1.3 KiB
#iso27001/2022/EN
9.3 Management review
9.3.1 General
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
9.3.2 Management review inputs
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) changes in needs and expectations of interested parties that are relevant to the information security management system;
d) feedback on the information security performance, including trends in: 1) nonconformities and corrective actions; 2) monitoring and measurement results; 3) audit results; 4) fulfilment of information security objectives;
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan;
g) opportunities for continual improvement.
9.3.3 Management review results
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.