Management review


Gary Hinson

Apr 5, 2026, 10:16:31 PM
to hyperg...@googlegroups.com
Friends,

Ages ago, I noticed that the term "management review" isn't formally defined in ISO/IEC 27001 or the other ISO management systems standards, as far as I can tell.  Odd that!  So, I thought I'd give it a go.

In the ISO management systems context, management reviews are specified in section 9.3:

9.3 Management review 

9.3.1 General 
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. 

9.3.2 Management review inputs 
The management review shall include consideration of: 
a) the status of actions from previous management reviews; 
b) changes in external and internal issues that are relevant to the information security management system; 
c) changes in needs and expectations of interested parties that are relevant to the information security management system; 
d) feedback on the information security performance, including trends in: 
1) nonconformities and corrective actions; 
2) monitoring and measurement results; 
3) audit results; 
4) fulfilment of information security objectives; 
e) feedback from interested parties; 
f) results of risk assessment and status of risk treatment plan; 
g) opportunities for continual improvement. 

9.3.3 Management review results 
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.

So, simplified and generalising a little, a management review could be defined as "a review conducted by or on behalf of management, that is scoped, resourced and directed by, and reported to, management."  

An alternative meaning might be "a review, assessment, evaluation or audit of managerial activities, governance arrangements, strategies, performance etc."   I'm thinking here of the due diligence ahead of, say, a corporate merger, acquisition or substantial investment. 

What do you think?  Feedback welcome, of course.

Kind regards/Ngā mihi,

____________________________________________

Gary Hinson

Apr 7, 2026, 12:47:03 AM
to hyperg...@googlegroups.com
Thanks both.

As an undefined term, 'management review' didn't make it into the book so far, Dan, but it's one I'm working on.  I'm interested in other perspectives and interpretations, refining my own and hopefully converging on a useful definition.

Krag: I like general (albeit 'cybersecurity-related') definitions for the hyperglossary.  Having said that, in ISO-land, 'requirement' refers to something specific and explicitly mandated by the standards, against which conformity can be formally determined and confirmed or denied (it's binary!) ... so I'm leaning more towards 'objectives'.   

'Objective' is already defined on page 508, without mentioning the 'risk stuff, specific capabilities, uptime, etc.':

[attached image: image.png]

So, how's this?

[attached image: image.png]

[In parallel, we're debating the definition on the ISO27k Forum, trying to pin down the intended (but undefined) meaning of 'management review' in ISO-land.]   

Kind regards/Ngā mihi,

____________________________________________



On Tue, 7 Apr 2026 at 04:24, Krag Brotby <in...@valleyvistavillage.com> wrote:
My thoughts go to "review of requirements and extent they have been met". Separates out the infinite variety of specific requirements which may include risk stuff, specific capabilities, uptime, etc.


____________________________________________
