CHAPTER 16: MANAGEMENT REVIEW

Clause 9.3 of ISO27001 (and Control objective A.18.2), which deals with management review of the ISMS, stresses that the management review should take into account ‘feedback on the information security performance, including trends in […] nonconformities and corrective actions’,1 as well as any changes anywhere or to anything that might affect the ISMS, and recommendations for improvement.

It should be noted that corrective and preventative action should be prioritised on the basis of a risk assessment.2

ISO27001 calls, at Control A.18.2.1, for an ‘independent review of information security’, which should take place at planned intervals (or whenever there have been significant changes), and should be comprehensive (‘control objectives, controls, policies, processes, and procedures’). Third-party certification would meet this control requirement.

Assessing and evaluating risks is a core competence required in any organisation that is serious about achieving and maintaining ISO27001 accredited certification. It is useful to recall the point that the prevention of nonconformities is often more cost-effective than corrective action, which sums up the risk-based, cost-effective, common-sense approach of the Standard.

1 ISO/IEC 27001:2013, 9.3.c.1.

2 ISO/IEC 27001:2013, 6.1.2.e.2.
