The management review is one of those ISMS activities that organisations often get wrong in one of two ways. Either it becomes a formality — a brief meeting where management nods along while the ISMS lead presents a slide deck, then signs the minutes — or it becomes an unwieldy marathon that nobody wants to attend.
Done well, the management review is a genuinely useful activity: a structured checkpoint where senior leadership assesses whether the ISMS is performing as intended, considers new information that should influence its direction, and makes resource and prioritisation decisions that keep the programme healthy. The annual management review is also one of the first things a certification body auditor asks to see.
Clause 9.3 of ISO 27001:2022 specifies what the management review must include. This guide explains what each input means in practice, how to run an effective meeting, and what the output needs to look like.
What Clause 9.3 Requires
Clause 9.3 is structured into three parts.
Clause 9.3.1 (General) requires that top management reviews the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. “Planned intervals” means a defined schedule — typically annual as a minimum, though many organisations with more active security programmes review more frequently.
“Top management” is important. The management review is not something the ISMS lead can run alone and report to management afterwards. It requires the involvement of senior leadership — the people who have accountability for the organisation and can authorise resources.
Clause 9.3.2 (Management review inputs) specifies nine categories of input that the review must consider. These are not suggestions — they are required inputs, and an auditor reviewing your management review minutes will check that each has been addressed.
Clause 9.3.3 (Management review results) specifies what must come out of the review: decisions and actions related to continual improvement opportunities, changes to the ISMS, and resource needs.
The Nine Required Inputs
[Figure: ISO 27001 Management Review: The 9 Required Inputs (Clause 9.3.2). All nine must be addressed in your review minutes, not just the ones that seem relevant.]
1. Status of actions from previous management reviews
Has everything that was agreed at the last review been done? Actions with no status update — particularly those that are overdue — should be explicitly addressed. If actions are still open, the review should confirm responsibility and a revised timeline.
2. Changes in external and internal issues that affect the ISMS
What has changed since the last review that is relevant to information security? New regulations, significant changes to the threat landscape, organisational restructuring, changes to key suppliers, new business services, or changes to your technology environment all belong here. The review should assess whether these changes require any adjustment to the ISMS.
3. Information on the ISMS’s security performance and effectiveness
This is where you present the evidence that your ISMS is (or is not) working. The specific metrics will depend on what your organisation has defined, but typically include:
- Nonconformities and corrective actions — opened, closed, and outstanding
- Security incidents — number, nature, and outcomes
- Results of monitoring, measurement, and analysis of ISMS objectives
- Audit results — internal audit findings and status
4. Feedback from interested parties
What are customers, regulators, staff, and other stakeholders saying about information security? Customer security questionnaires, complaints related to data handling, regulatory correspondence, and staff-reported concerns all qualify. If there is nothing to report here, say so — but the review should confirm that feedback channels are operating.
5. Results of risk assessments and status of risk treatment plan
Has the risk assessment been reviewed since the last management review? Are risk treatment actions progressing? Are there new or changed risks that need to be reflected in the risk treatment plan? The review should confirm that the organisation’s risk picture is current.
6. Opportunities for continual improvement
This input invites a forward-looking discussion: where are there opportunities to improve the ISMS, beyond addressing specific gaps? This might include process improvements, control enhancements, opportunities to simplify or streamline, or investments in security capability.
7. Fulfilment of information security objectives
Were the information security objectives set at the last review met? If not, why not, and what does that mean for the programme? The review should also set or confirm objectives for the coming period.
8. Any relevant changes from interested parties
This input covers changes in requirements from customers (new contractual security requirements), regulators (new guidance or requirements), or other stakeholders, kept separate from the broader issues discussed under input 2.
9. Monitoring and measurement results
This input covers the results of whatever monitoring and measurement activities the ISMS runs: vulnerability scan results and trends, access review outcomes, training completion rates, KPI dashboards, or similar operational metrics that give management visibility of day-to-day security performance.
Running the Meeting Effectively
Who should attend
At minimum: top management (typically the CEO, COO, or equivalent), the ISMS lead, and the heads of any functions with significant ISMS responsibilities (IT, HR, Operations). For larger organisations, relevant business unit owners may also attend.
The key test is whether the people in the room can make the decisions that the review is intended to produce. If resource allocation decisions require the CEO’s involvement, the CEO needs to be present.
Preparing the agenda pack
Circulate materials in advance — at least three to five working days before the meeting. Management reviewing documents for the first time in the meeting cannot give them the consideration they deserve.
The agenda pack should include:
- Status of actions from the previous review
- The nine required inputs, each with a prepared summary and any supporting data
- Draft objectives for the coming period (for discussion and agreement)
- Any decisions that management needs to make
The meeting itself
A well-run management review is a discussion, not a presentation. The ISMS lead presents the prepared inputs; management asks questions, challenges assumptions, and makes decisions. It should take between one and two hours for most organisations — if it is regularly running to four hours, the format may need simplification.
Keep the discussion focused on what management needs to assess and decide. Operational detail that does not require management input can be summarised rather than presented in full.
Recording the outcome
The minutes should be more than an attendance list and a brief note that the review took place. They need to demonstrate that:
- Each of the nine inputs was addressed (a brief summary of the discussion is sufficient — not a verbatim record)
- Decisions were made and recorded
- Actions were assigned with owners and due dates
- The review resulted in meaningful management engagement with the ISMS
Auditors assess the quality of management review minutes carefully. Thin minutes — a half-page document that says “the ISMS was reviewed and found satisfactory” — are a common nonconformity finding.
Management Review Agenda Template
The following structure works well for most organisations and ensures all required inputs are covered:
[Figure: ISO 27001 Management Review: Agenda Template. A structure that covers all Clause 9.3 inputs; typical duration 90 minutes for most SMEs.]
Common Mistakes
Holding the review without top management present. An ISMS lead running a management review alone and sending management a summary to sign does not constitute a management review. The standard explicitly requires top management to review the ISMS.
Minutes that don’t evidence the inputs. Review minutes that say “risks were discussed” with no indication of what was discussed, what the current status is, or what was decided, do not evidence that the input was genuinely considered.
No actions or decisions recorded. A management review that results in no actions and no decisions is implausible for most organisations. Even in a well-running ISMS, there will be improvement opportunities to action and objectives to set.
Treating the review as an annual box-tick rather than a genuine decision forum. If management is signing minutes they have not read, the review is fulfilling the letter of the requirement but not the purpose. The management review exists to ensure that leadership is genuinely engaged with the ISMS.
Forgetting the inputs. Some organisations focus on preparing a performance report but do not systematically address all nine inputs. An auditor will work through the minutes and check each input is present — a missing input is a finding.
FAQs
How often does the management review need to take place?
The standard requires reviews “at planned intervals” — not a specific frequency. Annual reviews are the minimum practical standard for most organisations. Organisations with more active security programmes, higher risk environments, or significant ongoing changes often review more frequently — quarterly or biannually — with the formal annual review being more comprehensive.
Can the management review be combined with another meeting?
Yes, provided all the required inputs are addressed and the outcome is properly documented. Many organisations integrate ISMS management review into a broader leadership review or board meeting. The key requirement is that top management is present and that the ISMS receives adequate attention — not that it is a standalone meeting.
What if management is not engaged or does not take the review seriously?
This is a Clause 5.1 (Leadership) issue as much as a Clause 9.3 issue. If management is not genuinely engaged with the ISMS, that is a fundamental problem that goes beyond the management review meeting. The ISMS lead’s role includes keeping management informed and demonstrating the value of the programme — but ultimately, leadership commitment must come from the top.
Do we need a separate agenda and minutes, or can we use an existing meeting structure?
Separate minutes specific to the ISMS management review are cleaner and easier to present to an auditor. If the ISMS review is embedded in a broader leadership meeting, the ISMS-specific elements should be clearly identifiable in the minutes — ideally in a dedicated section.
What counts as “top management” for the purposes of the management review?
ISO 27001 defines top management as “a person or group of people who directs and controls an organisation at the highest level.” For most organisations, this means the CEO, MD, or equivalent. For organisations with a board, top management typically includes board-level or C-suite participants. The key test is whether the people present have authority to commit resources and make decisions about the ISMS’s direction.