The Management Reviews module supports the requirements of ISO 27001 Clause 9.3, which mandates that top management review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. Management reviews are a critical governance mechanism that ensures senior leadership remains engaged with information security and makes informed decisions about the ISMS.
Creating a Management Review Record
Click "Add Management Review" and enter the review title and planned review date. Assign the chair/reviewer and invite attendees.
Before the meeting, work through the required inputs checklist. Gather data, reports, and metrics for each input category. This preparation ensures the review meeting is productive and covers all required topics.
During the meeting, discuss each input item and record decisions, action items, and resource needs. Use the Decisions and Actions textarea to capture key outcomes.
Document any decisions related to ISMS changes, resource needs, and improvement opportunities. Set the next review date.
Attach the formal meeting minutes document for evidence and audit trail purposes.
Create action items arising from the review and track them to completion. These feed into the "status of actions from previous reviews" input for the next management review.
Form Fields Reference
| Field | Type | Required | Description |
|---|---|---|---|
| Review Title | Text input | Required | A descriptive title for the management review. Example: "Q1 2026 ISMS Management Review", "Annual ISMS Strategic Review" |
| Review Date | Date picker | Required | The date the management review meeting was held or is scheduled to be held |
| Chair / Reviewer | Text input | Optional | The person chairing the review, typically the CISO, CIO, or a member of top management. Example: "Sarah Johnson, CISO" |
| Attendees | Multi-select / Text | Optional | All persons attending the management review. Should include top management representation and key ISMS stakeholders. Select from organisation users or type names. |
| Input Items | Checklist | Optional | A checklist of required inputs per Clause 9.3.2 (see detailed input items below). Mark each item as covered/not covered. |
| Decisions and Actions | Textarea | Optional | Record all decisions made and actions agreed during the review. Include who is responsible, what needs to be done, and by when. |
| Resource Needs Identified | Textarea | Optional | Any resource requirements identified during the review (budget, personnel, tools, training). Clause 9.3.3 requires that outputs include decisions on resource needs. |
| Next Review Date | Date picker | Optional | The planned date for the next management review. ISO 27001 requires reviews at "planned intervals" (typically quarterly or semi-annually, minimum annually). |
| Minutes Document | File upload | Optional | Upload the formal meeting minutes as a PDF, Word document, or other format. This serves as documented evidence of the review for audit purposes. |
Required Input Items (Clause 9.3.2)
ISO 27001 Clause 9.3.2 specifies mandatory inputs that must be considered during each management review. The module provides a checklist to ensure all items are covered:
| Input Item | Description | Where to Find Data in Venvera |
|---|---|---|
| Status of actions from previous management reviews | Review the action items from the last management review meeting. Report on which actions are completed, in progress, or overdue. | Previous management review record → Action items |
| Changes in external and internal issues | Consider changes in the business environment, regulatory landscape, technology, threat landscape, organisational structure, or strategic direction that affect the ISMS. | Risk assessments, regulatory updates, organisational change records |
| Information security performance | This input has three sub-components, a) to c) below, that must all be covered. | See the sub-items a) to c) below |
| a) Nonconformities and corrective actions | Summary of NCs raised since the last review, their status, and effectiveness of corrective actions taken. | Nonconformity Register → Dashboard and reports |
| b) Audit results | Results of internal and external audits conducted since the last review, including findings, trends, and areas of concern. | Internal Audits module → Completed audits and findings |
| c) Fulfilment of information security objectives | Progress towards achieving the defined information security objectives and KPIs. | KPI dashboards, gap assessment scores, SoA progress |
| Feedback from interested parties | Feedback received from customers, partners, regulators, employees, or other stakeholders regarding information security. | Customer complaints, supplier feedback, regulatory correspondence |
| Results of risk assessment | Review of the current risk profile, changes to risk levels, new risks identified, and risk treatment plan progress. | Risk register, gap assessment results |
| Opportunities for improvement | Suggestions for improving the ISMS, including process improvements, new controls, technology upgrades, or training enhancements. | OFIs from audits, employee suggestions, industry best practices |
Action Item Tracking
Action items arising from the management review are tracked within the review record. Each action item includes:
- Action description — what needs to be done
- Responsible person — who is accountable
- Due date — when it should be completed
- Status — Not Started, In Progress, Completed
- Completion notes — evidence of completion
Open action items from previous reviews automatically appear in the inputs for the next review, creating a continuous improvement loop.