Status — April 2026: The management review program is launching alongside internal audit. First review targeted for Q2 2026.
Owner: CEO (chair) · Participants: CEO, CTO, Security Officer, Privacy Officer · Cadence: Quarterly

Purpose

Management review ensures the ISMS remains suitable, adequate, and effective — three words that matter to an ISO 27001 auditor:
  • Suitable — aligned with Denialbase’s objectives, customer commitments, and risk appetite.
  • Adequate — covers the scope it claims to cover.
  • Effective — producing the security outcomes we expect.

Cadence

Review type                  | Frequency             | Duration  | Attendees
-----------------------------|-----------------------|-----------|------------------------------------------------------------------------
Quarterly operational review | Every 3 months        | 60–90 min | CTO, Security Officer, Privacy Officer
Annual strategic review      | Once per year         | 3 hours   | CEO, CTO, Security Officer, Privacy Officer, Board observer (optional)
Ad-hoc post-incident review  | After any Sev-1/Sev-2 | 60 min    | CEO, CTO, Security Officer
Pre-audit review             | Before external audit | 2 hours   | CTO, Security Officer

Standing agenda (ISO 27001 clause 9.3.2)

Every review addresses the inputs listed below, which follow the order of clause 9.3.2. For each, the owner presents the current state, the trend since the last review, and any proposed changes.
  • Status of actions from previous reviews: What did we decide last time? Which actions are closed, in progress, or overdue?
  • Changes in external and internal issues relevant to the ISMS: New regulations (HIPAA enforcement updates, state privacy laws), new customer segments, new subprocessors, new threats (emerging CVE categories), major organizational changes.
  • Changes in needs and expectations of interested parties: Customer commitments, regulator expectations, workforce requirements, partner requirements.
  • Feedback on information security performance, including trends in:
      • Nonconformities and corrective actions
      • Monitoring and measurement results (access review completion, patching cadence, incident counts, MTTR)
      • Audit results (internal and external)
      • Achievement of information security objectives
  • Feedback from interested parties: Customer feedback, regulator feedback, workforce feedback (e.g. from security awareness training surveys).
  • Results of risk assessment and status of the risk treatment plan: New risks identified; risks accepted, mitigated, transferred, or avoided; residual risk trend. See Risk register.
  • Opportunities for continual improvement: Where is the ISMS inefficient? What is the friction? Which controls cost more than they return in risk reduction?

Inputs prepared by the Security Officer

Before every review, the Security Officer prepares a briefing pack with:
  1. KPI dashboard (see below).
  2. Open findings from internal + external audits.
  3. Risk register delta — added, closed, and changed since last review.
  4. Incident summary for the period.
  5. Training completion stats.
  6. Subprocessor changes and annual review status.
  7. Customer-visible security events (status page entries, breach notifications if any).

Key performance indicators

KPI                                           | Target         | Source
----------------------------------------------|----------------|-------------------------
Access reviews completed on schedule          | 100%           | Access control
Mean time to remediate high vulnerabilities   | ≤ 7 days       | Vulnerability management
Incident MTTR (Sev-1)                         | ≤ 4 hours      | Incident response
Backup verification pass rate                 | 100%           | Disaster recovery
Security training completion (annual)         | ≥ 95%          | Security awareness
Open critical risk count                      | 0 (sustained)  | Risk register
Internal audit nonconformities aged > 90 days | 0              | Internal audit
Customer-reported security incidents          | Downward trend | Support + security inbox

Outputs (ISO 27001 clause 9.3.3)

Each review produces minutes recording:
  • Decisions related to continual improvement opportunities.
  • Any needed changes to the ISMS — scope, controls, resources.
  • Changes to security objectives.
  • Resource requirements (headcount, tooling, budget).
  • Assigned actions with owners and due dates.
Minutes are stored in a restricted Google Drive folder with 6-year retention and are made available to external auditors.

Actions from management review

All actions are tracked in the same system as audit findings (Risk register) to avoid parallel tracking. Each action has:
  • Owner
  • Target due date
  • Success criteria
  • Review cadence (who checks on progress and how often)

Relationship to other processes

Risk register ─┐
Audit findings ─┼→ Management review → Updated ISMS ─┐
Incident trends ┤                                      ↓
KPI dashboard ──┘                               Resource allocation
                                                Policy updates
                                                Risk treatment decisions

First review

Scheduled: 2026-06-15
Preparation owner: Security Officer
Agenda: Standing agenda above + ISMS launch readiness + internal-audit readiness plan
Expected duration: 3 hours (the first review runs longer to establish a baseline)