Document ID: ISMS-MGT-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Chief Information Security Officer
Purpose
This template structures the annual (or more frequent) Management Review of the ISMS required by ISO/IEC 27001:2022 Clause 9.3. The Management Review is a formal meeting of Top Management that evaluates the performance of the ISMS, reviews all required inputs, and produces decisions and actions to drive continual improvement.
This template is completed by the Information Security Manager (ISM) in advance of the meeting and presented by the CISO. Minutes are taken by the ISM and circulated to attendees within 5 business days. The completed minutes are a mandatory ISMS record.
Meeting Details
| Item | Details |
|---|---|
| Meeting Date | [Date] |
| Meeting Time | [Time and timezone] |
| Location / Platform | [Office boardroom / Microsoft Teams] |
| Chair | [CISO Name], Chief Information Security Officer |
| Minutes Taker | [ISM Name], Information Security Manager |
| Attendees | [Name, Role]; [Name, Role]; [Name, Role] |
| Apologies | [Name, Role] |
| Previous Meeting Date | [Date of last Management Review] |
| Next Meeting Date | [Proposed date – maximum 12 months hence] |
1. Agenda
| Item | Topic | Presenter | Time Allocation |
|---|---|---|---|
| 1 | Opening, quorum confirmation, and agenda approval | Chair | 5 minutes |
| 2 | Review and approval of previous meeting minutes | ISM | 5 minutes |
| 3 | Status of actions from previous review | ISM | 10 minutes |
| 4 | Changes in external and internal issues relevant to the ISMS | CISO | 10 minutes |
| 5 | Performance review: KPIs and information security objectives | ISM / CISO | 15 minutes |
| 6 | Information security incident summary and trends | ISM | 10 minutes |
| 7 | Nonconformities and corrective action status | ISM | 10 minutes |
| 8 | Internal audit results summary | Lead Auditor / ISM | 10 minutes |
| 9 | Risk register review and risk appetite confirmation | CISO | 15 minutes |
| 10 | Supplier security summary | ISM | 10 minutes |
| 11 | Review of Information Security Policy and objectives | CISO | 10 minutes |
| 12 | Resource requirements and investment decisions | CISO / CFO | 15 minutes |
| 13 | Continual improvement opportunities | All | 10 minutes |
| 14 | Any other business; decisions required; close | Chair | 10 minutes |
2. Required Inputs – ISO/IEC 27001:2022 Clause 9.3
The following inputs are required by the standard. Each must be addressed during the review. The ISM prepares a summary for each input prior to the meeting.
| Input Item (per Clause 9.3) | Source Document / Owner | Summary for This Review | Trend |
|---|---|---|---|
| Status of actions from previous management review | Action tracker (ISMS-MGT-000) | Example: 8 of 10 actions from the previous review are complete. 2 actions are carried forward: (1) PAM tool procurement – delayed by budget approval; new target June 2026. (2) Supplier contract addendum – in legal review; target May 2026. | Improving |
| Changes in external and internal issues | CISO brief | Example: External – GDPR enforcement activity increased around AI data processing; new NIS2 Directive requirements may affect one EU client contract under review. Internal – headcount grew by 4 (2 analysts, 1 cloud consultant, 1 developer); new AWS region added to production environment. | Monitor |
| Changes in needs and expectations of interested parties | Client feedback; contract review; legal | Example: Two clients have requested confirmation of ISO 27001 certification scope to include cloud consulting services. One client added a security incident notification clause (24-hour requirement) to their contract at renewal – stricter than our current 72-hour policy. | Action required |
| Information security performance and KPIs | KPI dashboard (Section 3 below) | Example: MTTD and MTTR are within target. Patch compliance is below target (89% vs 95% for High severity patches). Training completion is on track at 87% against 100% target due by June 2026. | Mixed |
| Nonconformity and corrective action status | NC register (ISMS-NC-001) | Example: 5 NCs raised since last review. 2 closed. 3 in progress and on track. 0 overdue. NC-2026-004 (Major β supplier contracts) is the most significant open item. | Improving |
| Monitoring and measurement results | Internal reports; SIEM dashboard | Example: 100% of Tier 1 systems are logging to SIEM. 2 systems (dev environment build server, legacy test VM) are not yet logging. MFA enforcement is at 97% of users – 3 service accounts are exempt pending technical review. | Action needed |
| Audit results | Internal audit report 2026-01 | Example: Audit 2026-01 completed March 2026. 2 Minor Nonconformities and 1 Observation raised. Auditee management accepted all findings. Corrective actions raised (CA-2026-001, CA-2026-002). No Major Nonconformities. | Positive |
| Performance of external providers (suppliers) | Supplier register; Tier 1 reviews | Example: AWS and Microsoft reviews completed – both retained current ISO 27001 certification. HR SaaS vendor review overdue by 3 months – ISM to schedule within 30 days (action raised below). SIEM vendor contract addendum in progress (R-012). | Action required |
| Adequacy of resources for the ISMS | CISO resource review | Example: Current ISM headcount (1 FTE) is below recommended level for organisation size. CISO to propose part-time security analyst appointment (0.5 FTE or dedicated contractor). Budget request: $40,000/yr. | Action required |
| Effectiveness of actions taken to address risks and opportunities | Risk register; treatment plan | Example: 3 Critical risks moved to High following treatment completion (R-002, R-005, R-009). 1 new Medium risk identified (third-party SaaS dependency – R-016 to be added post-meeting). Overall risk profile is improving. | Improving |
| Opportunities for continual improvement | CISO and team submissions | Example: (1) Automate quarterly access reviews using Entra ID Access Reviews – reduce manual effort by 8 hours per quarter. (2) Implement SIEM use case library to improve detection coverage. (3) Move from annual to biannual BCP tabletop exercises. | – |
3. KPI Dashboard
Complete the KPI table below from the most recent measurement period. RAG = Red / Amber / Green status.
| KPI | Target | Current Period | Previous Period | Trend | RAG Status |
|---|---|---|---|---|---|
| Security awareness training completion | 100% by June 2026 | 87% | 72% | Improving | Amber |
| Critical patch deployment within 7 days | 100% | 100% | 98% | Improving | Green |
| High patch deployment within 14 days | 95% | 89% | 91% | Declining | Red |
| Mean Time to Detect (MTTD) incidents | Less than 15 minutes | 12 minutes | 14 minutes | Improving | Green |
| Mean Time to Respond (MTTR) – P1/P2 | Less than 60 minutes | 45 minutes | 52 minutes | Improving | Green |
| Access reviews completed on time (quarterly) | 100% | 75% | 67% | Improving | Red |
| Risk register reviewed and current | Reviewed quarterly | Current (March 2026) | Current (December 2025) | Stable | Green |
| Supplier Tier 1 reviews completed on time | 100% by due date | 80% (1 of 5 overdue) | 100% | Declining | Amber |
| Security incidents P1/P2 in period | 0 | 0 | 0 | Stable | Green |
| Security incidents P3/P4 in period | Report all | 3 P3; 8 P4 | 2 P3; 6 P4 | Monitor | Amber |
| Internal audit programme on track | 100% | 100% (Audit 2026-01 complete) | N/A | Stable | Green |
| ISMS policy review cycle compliance | All policies reviewed within 12 months | 11 of 13 policies current | 9 of 13 | Improving | Amber |
| Exceptions register – open exceptions | Under 5 | 3 | 4 | Improving | Green |
| MFA enforcement across in-scope users | 100% | 97% | 94% | Improving | Amber |
4. Incident Summary
| Period | P1 Incidents | P2 Incidents | P3 Incidents | P4 Incidents | Notable Events |
|---|---|---|---|---|---|
| Q4 2025 | 0 | 0 | 2 | 6 | Phishing campaign targeting staff (Dec 2025) – 3 reports, 0 clicks; brute force on VPN portal (blocked by lockout policy) |
| Q1 2026 | 0 | 0 | 3 | 8 | Suspicious login from overseas IP (Jan) – investigated, confirmed legitimate travel; misconfigured S3 bucket discovered via Security Hub (Feb) – remediated within 4 hours; laptop reported stolen at airport (Mar) – remote wiped within 30 minutes |
Trend analysis: No P1 or P2 incidents in the past 6 months. P3/P4 incident count is slightly elevated compared to the same period last year, driven by increased phishing activity consistent with industry threat trends. No incidents resulted in data breach or client impact.
5. Risk Appetite Confirmation
The Board / Top Management is asked to confirm or adjust the organisation's information security risk appetite:
Current approved risk appetite statement: The organisation will not accept any residual risk rated Critical (15–25). Risks rated High (10–14) require CISO-approved treatment plans with target completion within 30 days. Risks rated Medium (5–9) are accepted if no cost-effective treatment exists, with annual review. Risks rated Low (1–4) are accepted with no mandatory treatment.
CISO's recommended change (if any): [CISO to state whether any change to risk appetite is recommended and the rationale]
Board decision: [Confirmed unchanged / Adjusted as follows: …]
6. Decisions and Actions
All decisions made and actions agreed at the Management Review must be recorded in this table.
| # | Decision / Action | Owner | Due Date | Priority | Status |
|---|---|---|---|---|---|
| MR-2026-01 | Approve revised Information Security Policy v1.1 (updated scope to include cloud consulting) | Top Management – Chair | This meeting | High | [Approved / Deferred – reason] |
| MR-2026-02 | Approve budget for part-time security analyst (0.5 FTE or contractor, $40K/yr) | CFO + CISO | 2026-05-31 | High | Open |
| MR-2026-03 | ISM to schedule overdue HR SaaS Tier 1 supplier review | ISM | 2026-04-30 | Medium | Open |
| MR-2026-04 | IT Manager to remediate High patch compliance gap – achieve 95% target | IT Manager | 2026-05-31 | High | Open |
| MR-2026-05 | Confirm ISMS scope remains appropriate; note new AWS region added | Top Management | This meeting | High | [Confirmed unchanged / Change required: …] |
| MR-2026-06 | ISM to implement Entra ID Access Reviews for automated quarterly access certification | ISM | 2026-06-30 | Medium | Open |
| MR-2026-07 | CISO to confirm and document the risk appetite at the next Management Review if an appetite adjustment is made today | CISO | Next review | Medium | Open |
| MR-2026-08 | Add new risk (third-party SaaS dependency) to risk register as R-016 | ISM | 2026-04-15 | Low | Open |
7. Policy and Objectives Review
Information Security Policy review:
- Current version: 1.0 (March 2026)
- ISM recommendation: Minor update required – amend scope statement to explicitly include cloud consulting services (new service line added Q1 2026); no changes to principles or objectives.
- Action: [Approved for update / Deferred / No change required]
Information Security Objectives review:
- Objective 1 (Protect client data): On track – no client data breaches in period.
- Objective 2 (Maintain availability): On track – SOC SLA met 99.8% uptime; no Tier 1 SLA breaches.
- Objective 3 (Regulatory compliance): On track – GDPR and Privacy Act obligations met; no regulatory findings.
- Objective 4 (Manage risk within appetite): Improving – 3 Critical risks moved to High; no open Critical risks.
- Objective 5 (Security culture): Improving – incident reporting culture improving; P4 report volume up 33% (good sign); training completion at 87%.
8. Sign-off
| Role | Name | Signature | Date |
|---|---|---|---|
| Chair (CISO) | [Name] | [Signature] | [Date] |
| Top Management Representative | [Name] | [Signature] | [Date] |
| ISM (Minutes) | [Name] | [Signature] | [Date] |
Next Management Review scheduled: [Date]
These minutes were circulated to attendees on: [Date – within 5 business days]
9. Review History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [ISM Name] | Initial template issue |