Management Review

Quarterly ISMS management review agenda and process

Public

Purpose

ISO/IEC 27001 (clause 9.3) requires top management to review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. This document defines the management review process: its frequency, participants, required inputs, agenda, and the outputs that must be recorded.

Review Frequency

Required: At least annually

Current cadence: Quarterly, plus ad-hoc reviews after significant events

Most Recent: Management Review #1 (15 February 2026)

Next Review: November 2026

Triggers for ad-hoc review:

  • Major security incident
  • Significant change to business or scope
  • External audit findings
  • Regulatory changes affecting ISMS
  • Major technology changes

Participants

Required Attendees:

  • ISMS Owner: Chairs the meeting and presents all inputs (sole-operator model)

When team grows:

  • Security Lead: Presents security posture
  • Developer(s): Operational input
  • External advisors (if applicable)
  • Legal counsel (if compliance issues)

Duration: 1-2 hours (sole operator); 2-3 hours for larger teams


Agenda

1. Opening

Time: 5 minutes

Activities:

  • Review purpose of management review
  • Confirm scope of review
  • Review previous meeting action items

Deliverable: Action item status update


2. Review of Previous Actions

Time: 15 minutes

Review:

  • Actions from last management review
  • Status: Completed / In Progress / Not Started
  • Barriers to completion
  • New target dates if needed

Deliverable: Updated action item list


3. Changes in External and Internal Issues

Time: 15 minutes

External Changes:

  • Regulatory environment (Privacy Act, Australian laws)
  • Threat surface (new attack types, vulnerabilities)
  • Market conditions (competitor security incidents)
  • Technology trends (post-quantum cryptography timeline)

Internal Changes:

  • Team size or structure
  • New products or features
  • Infrastructure changes (new cloud services)
  • Budget or resource constraints

Reference: Context Analysis

Deliverable: Updated context analysis (if significant changes)


4. Feedback on Information Security Performance

Time: 20 minutes

Metrics Reviewed:

Security Incidents

  • Number of incidents (by severity)
  • Mean time to detect (MTTD)
  • Mean time to respond (MTTR)
  • Lessons learned and improvements implemented

Target: Zero P0/P1 incidents, all incidents resolved within target response times

Vulnerabilities

  • Critical/high vulnerabilities in dependencies
  • Time to patch critical vulnerabilities
  • Security scan findings (CodeQL, cargo audit)

Target: Critical vulnerabilities patched within 24 hours

Access Control

  • Number of access reviews completed on schedule
  • MFA adoption rate (should be 100%)
  • Access revocations on termination (immediate)

Target: 100% compliance

Training and Awareness

  • Professional certification currency (CISSP, Security+, PenTest+, SecurityX)
  • Security awareness activities (industry engagement, threat monitoring)
  • Training completion rate (when team grows)

Target: All certifications current; 100% training completion within first week (for new hires)

Supply Chain Security

  • SLSA Level 3 compliance maintained
  • Dependency update cadence
  • Provenance attestation coverage

Target: 100% builds meet SLSA Level 3

Deliverable: Security metrics report


5. Feedback from Interested Parties

Time: 15 minutes

Stakeholder Feedback:

Customers/Relying Parties:

  • Security concerns raised
  • Feature requests related to security
  • Incidents affecting relying parties
  • Transparency feedback

Internal (Security Lead self-assessment; team feedback when team grows):

  • Usability of security tools
  • Policy or process friction
  • Security culture
  • Training effectiveness

Suppliers (Cloudflare, GitHub):

  • Service incidents or degradations
  • Security advisories
  • New security features available

Regulators/Standards Bodies:

  • Changes to ISO 27001 guidance
  • Australian Privacy Act updates
  • Industry standards evolution

Deliverable: Summary of stakeholder feedback and implications


6. Results of Risk Assessments

Time: 20 minutes

Review:

  • Changes to Risk Register since last review
  • New risks identified
  • Risk treatment effectiveness
  • Residual risk levels
  • Risks closed or downgraded

Key Questions:

  • Are we treating the right risks?
  • Are treatments effective?
  • Any risks escalating?
  • New risks on the horizon?

Reference: Risk Register (must be current as of the review date)

Deliverable: Risk register status and any needed updates


7. Results of Internal Audit

Time: 20 minutes

Review:

  • Internal audit findings from past year
  • Conformities (what’s working well)
  • Non-conformities (major and minor)
  • Observations and improvement opportunities
  • Corrective action status

Key Questions:

  • Are we compliant with ISO 27001?
  • Are controls effective?
  • What needs improvement?
  • Are we ready for external audit (when pursued)?

Reference: Internal Audit Program

Deliverable: Summary of audit results and corrective actions


8. Fulfillment of Information Security Objectives

Time: 15 minutes

Review progress on objectives from Information Security Policy:

Objective 1: Protect confidentiality, integrity, availability

Metrics:

  • Uptime: Cloudflare availability (target 99.9%)
  • Integrity: Zero unauthorized modifications to cryptographic parameters
  • Confidentiality: Zero signing key compromises

Status: ✅ / ⚠️ / ❌

Objective 2: Comply with legal/regulatory requirements

Metrics:

  • Privacy Act compliance (minimal PII processing; DOB is processed ephemerally during issuance only and not retained)
  • Incident notification readiness
  • Audit findings related to compliance

Status: ✅ / ⚠️ / ❌

Objective 3: Maintain customer trust through transparency

Metrics:

  • Public documentation completeness
  • Response time to security inquiries
  • Security incident transparency (public postmortems)

Status: ✅ / ⚠️ / ❌

Objective 4: Secure development lifecycle

Metrics:

  • Security scans run on 100% of PRs
  • Code review coverage (100% of changes)
  • SLSA Level 3 maintained

Status: ✅ / ⚠️ / ❌

Objective 5: Continuous improvement

Metrics:

  • ISMS maturity increasing (audit findings decreasing)
  • Security controls implemented vs. planned
  • Training and awareness improvements

Status: ✅ / ⚠️ / ❌

Deliverable: Objective achievement summary


9. Feedback on Continual Improvement

Time: 15 minutes

Review:

  • Improvements implemented since last review
  • SOA controls: Partially Implemented → Implemented
  • Process improvements (automation, efficiency)
  • New security tools or practices adopted
  • Lessons learned from incidents

Examples:

  • Automated audit log cleanup (planned) → implemented
  • Security certification renewal → completed
  • New security scanning tool added to CI/CD

Deliverable: Improvement log


10. Suggestions for Improvement

Time: 20 minutes

Discussion:

  • What’s not working well?
  • Where are we spending too much effort?
  • Opportunities for automation
  • New threats requiring new controls
  • Best practices from industry

Brainstorm:

  • Near-term improvements (next quarter)
  • Medium-term (next year)
  • Long-term strategic (3+ years)

Prioritisation:

  • Quick wins (high value, low effort)
  • Critical gaps (address immediately)
  • Nice-to-haves (backlog)

Deliverable: Prioritized improvement backlog


11. Need for Changes to the ISMS

Time: 15 minutes

Assess:

  • Policy updates needed
  • Scope changes (new services, infrastructure)
  • Resource allocation (budget, staffing)
  • New risks requiring new controls
  • Structural changes to ISMS

Examples:

  • Expand ISMS scope to include new mobile SDK
  • Update cryptography policy for post-quantum algorithms
  • Increase audit frequency
  • Add new KPIs for security metrics

Deliverable: ISMS change proposals


12. Adequacy of Resources

Time: 10 minutes

Review:

  • Staffing: Is the sole-operator model sustainable? Are there hiring needs?
  • Budget: Security tools, training, external audits
  • Time: Is security getting adequate priority?
  • Tools: Do we have what we need (password manager, monitoring, etc.)?

Gaps:

  • What’s missing?
  • What’s constraining security effectiveness?

Decisions:

  • Resource allocation for next year
  • Hiring plans (if applicable)
  • Budget for certification audit (when pursued)

Deliverable: Resource allocation plan


13. Decisions and Actions

Time: 15 minutes

Summary of Decisions:

  • ISMS changes approved
  • Resource allocation
  • Policy updates
  • Risk treatment decisions
  • Improvement priorities

Action Items:

  • What needs to be done?
  • Who is responsible?
  • Target completion date?
  • How will we measure success?

Format:

| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| [Action description] | Security Lead | [Date] | Open |

Deliverable: Action item register


14. Closing

Time: 5 minutes

Wrap-up:

  • Confirm all required inputs reviewed
  • Schedule next management review
  • Thank participants
  • Distribute minutes within 1 week

Management Review Outputs

Required by ISO 27001:

  • Decisions related to continual improvement opportunities
  • Decisions related to changes needed to ISMS
  • Decisions related to resource needs

Documented in:

  • Management review minutes (meeting notes)
  • Action item register (tracked to completion)
  • Updated ISMS documents (if changes made)

Management Review Minutes Template

# Management Review Minutes
**Date**: YYYY-MM-DD
**Attendees**: [List]
**Chaired by**: ISMS Owner

## 1. Previous Action Items
- [Status of each action from last review]

## 2. External and Internal Changes
- [Summary of significant changes]

## 3. Security Performance
- Incidents: [Number and severity]
- Vulnerabilities: [Patching metrics]
- Access Control: [Review completion]
- Training: [Completion rates]
- Supply Chain: [SLSA compliance]

## 4. Stakeholder Feedback
- [Key feedback from customers, team, suppliers]

## 5. Risk Assessment Results
- [Changes to risk register]
- [Key risks status]

## 6. Internal Audit Results
- [Findings summary]
- [Non-conformities and corrective actions]

## 7. Information Security Objectives
- Objective 1: [Status]
- Objective 2: [Status]
- Objective 3: [Status]
- Objective 4: [Status]
- Objective 5: [Status]

## 8. Continual Improvement
- [Improvements implemented]

## 9. Suggestions for Improvement
- [Prioritized improvement list]

## 10. ISMS Changes
- [Proposed changes to ISMS]

## 11. Resource Adequacy
- [Resource assessment and allocation]

## 12. Decisions Made
1. [Decision 1]
2. [Decision 2]

## 13. Action Items
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| [Action] | [Person] | [Date] | Open |

## Next Review
**Date**: [Planned date]

---
*Minutes prepared by*: [Name]
*Approved by*: ISMS Owner

Success Criteria

Effective management review:

  • All required inputs covered
  • Decisions made and documented
  • Actions assigned with owners and dates
  • ISMS demonstrated as suitable, adequate, effective
  • Commitment to continual improvement

Red flags (requires immediate attention):

  • Major non-conformities from audit
  • Critical risks not treated
  • Objectives not being met
  • Resources inadequate
  • Repeat issues not improving


Document Information

  • Version: 2.1
  • Effective Date: 2025-01-13 (initial), 2026-05-21 (updated)
  • Owner: ISMS Owner
  • Review Frequency: Quarterly
  • Next Review: 2026-11-21
  • Classification: Public