Over on the ISO27k Forum this week, Ray asked us for "guidance on conducting and documenting 'Management Reviews' that include the agenda items required by the standard in 9.3. Any templates shall be much appreciated." Forumites duly offered advice and agendas. So far so good!
However, I made the point that ISO/IEC 27001 does not actually require management reviews to take the form of periodic management meetings, even though that is the usual approach in practice.
Personally, since they are both forms of assurance, I advise clients to plan and conduct their ISMS management reviews and ISMS internal audits similarly, with one critical and non-negotiable difference: auditors must be independent of the ISMS, whereas management reviews can be conducted by those directly involved in designing, operating or managing the ISMS. This is not merely a compliance matter or protectionist barrier: auditor independence brings a fresh perspective and valuable insight that insiders simply cannot match.
In my considered opinion, independence and formality follow a continuum through these activities: