the review input.
30 minutes: questions and answers.
1 hour: review output (it is recommended that this part is attended by the CEO, CISO, directors and heads of departments).

6.1.2 The management review meeting is chaired by the CEO or, if the CEO is not available, by the CISO. In that case the CISO must brief the CEO on the findings and outputs of the meeting.

6.2 Agenda of MR:

6.2.1 Review Input: this part of the review shall include information on:

  1. Follow-up actions from previous management reviews. This covers all issues raised or resolved since the last review, to make sure problems are being resolved properly and to look for trends in the data. The actions taken as a result of the previous MR meeting must be reviewed: it must be verified that all actions have been completed and that they were effective. Where an action was not completed or was found not to be effective, the root cause must be identified and corrective action taken.
  2. Changes in external and internal issues that are relevant to the ISMS.
  3. Changes in the needs and expectations of interested parties that are relevant to the ISMS.
  4. Status of nonconformities and corrective actions. This covers the steps taken to manage failures that have been detected, as well as the steps taken to avoid potential problems that are likely to arise.
  5. Process and results of performance monitoring and measurement. This covers whether XXX is reaching and/or maintaining its performance targets.
  6. Results of audits. This covers the results of the internal and external audits carried out during the previous period, including a presentation of data analysis showing strengths and opportunities for improvement in the system.
  7. Information security objectives. This covers the information security objectives established at the previous MR meeting. The review must verify whether the objectives were met; where they were not, the root cause must be identified and the corrective action taken must be reported. The information security objectives for the next year must also be established, based on the audit findings and the results of performance monitoring and measurement.
  8. Feedback from interested parties. This is based on analysis of the feedback collected through the various channels, such as satisfaction surveys and the compliments and complaints system. The reporting should look closely at both negative and positive feedback.
  9. The results of the event and incident reporting system and their analysis.
  10. The effectiveness of actions taken to address risks identified in the risk assessment, and the status of the risk treatment plan.
  11. Opportunities for continual improvement. This covers proposed corrective and preventive actions, based on the outcome of the reviews of the system carried out since the last MR, intended to improve the ISMS.

6.2.2 Review Output: this part of the review shall be allocated to discussing and deciding on the actions to be taken to improve the management system, its services/processes, and the resources needed. The output shall include any decisions and actions related to:

  1. Improvement of the effectiveness of the information security management system and its processes, i.e. whether, based on the information discussed, there are areas where worthwhile improvements can be made.
  2. Any need for changes to the information security management system.

6.3 Forms and records of the review:

The records of the review are maintained by the IT department, and a summary report of the meeting is sent to the Management Representative.


7. Forms and Records

7.1 Management Review Record (ISMS F027)
7.2 Data Analysis Reports (ISMS F028)
7.3 Management Review Agenda and Minutes (ISMS F029)
