The management review is one of those ISO 27001 requirements that many organisations treat as a box-ticking exercise: a meeting that happens because the standard says it must, producing minutes that nobody reads. Shelfware.
That’s a mistake. Not just because auditors can usually tell when a management review has been done properly versus written up after the fact, but because a good ISO 27001 management review is genuinely valuable for your ISMS. It’s the moment where senior management engages with your security posture and makes decisions that keep the system improving.
This guide explains exactly what ISO 27001 requires from a management review, and how to run one that’s both compliant and actually useful.
What Is a Management Review?
The management review is a formal meeting (held at least annually) where senior management reviews the performance of the ISMS and makes decisions about how it should develop.
It’s required by Clause 9.3 of ISO 27001. The clause is quite specific about what must be covered, which is why having a clear agenda is important.
The review isn’t a technical meeting for the security team. It’s a leadership meeting where the people with authority to allocate resources and change direction review whether the ISMS is working and what should happen next.
The Management Review in Your ISMS Calendar
The management review sits at the heart of your Plan-Do-Check-Act cycle — fed by your ISMS processes, and driving improvements back into them.
- Internal Audits: findings, nonconformities, and observations feed directly into the review agenda (Clause 9.3.1)
- Improvement Actions: specific actions with owners and deadlines, tracked through to closure
- Incidents & Risks: security incidents, near-misses, and updated risk assessment results
- Policy & Scope Changes: decisions to update the ISMS scope, security policy, or objectives
- KPIs & Metrics: performance data such as training completion, control effectiveness, and SLA compliance
- Resource Decisions: budget, headcount, and tooling commitments needed to maintain the ISMS
Who Must Attend?
The management review must be attended by top management — the people with overall responsibility for the organisation. In a small business, this typically means the MD or CEO. In a larger organisation, it might mean the management team or board.
The person leading the ISMS (whether an information security manager, operations manager, or whoever owns the project) will typically present to management rather than simply attending as a peer.
Other attendees might include:
- The IT manager (if distinct from the ISMS lead)
- Department heads with significant information security responsibilities (HR for example)
- The ISO 27001 project lead or internal audit lead (if different from the above)
External consultants or advisers may attend, but the review should be clearly owned by internal management.
Who Should Be in the Room?
ISO 27001 says "top management" must conduct the review — but getting the right people involved makes the difference between a rubber-stamp and a useful meeting.
What Must the Management Review Cover?
Clause 9.3 sets out specific inputs that must be addressed in the management review. These aren’t optional: auditors will check that all of them are covered in your minutes.
Required inputs under ISO 27001 Clause 9.3:
The status of actions from previous management reviews
What was decided last time? Has it been done? If not, why not?
Changes in external and internal issues relevant to the ISMS
What has changed in your business or your environment since the last review? New systems, new staff, new services, new threats, regulatory changes, customer requirements?
Feedback on information security performance
This includes:
- Nonconformities and corrective actions: what’s been raised and addressed?
- Monitoring and measurement results: are your KPIs being met?
- Audit results: what did the internal audit find?
- Fulfilment of information security objectives: are you hitting your targets?
Feedback from interested parties
What are customers, regulators, or other stakeholders saying about your security? Any complaints, requests, or concerns?
Results of risk assessment and status of risk treatment plan
Have risks changed? Are treatment actions on track? Have new risks emerged?
Opportunities for continual improvement
What could be done better? What have you learned from incidents, audits, or near-misses?
What Does the Management Review Produce?
The outputs of the management review — the decisions made — must also be documented. ISO 27001 specifies what decisions must be covered:
- Continual improvement opportunities — what will be done to improve the ISMS?
- Any needs for changes to the ISMS — scope changes, policy updates, resource allocation, process improvements
- Resource needs — if the ISMS needs more time, budget, or people, this is where that’s approved
These decisions should be captured as action items with owners and target dates.
What Goes In — and What Must Come Out
ISO 27001 Clause 9.3 specifies both the inputs your management review must consider and the outputs it must produce. Both are mandatory.
Inputs the review must consider (Clause 9.3.2):
- Status of actions from previous reviews (9.3.2a)
- Changes in external and internal issues affecting the ISMS (9.3.2b)
- Feedback on information security performance: incidents, nonconformities, monitoring results, audit findings (9.3.2c)
- Feedback from interested parties (9.3.2d)
- Results of risk assessment and risk treatment plan status (9.3.2e)
- Opportunities for continual improvement (9.3.2f)
Outputs the review must produce (Clause 9.3.3):
- Decisions on continual improvement opportunities (9.3.3a)
- Any need for changes to the ISMS: scope, policy, objectives (9.3.3b)
- Resource needs identified and allocated (9.3.3c)
- Specific improvement actions with owners and deadlines
- Updates to the risk treatment plan if required
- Documented minutes retained as evidence
Management Review: Sample KPI Dashboard
This is the kind of performance data top management should be reviewing: not raw logs, but meaningful metrics that drive decisions.
How Often Must It Be Held?
At minimum, once a year. There’s no maximum — many organisations hold them more frequently (quarterly or six-monthly) as part of a broader governance rhythm.
If you’re in your first year of implementation, you’ll want to hold a management review before your Stage 2 audit. Auditors will ask to see the minutes, and a management review that happened last week looks better than no management review at all — but the further in advance of the audit you can hold it, the better it reflects your ongoing operation.
A Sample Management Review Agenda
Here’s an agenda structure that covers all the required Clause 9.3 inputs:
1. Welcome and purpose (5 minutes)
Brief introduction to the purpose of the meeting.
2. Actions from the previous management review (10 minutes)
Review of actions agreed at the last meeting. Status update for each.
3. Context and changes (10 minutes)
What has changed since the last review — internally (new staff, new systems, new services) and externally (regulatory changes, new threats, customer requirements)?
4. Information security performance (20 minutes)
- Internal audit results and status of findings
- Corrective actions raised and status
- Security incidents and near-misses reviewed
- KPIs and objectives performance
- Feedback from stakeholders (customers, regulators, suppliers)
5. Risk assessment and treatment status (10 minutes)
Risk register summary: any new or changed risks? Treatment plan progress?
6. Opportunities for improvement (10 minutes)
Open discussion on what could be done better. Inputs from the team.
7. Decisions and actions (10 minutes)
Confirm resource allocation, scope changes, policy updates, and other decisions. Agree actions with owners and dates.
8. Summary and close (5 minutes)
Confirm date of next management review.
Sample Management Review Agenda
A structured agenda mapped to Clause 9.3 inputs — adapt this for your own organisation. Every item marked Mandatory is required by the standard.
| Time | # | Agenda Item | Clause | Owner |
|---|---|---|---|---|
| Opening | | | | |
| 0:00 | 1 | Welcome & Apologies: confirm quorum; record attendance for minutes | Admin | Chair |
| 0:05 | 2 | Actions from Previous Review (Mandatory): review closure of actions agreed at the last meeting; note any outstanding items | 9.3.2a | ISMS Mgr |
| ISMS Performance | | | | |
| 0:15 | 3 | Internal Audit Results (Mandatory): summary of findings, nonconformities, and corrective action status | 9.3.2c | Audit Lead |
| 0:25 | 4 | Security Incidents & Nonconformities (Mandatory): incidents logged, near-misses, and trend analysis since the last review | 9.3.2c | ISMS Mgr |
| 0:35 | 5 | KPIs & Monitoring Results (Mandatory): control effectiveness metrics, training completion, vulnerability closure rates | 9.3.2c | ISMS Mgr |
| Risk & Context | | | | |
| 0:45 | 6 | Risk Assessment & Treatment Update (Mandatory): changes to the risk register; risk treatment plan progress; any new or changed risks | 9.3.2e | Risk Owner |
| 0:55 | 7 | Changes to Internal & External Context (Mandatory): regulatory changes, new contracts, organisational changes, technology changes | 9.3.2b | ISMS Mgr |
| 1:05 | 8 | Interested Party Feedback (Mandatory): customer security questionnaires, supplier assessments, regulator correspondence | 9.3.2d | ISMS Mgr |
| Decisions & Close | | | | |
| 1:15 | 9 | Improvement Opportunities (Mandatory): agree continual improvement actions; assign owners and deadlines | 9.3.3a | All |
| 1:25 | 10 | Resource & Scope Decisions (Mandatory): confirm resource adequacy; any changes to ISMS scope or policy required | 9.3.3b-c | CEO |
| 1:35 | 11 | Summary & Next Review Date: confirm action log; agree next review date; chair to sign minutes | 9.3.3 | Chair |
Writing the Management Review Minutes
The minutes are the evidence that the management review happened. Auditors will read them carefully, looking for substantive discussion of all required inputs — not just a list of attendees and a note that “security was discussed.”
Good management review minutes include:
- Date, time, and location (or video call)
- Attendees (names and roles)
- A summary of the discussion against each agenda item
- The specific decisions made (not just “we discussed risk” but “we agreed to implement MFA for all admin accounts by Q2”)
- Action owners and target dates
- Signature or approval from the most senior person present
Avoid the temptation to write minutes that are too brief. A one-page set of minutes for a topic as important as information security governance will look thin to an auditor.
Common Mistakes
Holding it, but not documenting it properly. The review must be recorded. A meeting that isn’t minuted never happened as far as an auditor is concerned.
Treating it as a one-person exercise. The review must involve top management — it cannot simply be the ISMS lead writing a report to themselves. Senior management engagement needs to be visible in the minutes.
Not addressing all the required inputs. It’s easy to have a good discussion about incidents and risks but forget to cover changes in internal/external context or feedback from interested parties. Use a checklist against Clause 9.3 inputs to verify completeness.
No action items. A management review that produces no decisions and no actions suggests nothing was discussed that needed management attention. In a live ISMS, there’s always something to decide or improve.
Holding it the day before Stage 2. Auditors can tell when a management review was rushed to satisfy a certification requirement. Build it into your regular calendar so it happens naturally.
Management Review vs Internal Audit: What's the Difference?
Both are mandatory Clause 9 requirements — but they serve completely different purposes. Confusing the two is one of the most common ISO 27001 mistakes.
Management Review and Your Certification Audit
In the Stage 2 audit, the auditor will review your management review minutes as evidence that the organisation is genuinely running its ISMS. They may ask management attendees directly what was discussed and what decisions were made.
The most reassuring thing you can have is a management review that clearly shows senior management engaged, substantive discussion of real issues, and concrete actions that were followed through.
The Evidence Trail Your Auditor Will Follow
When your certification auditor reviews your management review, they're not just checking it happened — they're tracing a complete paper trail. Here's exactly what they look for.
Meeting Invitation (Required)
Evidence that the meeting was formally scheduled — not a last-minute catch-up. A calendar invite or formal notice sent in advance demonstrates due process.
- Date, time, and location (or video link)
- Named attendees including top management
- Attached or linked agenda circulated in advance
Agenda (Required)
The agenda confirms that all Clause 9.3.2 inputs were planned for discussion. Auditors compare the agenda against the standard's required inputs to check nothing was skipped.
- Previous action status, incidents, audit results
- Risk assessment & treatment plan update
- Changes to context and interested party feedback
- Improvement opportunities
Attendance Record (Required)
Proof that top management was genuinely present — not just copied on the minutes afterwards. A signed attendance sheet or named sign-off in the minutes is expected.
- Name and role of each attendee
- Signature or confirmed attendance (for key roles)
- Any apologies noted — and whether quorum was met
Meeting Minutes (Required)
The primary evidence document. Minutes must record what was discussed, what decisions were made, and any changes agreed to the ISMS. "Discussed and agreed" is not sufficient — specifics are needed.
- Discussion points against each agenda item
- Specific decisions made (including "no change" decisions)
- Resource allocations agreed
- Date and chair's signature
Action Log (Required)
Every improvement decision must translate into a tracked action. Auditors look for ownership, deadlines, and evidence of follow-through — especially at the next review.
- Action description and reference number
- Named owner responsible for completion
- Target completion date
- Status updated at each subsequent review
Supporting Data Packs
The inputs presented at the meeting — KPI reports, audit summaries, risk register extracts, incident logs. These are often reviewed by the auditor to confirm the review was substantive.
- KPI dashboard or metrics report for the period
- Internal audit findings summary
- Risk register extract with treatment status
- Incident log summary for the period
FAQs
How often does ISO 27001 require a management review to be held?
ISO 27001 requires management reviews to be held “at planned intervals” — in practice, certification bodies expect at least one per year. However, the standard doesn’t set a maximum frequency, and many organisations benefit from quarterly reviews, particularly during periods of rapid growth, significant organisational change, or following a serious security incident. More frequent reviews mean shorter agendas and faster response to emerging risks.
Who counts as “top management” for the purposes of the management review?
ISO 27001 defines top management as the person or group of people who direct and control the organisation at the highest level — typically the CEO, Managing Director, or equivalent. The key requirement is that the person attending has genuine authority to make resource decisions and direct the ISMS. A delegated ISMS Manager running the meeting alone, without a senior leader present, is unlikely to satisfy an auditor that top management has meaningfully conducted the review.
What happens if we miss a management review during our certification cycle?
Missing a management review is a nonconformity against Clause 9.3 and will be raised by your certification auditor at surveillance or recertification. In serious cases — for example, no review conducted in over 18 months — it could result in a major nonconformity that puts your certificate at risk. If you miss a scheduled review, hold one as soon as possible, document why it was delayed, and implement controls to prevent it recurring.
Do the management review minutes need to be signed, and how long should we keep them?
ISO 27001 requires the outputs of the management review to be retained as documented information, but doesn’t specify a signature requirement or a precise retention period. In practice, having the chair (and ideally a senior leader) sign off the minutes significantly strengthens your evidence. For retention, most organisations keep management review records for the full three-year certification cycle plus one additional year — ensuring that records from the previous cycle are available during recertification if requested.
