
ISMS Management Review Meeting

Date & time:
Place:

AGENDA

Introduction
a) Purpose of this meeting
b) Agenda items and priorities (if agreed, we may take pressing business first)
c) Recap, confirm minutes and close-off actions from previous Management Review

ISMS governance and management
d) Significant organization, business or other changes relevant to the ISMS including laws, regulations or other compliance obligations
e) Confirm ISMS scope and objectives
f) Review information security strategy, plans, rôles and responsibilities
g) Information security resourcing including budget and return on security investments
h) Review ISMS performance and trends (security metrics)
i) Information security policies

Information risk management
j) Significant information risks (threats, vulnerabilities and impacts) and opportunities, including information security incidents affecting this or other organizations
k) Prioritization of information risks relative to other business risks (risk register)
l) Risk treatments including information security projects and initiatives

Business continuity management
m) Resilience, recovery and contingency plans, preparation and arrangements
n) Continuity exercises – plans and results, improvements arising

ISMS continuous improvement
o) ISMS internal audits and management reviews – key findings, issues and plans
p) Feedback from or concerning external parties
q) Opportunities to improve the ISMS including preventative and corrective actions

Close
r) Actions arising from this meeting (with owners and due dates)
s) Resolutions for executive management approval
t) Next Management Review – date, venue, purpose, agenda items, invitees
u) Any other business

Notes

[G1] Generic agenda prepared by Gary Hinson based on inputs to the ISO27k Forum by Sean Malward and Richard O Regalado.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Feel free to customize and adapt it for internal corporate use; do not attempt to sell it on or incorporate it into commercial products.

Margin comments cross-referencing the agenda items to ISO/IEC 27001:2013 clauses, in the order they appear in the original document:
[G2] ISO/IEC 27001:2013 section 9.3 (a)
[G3] ISO/IEC 27001:2013 section 9.3 (b)
[G4] ISO/IEC 27001:2013 section 6.2
[G5] ISO/IEC 27001:2013 section 4.3
[G6] ISO/IEC 27001:2013 section 6.2
[G7] ISO/IEC 27001:2013 sections 6.2, 8.1 and 9.3 (e)
[G8] ISO/IEC 27001:2013 section 5.3
[G9] ISO/IEC 27001:2013 section 7.1
[G10] ISO/IEC 27001:2013 sections 9.1 & 9.3 (c)
[G11] ISO/IEC 27001:2013 section 5.2
[G12] ISO/IEC 27001:2013 section 6.1
[G13] ISO/IEC 27001:2013 section 6.1.3
[G14] ISO/IEC 27001:2013 section 9.2
[G15] ISO/IEC 27001:2013 section 9.3 (d)
[G16] ISO/IEC 27001:2013 section 9.3 (f)
