Management Review Pack


Confluence page header

Page title:    Management Review Pack
Parent:        EV-A · Management System → Management Reviews
SCM variant:   isms-management (primary)
               isms-security (full access — CISO prepares and maintains)
               isms-all-staff: NOT visible
               isms-it-staff: NOT visible
Page owner:    CISO
Last reviewed: [DATE]

Structure of this page

This page contains four things: the standing agenda template that is used for every annual management review; the inputs pack guide that the CISO prepares and distributes one week before the review; the decisions that management must make and document; and the minutes template that becomes EV-A01 once signed. Below those, a section covers how the outputs of the review feed the corrective action register and the broader ISMS governance cycle.

Individual management review records are filed as child pages of this page, one per year:

EV-A · Management System → Management Reviews
│
├── Management Review Pack [this page — standing templates]
├── 2024
│   ├── Pre-Review Inputs Pack — 2024
│   ├── EV-A01 Management Review Minutes — 2024 [signed]
│   └── Actions and Decisions Register — 2024
├── 2025
│   ├── Pre-Review Inputs Pack — 2025
│   ├── EV-A01 Management Review Minutes — 2025 [signed]
│   └── Actions and Decisions Register — 2025
└── [continues annually]

Why this matters — the ISO 27001 clause 9.3 requirement

ISO 27001 clause 9.3 requires that top management reviews the organisation's ISMS at planned intervals. Clause 9.3.1 specifies the purpose: to ensure the ISMS's continuing suitability, adequacy, and effectiveness. Clause 9.3.2 specifies nine required inputs that must be addressed. Clause 9.3.3 specifies the required outputs.

An ISO 27001 certification body auditor at a surveillance audit will ask for the management review minutes, will check that top management attended (not just the CISO), will verify that each of the nine required inputs was discussed and documented, and will cross-reference the required outputs against the corrective action register and the ISMS objectives for the coming year. A management review where any of the nine inputs was not addressed, or where outputs were not documented and tracked, is a major or minor nonconformity depending on severity.

NIST SP 800-171 control 3.12.3 (monitor security controls on an ongoing basis) and 3.12.1 (periodically assess security controls) are both evidenced partly through the management review — it is the governance event where monitoring outputs are formally reviewed and decisions are made about corrective actions and resources. CMMC assessors expect to see that the POA&M is reviewed at management level, not just by the CISO.

DEFSTAN Profile 2 §Governance expects a documented governance mechanism through which security performance is reviewed by senior management. The management review satisfies this.


Part 1 — Annual management review agenda template

This is the standing agenda. It is used unchanged each year. The pre-review inputs pack (Part 2) provides the content that fills each agenda item. Do not modify the agenda structure without CISO approval — changes affect whether ISO 27001 clause 9.3.2 inputs are all addressed.


ANNUAL ISMS MANAGEMENT REVIEW — [YEAR]
AGENDA

Date:      [DATE]
Time:      [START TIME] — [END TIME] (allow 120 minutes minimum)
Location:  [ROOM / VIDEO CONFERENCE LINK]
Chair:     [Director name — not the CISO. ISO 27001 clause 5.1 requires
            top management to demonstrate leadership. The CISO presents;
            a director or equivalent chairs and makes decisions.]
Minute-taker: CISO (or designated delegate — not the same person as the chair)

REQUIRED ATTENDEES
  [Director / MD / Chair — the CMMC senior official if applicable]
  [Other Directors or Heads of Function as relevant]
  CISO
  IT Manager
  HR Manager (for agenda items 6 and 8)
  [Other risk owners as relevant to items 4 and 5]

  Minimum quorum for the meeting to proceed:
    At least one Director or equivalent (not CISO alone)
    CISO

  If quorum cannot be met: reschedule. A management review attended only
  by IT staff does not satisfy ISO 27001 clause 9.3 regardless of how 
  well it is documented.

PRE-READING (distributed 1 week before — see Pre-Review Inputs Pack):
  □ CISO briefing paper (8 pages maximum)
  □ Annual security metrics summary (EV-F02 12-month aggregation)
  □ Risk register executive summary (top 10 risks, residual ratings, treatment status)
  □ Prior year management review minutes and actions status
  □ Policy review log (which policies need re-approval at this meeting)
  □ Internal audit findings summary
  □ Proposed security objectives for the coming year

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 1 — HOUSEKEEPING AND QUORUM [5 minutes]

  1.1 Attendance and quorum confirmed
  1.2 Apologies noted
  1.3 Conflicts of interest declared (none expected — note if any)
  1.4 Prior year minutes — confirmed as accurate record: YES / NO
      [If No: corrections noted and prior minutes updated before filing]
  1.5 Purpose of the meeting confirmed:
      Review of ISMS suitability, adequacy, and effectiveness for [YEAR]
      ISO 27001 clause 9.3 annual requirement

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 2 — STATUS OF ACTIONS FROM PREVIOUS MANAGEMENT REVIEW
[10 minutes]
ISO 27001 clause 9.3.2(a) — required input

  CISO presents: the actions and decisions register from the prior year's
  management review. For each action: was it completed by the stated date?
  If not, what is the current status and revised target?

  Management confirms: which prior actions are closed; which require
  revised timelines; which reveal a systemic issue requiring further attention.

  Decision required if any prior action has been significantly delayed:
    Is the delay acceptable?
    Does it require additional resource?
    Does it create a compliance gap that must be addressed now?

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 3 — CHANGES IN EXTERNAL AND INTERNAL ISSUES RELEVANT TO THE ISMS
[10 minutes]
ISO 27001 clause 9.3.2(b) — required input

  CISO presents:
    External changes: regulatory changes (new DFARS clauses, CMMC programme
    updates, NCSC guidance, ICO enforcement trends, DEFSTAN updates);
    threat landscape changes (sector-specific threat intelligence, new attack
    vectors relevant to defence contractors); customer and contracting authority
    security requirements changes.

    Internal changes: changes to business structure, ownership, or strategy
    that affect the ISMS scope; new contracts with new compliance obligations;
    changes to key personnel; technology changes (new systems, decommissions).

  Management confirms: are any of these changes significant enough to require
  an ISMS scope change, a policy revision, or a revised risk assessment?

  Decision required if:
    A new contract introduces a compliance obligation not currently met
    A business change materially alters the ISMS boundary
    A regulatory change requires a policy or process update not yet made

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 4 — ISMS PERFORMANCE — SECURITY METRICS AND MONITORING OUTPUTS
[20 minutes]
ISO 27001 clause 9.3.2(c) — required input (feedback on information security performance)

  CISO presents the annual security metrics summary. For each metric:
    Target, actual performance over the year, trend, and whether performance
    is acceptable or requires management attention.

  Sub-item 4.1 — Patch management compliance
    Critical patches within 7-day SLA: [%] (target: 100%)
    High patches within 14-day SLA: [%] (target: 95%)
    CISA KEV closure rate: [%] (target: 100%)
    EOL software instances: [N] (target: 0)
    [Trend chart: 12 months]

  Sub-item 4.2 — Malware protection coverage
    EDR deployment: [%] (target: 100%)
    Signature currency <24h: [%] (target: 100%)
    [Trend chart: 12 months]

  Sub-item 4.3 — Access control
    MFA coverage: [%] (target: 100%)
    Quarterly privileged reviews conducted on time: [N of 4] (target: 4/4)
    Leaver accounts disabled same-day: [%] (target: 100%)
    [Trend: 12 months]

  Sub-item 4.4 — Security training
    Annual awareness training completion: [%] (target: 100%)
    Phishing simulation click rate: Q1 [%] → Q2 [%] → Q3 [%] → Q4 [%]
    Role-specific training completion: [%] (target: 100%)

  Sub-item 4.5 — Vulnerability management
    Open Critical vulnerabilities at year-end: [N] (target: 0)
    Open High vulnerabilities at year-end: [N]
    Open POA&M items: [N] — High risk: [N] — Overdue: [N]

  Sub-item 4.6 — Continuous monitoring health
    Monthly SIEM log reviews produced on time: [N of 12] (target: 12/12)
    Monthly metrics reports produced on time: [N of 12] (target: 12/12)
    SIEM log source gaps this year: [N] — resolved within SLA: [N of N]

  Management decision required if any metric is materially below target:
    Is the performance gap acceptable?
    Does it require additional resource or process change?
    Does it require a corrective action?

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 5 — RISK POSTURE AND TREATMENT STATUS
[20 minutes]
ISO 27001 clause 9.3.2(d) — required input (results of risk assessment and risk treatment)

  CISO presents:
    Risk register summary: total risks by category and level
    Risks exceeding risk appetite: [N] — detail per risk
    Top 5 risks: current residual rating and treatment status
    Risks closed this year: [N] and why
    New risks added this year: [N] and origin
    Treatment investment decisions requested (from Management Risk Posture page)

  Management confirms: risk appetite is still appropriate for the organisation's
  context and strategic direction.

  Formal risk acceptances required:
    For each risk rated High or Very High with proposed acceptance:
    Management discusses, decides, and the decision is recorded in the minutes.
    This is the formal acceptance record — the minutes are the evidence.

  Proposed treatment investment decisions:
    For each proposal on the Management Risk Posture → Treatment Investment
    Decisions page: management decides Approve / Approve modified / Defer / Decline.
    Budget commitment recorded in minutes.

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 6 — RESULTS OF INTERNAL AUDIT AND ASSESSMENT
[15 minutes]
ISO 27001 clause 9.3.2(e) — required input

  CISO presents:
    Annual internal assessment results: controls assessed, findings by severity,
    controls rated as Not Implemented or Partially Implemented.
    Status of corrective actions from internal assessment findings.
    CMMC self-assessment result: current SPRS score and POA&M status.
    External assessments if applicable: Cyber Essentials renewal,
    ISO 27001 surveillance audit findings, C3PAO assessment.

  Management confirms: assessment programme is adequate; findings are being
  appropriately resourced; no finding has been deprioritised inappropriately.

  CMMC senior official confirmation (if CMMC is in scope):
    The senior official confirms they have reviewed the self-assessment
    results and the POA&M, and that the SPRS score accurately reflects
    the organisation's posture. This is documented here before the
    separate affirmation document is signed.

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 7 — FEEDBACK FROM INTERESTED PARTIES
[10 minutes]
ISO 27001 clause 9.3.2(f) — required input

  CISO presents:
    Customer security feedback: any security questionnaires, audits, or
    requirements received from customers this year; how they were addressed.

    Regulator and certification body feedback: any observations from ISO 27001
    surveillance audit; any ICO correspondence; any HMRC or other regulatory
    contact on data security; any NCSC Early Warning significant advisories.

    DEFSTAN contracting authority feedback: any security observations from the
    contracting authority; any notifications made during the year.

    CMMC feedback: any DoD supplier performance feedback received; any SPRS
    score challenges or questions from contracting officers.

  Management confirms: all interested party feedback has been addressed;
  any outstanding matters require management awareness or decision.

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 8 — SUPPLIERS AND THIRD PARTIES
[5 minutes]
ISO 27001 clause 9.3.2 (supporting — A.5.22 monitoring of supplier services)

  CISO presents:
    Supplier security assessment status: which critical suppliers were assessed
    this year; any findings; any suppliers whose risk rating changed.
    Any supplier security incidents this year.
    Any new suppliers granted access to CUI or OFFICIAL information.

  Management confirms: supplier security programme is proportionate;
  any supplier risk concerns are being managed.

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 9 — NONCONFORMITIES AND CORRECTIVE ACTIONS
[10 minutes]
ISO 27001 clause 9.3.2(g) — required input

  CISO presents:
    Corrective action register status (EV-A03):
    Total open corrective actions: [N]
    Actions closed this year: [N]
    Actions overdue: [N]
    Recurring nonconformities (same issue as a prior year): [N] — describe each

    If any corrective action has been open for more than 12 months without
    resolution: management must explicitly acknowledge this and either resource
    it for closure or formally accept the risk of continued non-resolution.

  Management confirms: corrective action programme is functioning; recurring
  nonconformities are not indicating a systemic process failure.

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 10 — CONTINUAL IMPROVEMENT AND SECURITY OBJECTIVES FOR COMING YEAR
[15 minutes]
ISO 27001 clause 9.3.2(h) and 9.3.3 — required input AND required output

  CISO presents proposed security objectives for [YEAR+1]:
    Each objective must be SMART (Specific, Measurable, Achievable, Relevant,
    Time-bound). The CISO proposes; management approves, modifies, or adds.

    Format per objective:
      Objective: [specific, measurable statement]
      Rationale: [why this objective — linked to a risk, a finding, or a gap]
      Target metric: [the number or state that means the objective is achieved]
      Owner: [named individual — not a team]
      Resource required: [budget, people, time — confirmed at this meeting]
      Deadline: [specific date within the coming year]

  Management decisions made at this item:
    Which proposed objectives are approved?
    What resources are allocated to each?
    What is the process for tracking progress (quarterly via Management Risk
    Posture page; confirmed at next management review)?

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 11 — POLICY RE-APPROVAL
[5 minutes]
ISO 27001 clause 5.2 — required for policies due for annual re-approval

  CISO presents: policy review log showing which policies are due for
  re-approval this year and any proposed changes to content.

  Management confirms: policies are reviewed (pre-reading) and re-approved.
  Signatures captured in the minutes or in a separate policy sign-off record.

  Note: the Information Security Policy (Policy 01) requires top management
  approval. Confirm the most senior attendee re-approves it here.

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 12 — RESOURCES AND ISMS ADEQUACY
[5 minutes]
ISO 27001 clause 9.3.3 — required output

  CISO confirms: the ISMS has the resources it needs to function in the
  coming year. If there are resource gaps not addressed by the investment
  decisions already made, they are raised here.

  Management confirms: ISMS is adequately resourced or explicitly acknowledges
  the resource constraint and its implications for the ISMS posture.

  This item is frequently treated as a formality — it should not be. An ISMS
  that is under-resourced produces gaps that appear at assessments. If the CISO
  has resource concerns, this is the formal mechanism to raise them with
  management on the record.

─────────────────────────────────────────────────────────────────────────────

AGENDA ITEM 13 — CLOSE
[5 minutes]

  Next management review: confirm date for [YEAR+1]
  Actions and decisions register: CISO circulates draft within 5 working days
  Minutes: circulated for review within 5 working days; signed version filed
           as EV-A01 within 10 working days

─────────────────────────────────────────────────────────────────────────────

Part 2 — Pre-review inputs pack guide

The CISO produces this pack and distributes it to all attendees one week before the management review. It is the preparation material that enables management to engage meaningfully with each agenda item rather than receiving all information for the first time on the day.


What the inputs pack must contain

The inputs pack is a single compiled document (PDF preferred for distribution; source files retained in Confluence) that contains:


Document 1 — CISO Annual Briefing Paper (maximum 8 pages)

Section 1: Executive summary (1 page)
  The CISO's assessment of the overall ISMS posture in 3–5 paragraphs.
  What has improved, what remains a concern, what requires management decision.
  Written for a Director who will read this on their phone on the train —
  not for a security professional.

Section 2: What happened this year (2 pages)
  Significant security events: incidents (Class 2 and above); near-misses;
  any event where the organisation was targeted or affected.
  Assessment outcomes: what assessments were conducted; key findings.
  Compliance changes: any new obligations; any certifications renewed or lapsed.
  Supplier events: any supplier security incident or change affecting us.

Section 3: Compliance posture (1 page)
  Table: each certification and obligation with current status, validity,
  and next event. Matches the table in the Management Risk Posture page.

Section 4: CISO recommendations for the coming year (2 pages)
  Proposed security objectives with rationale.
  Treatment investment proposals with options and CISO recommendation.
  Any structural changes recommended to the ISMS programme.

Section 5: What management must decide at the review (1 page)
  A clear list of the specific decisions required at the review — so that
  management arrives knowing what they are being asked to decide, not
  discovering it on the day.

Section 6: What management must approve or confirm (1 page)
  Risk acceptances proposed.
  Policies requiring re-approval (list).
  CMMC affirmation (if applicable).
  ISMS scope confirmation.
  Risk appetite confirmation.

Document 2 — Annual security metrics summary

The 12-month aggregation of EV-F02 data. Not the twelve individual monthly reports — a single summary showing:
  Each key metric: monthly values across the year as a table or chart
  Trend direction: improving, stable, or deteriorating
  Whether the year-end position meets the stated annual target
  Any month where a metric was significantly below target and what was done

This document is produced by the CISO from the EV-F02 filing series. It is typically 4–6 pages with charts.
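The aggregation step above is mechanical once the monthly EV-F02 values are in hand. As an added illustration that is not part of this page or the organisation's own tooling, the script below takes twelve monthly values per metric and produces the four things the summary must show: the monthly series, the trend direction, whether the year-end position meets the annual target, and which months were significantly below target. The metric names, targets, the "significant gap" thresholds and the sample values are all constructed for the example; the trend rule (mean of the last quarter against the mean of the first quarter, with a tolerance) is an assumed convention, not one the page specifies.

```python
"""Build the annual security metrics summary from twelve monthly values per metric.

Example code only (not the page's own tooling). Metric names, targets, the
'significantly below target' thresholds and the sample values are constructed.
"""
from dataclasses import dataclass
from statistics import mean

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


@dataclass(frozen=True)
class MetricSpec:
    name: str              # label used in the summary
    target: float          # annual target from the agenda (assumed values)
    higher_is_better: bool # True for coverage %, False for counts such as open vulns
    significant_gap: float # distance from target that counts as "significantly below"


# Assumed metric definitions, mirroring the agenda item 4 targets.
SPECS = {
    "critical_patch_sla_pct": MetricSpec("Critical patches within 7-day SLA (%)", 100, True, 5),
    "mfa_coverage_pct":       MetricSpec("MFA coverage (%)", 100, True, 5),
    "open_critical_vulns":    MetricSpec("Open Critical vulnerabilities", 0, False, 1),
}

# Constructed sample year of EV-F02 monthly values (January .. December). Not real data.
SAMPLE_YEAR = {
    "critical_patch_sla_pct": [100, 100, 98, 100, 100, 100, 91, 100, 100, 100, 100, 100],
    "mfa_coverage_pct":       [88, 90, 92, 94, 95, 97, 98, 99, 100, 100, 100, 100],
    "open_critical_vulns":    [0, 0, 1, 0, 0, 0, 3, 2, 0, 0, 0, 1],
}


def shortfall(spec: MetricSpec, value: float) -> float:
    """Distance from target in the unfavourable direction; 0 when the target is met."""
    if spec.higher_is_better:
        return max(0.0, spec.target - value)
    return max(0.0, value - spec.target)


def trend(spec: MetricSpec, values: list, tolerance: float = 1.0) -> str:
    """Assumed rule: compare the mean of the last quarter with the mean of the first.

    A move of more than `tolerance` in the favourable direction is 'improving',
    more than `tolerance` the other way is 'deteriorating', otherwise 'stable'.
    """
    first, last = mean(values[:3]), mean(values[-3:])
    delta = (last - first) if spec.higher_is_better else (first - last)
    if delta > tolerance:
        return "improving"
    if delta < -tolerance:
        return "deteriorating"
    return "stable"


def summarise(spec: MetricSpec, values: list) -> dict:
    """One summary row: series, year-end position vs target, trend, bad months."""
    if len(values) != 12:
        raise ValueError(f"{spec.name}: expected 12 monthly values, got {len(values)}")
    return {
        "metric": spec.name,
        "monthly": list(values),
        "target": spec.target,
        "year_end": values[-1],
        "year_end_meets_target": shortfall(spec, values[-1]) == 0,
        "trend": trend(spec, values),
        # Months where the gap reached the 'significant' threshold; each needs a
        # "what was done" note in the pack, which this script cannot supply.
        "months_significantly_below": [
            MONTHS[i] for i, v in enumerate(values)
            if shortfall(spec, v) >= spec.significant_gap
        ],
    }


def build_annual_summary(year_data: dict, specs: dict) -> dict:
    """Aggregate every metric in `year_data` using its spec from `specs`."""
    return {key: summarise(specs[key], vals) for key, vals in year_data.items()}


def render(summary: dict) -> str:
    """Plain-text table suitable for pasting into the inputs pack."""
    lines = [f"{'Metric':40} {'Year-end':>9} {'Target':>7} {'Met':>4} {'Trend':13} Below-target months"]
    for row in summary.values():
        lines.append(
            f"{row['metric']:40} {row['year_end']:>9} {row['target']:>7} "
            f"{'yes' if row['year_end_meets_target'] else 'no':>4} {row['trend']:13} "
            f"{', '.join(row['months_significantly_below']) or '-'}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_annual_summary(SAMPLE_YEAR, SPECS)))
```

The "significantly below target" threshold is per metric on purpose: a single open Critical vulnerability is material, whereas a coverage figure a point or two short of 100% usually is not. Whatever thresholds are chosen should be stated in the summary so management reads the flagged months consistently year on year.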


Document 3 — Risk register executive summary

Not the full risk register (which is too detailed for pre-reading). A 2-page summary containing:
  Total risks by category and current residual level
  All risks currently exceeding risk appetite (with current rating and brief description)
  Top 5 risks by residual rating with one-paragraph plain-English description each
  Risks closed this year and why
  New risks added this year and their origin


Document 4 — Prior year actions status

The actions and decisions register from the previous management review with a current status column added. Management can see at a glance which prior commitments have been completed and which are outstanding. For each outstanding item: current status, revised target date, and a brief explanation of why it is still open.


Document 5 — Internal audit summary

The annual internal assessment report (EV-A02) executive summary — not the full report. 2–3 pages covering:
  Scope of the assessment (which control families were assessed)
  Number of findings by severity
  Most significant findings in plain English
  Status of corrective actions raised from findings
  CMMC self-assessment score and any change from prior year


Document 6 — Proposed security objectives for the coming year

One page per proposed objective, in the format:

OBJECTIVE [N]: [Title]

What we will achieve:
  [Specific, measurable outcome statement]

Why this matters:
  [Plain English rationale — linked to a risk, a finding, or a compliance gap]

How we will measure it:
  [The specific metric or state that indicates the objective is achieved]

What it will cost:
  [Budget required / people required / existing resource only]

Who is responsible:
  [Named individual — owner of this objective]

When it will be done:
  [Specific date]

If we do not achieve this:
  [What the consequence is — links to risk register or compliance obligation]

Document 7 — Policy review log

The policy review log from Section 3 of the Management Policy Accountability page, updated to show which policies are due for re-approval at this review and any proposed changes to policy content.


Distribution and pre-reading expectations

DISTRIBUTION
  Deadline: one week before the review date
  Method: Confluence notification to all attendees (link to the year's
          Pre-Review Inputs Pack child page) + email summary with links
  Format: individual Confluence pages within the year's folder, plus
          a single-page index with links to each document

PRE-READING EXPECTATIONS
  Directors and senior management: all 7 documents
  HR Manager: Documents 1, 5 (training section), 6 (training objectives)
  Risk owners (attending for specific agenda items): Documents 1, 3

  If an attendee has not read the pre-reading, the meeting will not be
  slowed for them. The CISO presents; management is expected to have read
  the context before arriving.

ACKNOWLEDGEMENT
  CISO circulates a pre-reading acknowledgement request with the pack.
  Attendees confirm they have read the pre-reading by the day before the review.
  If a Director confirms they have not had time to read, the CISO provides
  a 15-minute verbal briefing immediately before the meeting.

Part 3 — Decisions management must make

The following decisions are required at every management review. They are not optional agenda items — they are outputs of ISO 27001 clause 9.3.3 and evidence that management has actively engaged with the ISMS. Each decision must be documented in the minutes.


Mandatory decisions (required every year)

Decision 1 — ISMS scope confirmation

Management must confirm that the ISMS scope statement is still accurate and appropriate. If the scope has changed, management must confirm the updated scope and direct the CISO to update the SSP within 30 days.

Evidence in minutes: "The management team confirmed that the ISMS scope statement is accurate as of [date] / The management team confirmed the following changes to the ISMS scope: [describe]. CISO to update the SSP by [date]."


Decision 2 — Risk appetite confirmation

Management must confirm that the risk appetite thresholds remain appropriate for the organisation's current context and strategic direction. If any threshold changes, it must be documented.

Evidence in minutes: "The management team reviewed the risk appetite statement and confirmed it remains appropriate for the organisation's current strategic direction and contractual obligations. No changes to the appetite thresholds were made / The following change to the risk appetite was agreed: [describe]. CISO to update the Management Risk Posture page by [date]."


Decision 3 — Security objectives approval

Management must approve the security objectives for the coming year, with named owners and explicit resource commitments. Objectives proposed by the CISO that are not approved must also be documented — with the reason.

Evidence in minutes: Per objective — "Objective [N] ([title]) was approved. Owner: [name]. Resource committed: [£ or person-days]. Deadline: [date]." For declined objectives: "Objective [proposed title] was not approved. Reason: [brief]. Alternative direction: [if any]."


Decision 4 — Resource confirmation

Management must explicitly confirm that the ISMS has adequate resources for the coming year, or acknowledge any resource gap and its implications. This is ISO 27001 clause 9.3.3 output — it is tested at surveillance audits.

Evidence in minutes: "The management team confirmed that the ISMS programme is adequately resourced for [YEAR]. / The management team acknowledged that [specific resource constraint] exists and accepted that this means [specific implication]. The CISO will manage within the available resource by [approach]."


Decision 5 — ISMS overall adequacy

Management must make an explicit statement about whether the ISMS is fit for purpose. This is the overarching ISO 27001 clause 9.3.1 output — the management team's view on whether the ISMS is suitable, adequate, and effective.

Evidence in minutes: "The management team reviewed the ISMS performance, risk posture, and assessment results and confirmed that the ISMS is [suitable / adequate / effective] for [YEAR]. / The management team identified the following concerns about ISMS effectiveness that require attention in [YEAR+1]: [describe]."


Situational decisions (required when triggered)

Decision 6 — Formal risk acceptance

Required when a risk exceeds the risk appetite and management has decided to accept it rather than treat it. Each acceptance must be individually documented.

Evidence in minutes: "The management team formally accepted RISK-[YYYY]-[NNN] ([title]) at a residual rating of [level]. This exceeds the [confidentiality / compliance] risk appetite threshold. Acceptance rationale: [plain English justification]. Compensating controls in place: [describe]. The CISO will review this acceptance at the next management review and will escalate immediately if the compensating controls are no longer effective. Accepted by: [name, role]."


Decision 7 — Treatment investment decisions

Required for each proposal on the Management Risk Posture — Treatment Investment Decisions page.

Evidence in minutes: "Proposal [Ref] ([title]) was [approved / approved with modification / deferred / declined]. [For approved:] Budget of £[X] approved. Owner: [name]. Expected completion: [date]. [For deferred:] Deferred to [budget cycle]. CISO to re-present at Q[N] management review. [For declined:] Risk RISK-[YYYY]-[NNN] will remain at [level] without this investment. The management team confirmed this is acceptable within the risk appetite. / The management team acknowledged this exceeds appetite and accepted the residual risk."


Decision 8 — Policy re-approval

Required for each policy due for annual re-approval.

Evidence in minutes: "Policy 01 (Information Security Policy) v[N] was reviewed and re-approved for [YEAR] by [Director name, role] on [date]. No changes / The following changes were approved: [describe]." [Repeat per policy.]


Decision 9 — CMMC senior official affirmation (if applicable)

Required annually if the organisation handles CUI under DoD contracts.

Evidence in minutes: "[Director name, role] confirmed that they have reviewed the CMMC self-assessment results and the current SPRS score of [N], and that the score accurately reflects the organisation's implementation status as of [date]. [Director name] will sign the formal senior official affirmation document. CISO to file the signed affirmation before [SPRS submission deadline]."


Decision 10 — Corrective action resource decisions

Required when a corrective action is significantly delayed or requires additional resource to close.

Evidence in minutes: "Corrective action CA-[YYYY]-[NNN] ([brief description]) has been open for [N] months without resolution. The management team [approved additional resource of [describe] to close this by [date] / acknowledged the delay and confirmed the target completion date is revised to [date] / accepted that this corrective action will remain open with the following compensating control in place: [describe]]."


Part 4 — EV-A01 minutes template

This template is completed during and immediately after the management review. The minutes become EV-A01 once signed. They are the primary compliance evidence for ISO 27001 clause 9.3 and are reviewed at every subsequent surveillance and recertification audit.


═══════════════════════════════════════════════════════════════════
ISMS ANNUAL MANAGEMENT REVIEW — MINUTES
EVIDENCE REFERENCE: EV-A01-[YYYY]
═══════════════════════════════════════════════════════════════════

Date:      [DATE]
Time:      [START] — [END]
Location:  [ROOM / PLATFORM]
Chair:     [Director name, role]
Minute-taker: [CISO or delegate name]

ATTENDEES
  Name                    Role                    Present / Apology
  [Director name]         [Role]                  Present
  [Director name]         [Role]                  Present
  [CISO name]             CISO                    Present
  [IT Manager name]       IT Manager              Present
  [HR Manager name]       HR Manager              Present
  [Other names]           [Roles]                 Present / Apology

QUORUM CONFIRMED: Yes / No
  If No — meeting did not proceed to recorded decisions: state here and
  record that the meeting was rescheduled to [date].

PRE-READING COMPLETION
  All attendees confirmed pre-reading completed: Yes / No
  [If No: list who had not completed pre-reading; note any briefing provided]

═══════════════════════════════════════════════════════════════════
ITEM 1 — HOUSEKEEPING AND QUORUM
═══════════════════════════════════════════════════════════════════

1.1 Quorum confirmed: Yes
1.2 Apologies: [name — role]
1.3 Conflicts of interest: None declared / [describe if any]
1.4 Prior year minutes (EV-A01-[YYYY-1]):
    Confirmed as accurate: Yes / No — corrections: [describe if any]
1.5 Purpose confirmed: Annual management review under ISO 27001 clause 9.3

═══════════════════════════════════════════════════════════════════
ITEM 2 — STATUS OF ACTIONS FROM PREVIOUS REVIEW
[ISO 27001 clause 9.3.2(a)]
═══════════════════════════════════════════════════════════════════

CISO presented the prior year actions and decisions register. Status as follows:

Actions closed this year: [N]
  [List each: Action ref | Description | Closed date | Verified by]

Actions outstanding:
  [List each: Action ref | Description | Original target | Current status
   | Revised target | Reason for delay]

Actions outstanding >12 months:
  [List each with the management decision made — additional resource /
   revised target confirmed / risk accepted]

MANAGEMENT CONFIRMED: [All prior actions are either closed or have a confirmed
revised plan. / The following actions require management attention: [describe].]

═══════════════════════════════════════════════════════════════════
ITEM 3 — CHANGES IN EXTERNAL AND INTERNAL ISSUES
[ISO 27001 clause 9.3.2(b)]
═══════════════════════════════════════════════════════════════════

EXTERNAL CHANGES PRESENTED:
  Regulatory: [summarise — e.g. "CMMC final rule published under 32 CFR 170;
   organisation's CMMC Level 2 C3PAO assessment confirmed for Q[N] [YYYY]"]
  Threat landscape: [summarise — e.g. "NCSC annual threat report identified
   defence contractors as continuing high-priority targets for state actors;
   phishing and credential theft remain primary initial access vectors"]
  Customer requirements: [summarise]

INTERNAL CHANGES PRESENTED:
  Business structure: [summarise — e.g. "No material structure changes in [YEAR]"]
  New contracts with new compliance obligations: [summarise]
  Key personnel changes: [summarise]
  Technology changes: [summarise]

MANAGEMENT CONFIRMED: [Changes presented are noted. No ISMS scope change required
at this time. / The following scope change is approved: [describe]. CISO to update
SSP by [date].]

DECISIONS MADE:
  [Document any decisions arising from this item]

═══════════════════════════════════════════════════════════════════
ITEM 4 — ISMS PERFORMANCE — SECURITY METRICS
[ISO 27001 clause 9.3.2(c)]
═══════════════════════════════════════════════════════════════════

CISO presented the annual security metrics summary. Key points noted:

Patch management:
  Critical patch SLA compliance: [%] — [met / not met target of 100%]
  Comments: [any context — e.g. "Two SLA breaches in Q3 due to vendor delay;
   both had documented exceptions; no exploitation occurred"]

Malware protection:
  EDR coverage: [%] — [met / not met target of 100%]
  Comments: [any context]

Access control:
  MFA coverage: [%] — [met / not met target of 100%]
  Leaver same-day deactivation: [%]
  Comments: [any context]

Security training:
  Annual training completion: [%] — [met / not met target of 100%]
  Phishing simulation trend: [improving / stable / deteriorating]
  Comments: [any context]

Vulnerabilities and POA&M:
  Open Critical vulnerabilities: [N]
  Open High-risk POA&M items: [N]
  POA&M items overdue: [N]
  Comments: [any context]

Continuous monitoring:
  SIEM log reviews completed on time: [N/12]
  Comments: [any context]

MANAGEMENT NOTED: [Key observations from the discussion — not just summaries
of the CISO presentation. What did management find concerning, reassuring, or
worthy of further attention?]

DECISIONS MADE:
  [Document any decisions arising from this item — e.g. "The management team
   directed the CISO to investigate why leaver deactivation was below target
   in Q2 and to report corrective action at Q3 management risk posture review."]

═══════════════════════════════════════════════════════════════════
ITEM 5 — RISK POSTURE AND TREATMENT STATUS
[ISO 27001 clause 9.3.2(d)]
═══════════════════════════════════════════════════════════════════

CISO presented the risk register summary.

Current risk posture: [N] active risks
  Very High: [N] | High: [N] | Moderate: [N] | Low: [N]
Risks exceeding risk appetite: [N]

RISK APPETITE CONFIRMATION:
  The management team reviewed the risk appetite statement.
  DECISION: Risk appetite thresholds confirmed as appropriate for [YEAR+1] /
  The following changes to risk appetite were agreed: [describe]

FORMAL RISK ACCEPTANCES:
  [For each risk accepted:
   "RISK-[YYYY]-[NNN] ([title]) — residual rating [level] — formally accepted
    by [name, role]. Rationale: [describe]. Compensating controls: [describe].
    Review at next management review."]

TREATMENT INVESTMENT DECISIONS:
  [For each proposal:
   "Proposal [Ref] ([title]):
    Decision: Approved / Modified / Deferred / Declined
    [If approved:] Budget: £[X]. Owner: [name]. Target: [date].
    [If declined:] Risk [YYYY-NNN] remains at [level]. Management confirmed
    this is within appetite / Management accepted elevated risk."]

═══════════════════════════════════════════════════════════════════
ITEM 6 — INTERNAL AUDIT AND ASSESSMENT RESULTS
[ISO 27001 clause 9.3.2(e)]
═══════════════════════════════════════════════════════════════════

CISO presented the internal audit summary and assessment results.

Internal assessment:
  Controls assessed: [N] (of 110 total)
  Findings: Critical [N] | High [N] | Moderate [N] | Low [N]
  Findings from prior year now closed: [N]
  Significant new findings: [summarise in plain English]

CMMC self-assessment:
  Current SPRS score: [N] / 110
  Change from prior year: [+N / -N / unchanged]
  Open POA&M items: [N]

  CMMC SENIOR OFFICIAL CONFIRMATION:
  [Director name, role] confirmed that they have reviewed the self-assessment
  results and that the SPRS score of [N] accurately reflects the organisation's
  current implementation status. [Director name] will sign the formal
  affirmation document. CISO to file before [date].

External assessments:
  ISO 27001 surveillance audit [YYYY]: [findings summary; all closed / [N] open]
  Cyber Essentials: renewed [date]; no findings / [findings summary]
  [Other: describe]

MANAGEMENT NOTED: [Management's assessment of the audit programme's adequacy;
any directions given to the CISO regarding the scope or approach of future
internal assessments]

DECISIONS MADE:
  [Document any decisions arising — e.g. "The management team approved the
   expansion of the internal audit programme to include the SC control family
   in [YEAR+1], given the upcoming C3PAO assessment."]

═══════════════════════════════════════════════════════════════════
ITEM 7 — FEEDBACK FROM INTERESTED PARTIES
[ISO 27001 clause 9.3.2(f)]
═══════════════════════════════════════════════════════════════════

CISO presented interested party feedback received during the year.

Customer feedback: [summarise]
Regulatory / certification body feedback: [summarise]
DEFSTAN contracting authority feedback: [summarise]
CMMC / DoD feedback: [summarise]

Outstanding matters: [any unresolved feedback requiring management action]

DECISIONS MADE:
  [Document any decisions arising]

═══════════════════════════════════════════════════════════════════
ITEM 8 — SUPPLIERS AND THIRD PARTIES
═══════════════════════════════════════════════════════════════════

Supplier security assessments completed: [N]
Suppliers with elevated risk this year: [N] — [describe]
Supplier incidents: [N] — [describe briefly]
New suppliers granted CUI or OFFICIAL access: [N]

MANAGEMENT NOTED: [brief note on management's view]

DECISIONS MADE:
  [Document any decisions — e.g. "The management team directed that [supplier]
   be assessed before any further CUI data is shared with them."]

═══════════════════════════════════════════════════════════════════
ITEM 9 — NONCONFORMITIES AND CORRECTIVE ACTIONS
[ISO 27001 clause 9.3.2(g)]
═══════════════════════════════════════════════════════════════════

Open corrective actions: [N]
Closed this year: [N]
Overdue: [N]
Recurring nonconformities (same issue as prior year): [N]

For each overdue or recurring nonconformity:
  CA-[YYYY]-[NNN]: [description]
  Current status: [describe]
  Management decision: [additional resource / revised target / risk accepted]

MANAGEMENT CONFIRMED: [The corrective action programme is functioning and
all significant nonconformities are being actively managed. / The following
systemic issue was identified and directed for root cause analysis: [describe].]

═══════════════════════════════════════════════════════════════════
ITEM 10 — SECURITY OBJECTIVES FOR [YEAR+1]
[ISO 27001 clause 9.3.2(h) — input / 9.3.3 — required output]
═══════════════════════════════════════════════════════════════════

SECURITY OBJECTIVES APPROVED FOR [YEAR+1]:

Objective 1: [Title]
  Target: [specific measurable outcome]
  Owner: [named individual]
  Resource committed: [£X / [N] person-days / existing resource]
  Deadline: [date]

Objective 2: [Title]
  [same format]

[Continue for all approved objectives]

PROPOSED OBJECTIVES NOT APPROVED:
  [If any:] "[Proposed objective title]" — not approved at this review.
  Reason: [brief]. CISO to reconsider for [next year / next budget cycle].

═══════════════════════════════════════════════════════════════════
ITEM 11 — POLICY RE-APPROVAL
[ISO 27001 clause 5.2]
═══════════════════════════════════════════════════════════════════

The following policies were reviewed and re-approved for [YEAR+1]:

Policy 01 (Information Security Policy) v[N]:
  Changes: None / [describe changes]
  Re-approved by: [Director name, role]
  Date: [DATE]

[Repeat for each policy due for re-approval]

Policies confirmed as current (no re-approval required this cycle):
  [List policies not due for re-approval and the date they were last approved]

═══════════════════════════════════════════════════════════════════
ITEM 12 — RESOURCES AND ISMS ADEQUACY
[ISO 27001 clause 9.3.3 — required output]
═══════════════════════════════════════════════════════════════════

CISO presented the ISMS resource position for [YEAR+1].

MANAGEMENT DECISION ON RESOURCE ADEQUACY:
  "The management team confirms that the ISMS is adequately resourced for
   [YEAR+1], including the commitments made under Agenda Item 10 (security
   objectives) and Agenda Item 5 (treatment investment decisions)."

  OR

  "The management team acknowledges the following resource constraint:
   [describe]. The CISO will manage within available resources by [approach].
   The management team accepts the risk implication: [describe]."

MANAGEMENT DECISION ON ISMS ADEQUACY:
  "The management team reviewed the ISMS performance data, risk posture,
   assessment results, and supplier security position. The management team
   confirms that the ISMS is suitable, adequate, and effective for the
   organisation's current context and strategic direction."

  OR

  "The management team confirms that the ISMS is broadly effective but
   identifies the following areas for improvement in [YEAR+1]: [describe].
   These are addressed through the security objectives approved at Item 10."

═══════════════════════════════════════════════════════════════════
ITEM 13 — CLOSE
═══════════════════════════════════════════════════════════════════

Next management review: [DATE — [YEAR+1]]
Draft minutes circulated by: [DATE — 5 working days from today]
Signed minutes filed as EV-A01 by: [DATE — 10 working days from today]
Actions and decisions register published by: [DATE — 5 working days]

═══════════════════════════════════════════════════════════════════
COMPLETE ACTIONS AND DECISIONS SUMMARY
═══════════════════════════════════════════════════════════════════

[Compiled from all agenda items — every decision and action in one place.
This section is what the CISO uses to update the corrective action register
and track management commitments through the year.]

Ref    | Description                          | Owner      | Deadline  | Item
─────────────────────────────────────────────────────────────────────────────
MR-01  | [Action from item 2, 3, 4, etc.]    | [name]     | [date]    | 2
MR-02  | [Action]                             | [name]     | [date]    | 4
MR-03  | Security objective 1 — [title]       | [name]     | [date]    | 10
MR-04  | Policy 01 update to v[N+1]           | CISO       | [date]    | 11
[continue for all actions]

═══════════════════════════════════════════════════════════════════
SIGNATURES
═══════════════════════════════════════════════════════════════════

These minutes are a true and accurate record of the [YEAR] Annual ISMS
Management Review conducted on [DATE].

Chair:
  Name: _____________________________ Role: _____________________________
  Signature: ________________________ Date: _____________________________

CISO (minute-taker):
  Name: _____________________________ 
  Signature: ________________________ Date: _____________________________

Additional management sign-off (confirming attendance and agreement):
  Name: _____________________________ Role: _____________________________
  Signature: ________________________ Date: _____________________________

═══════════════════════════════════════════════════════════════════
FILING INFORMATION
═══════════════════════════════════════════════════════════════════

Evidence reference: EV-A01-[YYYY]
Filed at: EV-A → Management System → Management Reviews → [YYYY]
Retention: 3 years minimum (one ISO 27001 certification cycle)
            Recommended: 6 years (two certification cycles — auditors
            reference prior cycle records at recertification)
Access: isms-management · isms-security

Part 5 — How outputs feed the corrective action register

The management review produces several types of output. Each type feeds a different part of the ISMS governance cycle. This section explains the pipeline so the CISO can ensure nothing falls through the gap between the review and the ongoing monitoring programme.


The five output types and where they go

Output type 1 — Security objectives

The approved security objectives become the primary ISMS improvement programme for the coming year. Within 5 working days of the management review:

CISO actions:
  1. Create EV-A06 (Security Objectives — [YEAR+1]):
     One Confluence page per approved objective
     Populate all fields: target metric, owner, resource, deadline
     File at: EV-A → Management System → Security Objectives → [YEAR+1]

  2. Brief each named objective owner:
     Send the objective page link to the owner
     Confirm they accept ownership and the resource commitment
     Confirm the first milestone check-in date

  3. Add to Management Risk Posture quarterly cycle:
     Objectives are reviewed quarterly — progress shown in the 
     Management Risk Posture page (Section 1 — CISO quarterly commentary)

  4. Q3 interim review (September):
     CISO reviews all objectives with owners
     Any objective at risk of missing its deadline: escalate to management

Output type 2 — Corrective actions

Every decision from the management review that requires an action generates a corrective action entry in EV-A03. This includes: findings from internal audit that management directed be addressed; systemic issues identified in performance metrics; recurring nonconformities directed for root cause analysis; any action in the actions and decisions summary table.

CISO actions within 5 working days:
  For each new corrective action from the management review:

  1. Create an entry in EV-A03 (corrective action register):
     Source: Annual management review [YYYY] — Item [N]
     Reference from minutes: MR-[NN]
     Nonconformity description: [from minutes]
     Root cause: [to be determined if not already known]
     Corrective action: [from minutes]
     Owner: [from minutes]
     Target date: [from minutes]
     Status: Open

  2. Confirm with the action owner:
     They have seen the entry in EV-A03
     They accept the target date
     They know to update the status when complete

  3. Monthly CISO review:
     EV-A03 is reviewed monthly alongside the POA&M
     EV-A04 (monthly POA&M review record) includes a note on the
     corrective action register status for that month

Output type 3 — Risk acceptances

Each formal risk acceptance documented in the minutes feeds directly into the risk register.

CISO actions within 5 working days:
  For each formally accepted risk:

  1. Update the risk register entry (05 · Risk Register):
     Treatment Option: Accept
     Status: Accepted
     Acceptance record: [name, role, date from minutes]
     Review date: next management review (add to calendar)

  2. Create a risk acceptance record:
     As a child page of the risk register entry or in EV-C → Risk Management
     Contains: risk ID, residual rating, acceptor name/role, rationale,
     compensating controls, review date, copy of relevant minutes extract

  3. Note in Management Risk Posture:
     Next quarterly update to Management Risk Posture page includes the
     acceptance with its rationale and review date

Output type 4 — Treatment investment approvals

Each approved investment proposal generates an action and feeds the POA&M if it addresses an open control gap.

CISO actions within 5 working days:

  1. Create EV-A03 corrective action entry:
     Treatment investment: [proposal title]
     Owner: [from minutes]
     Budget confirmed: [£X]
     Target: [date from minutes]

  2. If the investment closes a POA&M item:
     Update the POA&M entry with: "Investment approved at management review
     [date]. Owner: [name]. Implementation target: [date]."
     SPRS implications: note whether this changes the projected SPRS score
     once implemented

  3. Procurement / implementation initiation:
     CISO confirms with IT Manager that the approved investment is initiated
     within 30 days of the management review

Output type 5 — Policy re-approvals

Each re-approved policy generates a version record.

CISO actions within 5 working days:

  For each policy re-approved at the management review:

  1. Update the Confluence page version:
     If the policy content changed: update the page content with the
     approved changes; increment the version number
     If no changes: add a "Re-approved [date] by [name]" note to the
     policy page footer or to the policy review log table

  2. Update the policy review log:
     Section 3 of Management Policy Accountability page
     "Last approved" column: [date of management review]
     "Approved by": [Director name from minutes]
     "Next review due": [date + 12 months]

  3. If content changed: re-communicate to affected staff
     Significant policy changes require re-communication under
     ISO 27001 clause 7.4 and EV-A09 (ISMS communications evidence)

The annual ISMS governance cycle — how the management review connects

ANNUAL GOVERNANCE CYCLE

Q4 [YEAR] / Q1 [YEAR+1]:
  Annual management review (EV-A01)
  → Outputs: objectives, corrective actions, risk acceptances, investments
  → Feeds: EV-A03 (corrective actions), EV-A06 (objectives), POA&M,
            risk register, policy review log

Q1–Q3 [YEAR+1]:
  Monthly monitoring:
    CISO produces EV-F01 (SIEM review), EV-F02 (metrics), EV-F06 (SIEM health)
    Security Analyst produces EV-F04 (IDS/IPS), EV-F07 (PAM review)
    IT Manager produces EV-D32 (AV coverage), EV-D07 (patch register)

  Monthly POA&M review:
    CISO reviews POA&M and corrective action register → EV-A04
    Progress against management review objectives tracked
    Any objective at risk: CISO escalates to named owner and management

  Quarterly:
    Management Risk Posture page updated by CISO
    Top 5 risks updated; metrics dashboard updated
    Management team reviews (no formal meeting required — read the page)

  Q3 interim objectives review:
    CISO reviews all [YEAR+1] objectives with owners
    Any objective at risk of missing deadline: management notification

  Annual internal assessment (typically Q3/Q4):
    Findings feed corrective action register (EV-A03)
    Significant findings pre-briefed to management before the review

Q4 [YEAR+1]:
  Pre-review inputs pack prepared by CISO (1 week before)
  Annual management review conducted
  Cycle repeats

Part 6 — What an ISO 27001 auditor will check

A practical guide to what the certification body auditor will look for in the management review evidence, so the CISO and management can verify adequacy before any audit.


The three questions an auditor always asks

Question 1 — Was top management genuinely involved?

The auditor will check the attendance list in the minutes. A meeting attended only by the CISO and IT Manager is not a management review under ISO 27001 — it is a security team meeting with good minutes. A Director or equivalent must attend. The auditor may interview a Director and ask what they discussed at the management review. If the Director cannot remember, or says the CISO presented and they listened, the auditor will probe whether meaningful management engagement occurred.

Preparation: ensure the minutes reflect management's contribution — their questions, their observations, their decisions. Minutes that read as a series of CISO presentations with no management commentary suggest management was present but not engaged.

Question 2 — Were all nine required inputs addressed?

The auditor will go through the clause 9.3.2 list and check each one against the minutes. A management review that addressed eight of the nine inputs is still a finding. The agenda template above ensures all nine are covered — do not allow agenda items to be cut for time.

Preparation: the minutes checklist:

□ Status of actions from previous review [clause 9.3.2(a)]
□ Changes in external and internal issues [clause 9.3.2(b)]
□ Information security performance and effectiveness [clause 9.3.2(c)]
□ Results of risk assessment and risk treatment [clause 9.3.2(d)]
□ Results of monitoring and measurement [clause 9.3.2(c) — also covered in 4]
□ Audit results [clause 9.3.2(e)]
□ Feedback from interested parties [clause 9.3.2(f)]
□ Nonconformities and corrective actions [clause 9.3.2(g)]
□ Opportunities for continual improvement [clause 9.3.2(h)]

Note: risk assessment (d) and monitoring (c) are sometimes confused.
Clause 9.3.2(c) covers performance metrics and monitoring outputs.
Clause 9.3.2(d) covers the risk assessment results and treatment plan.
Both must appear in the minutes as distinct agenda items.

Question 3 — Do the outputs exist and are they being acted on?

The auditor will ask for:
  - The security objectives from the prior year's management review — are they SMART? Have they been achieved?
  - The corrective action register — do the actions from the management review appear in it?
  - Evidence that management decisions from the review were implemented

Preparation: the management review is not the end of the governance cycle — it is the beginning of the next one. If the objectives approved at last year's review are unachieved and no one has tracked them, the management review failed in its purpose. EV-A06 (objectives), EV-A03 (corrective actions), and the quarterly Management Risk Posture updates together provide the evidence that management decisions were implemented and monitored.


Version and review

Version | Date   | Prepared by | Approved by     | Key changes
────────────────────────────────────────────────────────────────
1.0     | [DATE] | CISO        | [Director name] | Initial publication

Page owner: CISO · Review cycle: Annual (templates reviewed at each management review and updated if the governance cycle changes) · SCM: isms-management · Questions: [ciso@organisation.com]