ISO 27001 · 9 min read · 5 July 2026

ISO 27001 Management Review: Clause 9.3 Requirements, Inputs, Outputs, and What Certification Bodies Actually Check

ISO 27001:2022 Clause 9.3 requires top management to review the ISMS at planned intervals. Here's exactly what the 7 mandatory inputs and 3 mandatory outputs are, and what BSI or DNV will look for.

What is an ISO 27001 management review?

ISO/IEC 27001:2022 Clause 9.3 requires that top management review the organisation's Information Security Management System (ISMS) at planned intervals. The purpose is to ensure the ISMS remains suitable, adequate, and effective — and to drive continual improvement.

This isn't optional. Without documented management review records, a certification body cannot issue or renew an ISO 27001 certificate. It is one of the most commonly cited nonconformities in surveillance audits.

The 2022 revision of ISO 27001 expanded and restructured the management review requirements compared to the 2013 edition. If you transitioned from ISO 27001:2013, your management review process needs updating to reflect the new Clause 9.3 structure.

Why management review is so frequently misunderstood

Many ISMS managers treat management review as a box-ticking exercise — a one-hour meeting where leadership rubber-stamps the CISO's slide deck. Certification bodies see through this immediately. A genuine management review leaves a paper trail: minutes, data presented, decisions made, actions assigned with owners and due dates, and a clear link from inputs to outputs.

The three questions a BSI or DNV assessor will ask when reviewing your management review records:

  1. Did top management actually attend and make decisions?
  2. Were all 7 mandatory input categories addressed with real data?
  3. Are the outputs clearly documented — decisions on improvement, resource needs, and policy/objective changes?

ISO 27001:2022 Clause 9.3 structure

The 2022 standard reorganised management review into three sub-clauses:

  • 9.3.1 General: Top management shall review the ISMS at planned intervals. The frequency isn't specified — annual is the minimum accepted norm; more frequent for high-risk environments.
  • 9.3.2 Management review inputs: Seven mandatory input categories that must be addressed in every review.
  • 9.3.3 Management review results: Three mandatory output categories — the decisions and actions that must come out of the review.

The 7 mandatory inputs (Clause 9.3.2)

Clause 9.3.2 defines what must be considered in every management review. These are not suggestions — they are requirements. If any are missing, an assessor will raise a nonconformity.

(a) Status of actions from previous management reviews

Every action item from the prior review must be tracked and reported. This creates a closed loop: previous meeting → actions → follow-up → current meeting. The assessor will ask to see the previous review minutes and verify that actions were followed up.

What to document: A table showing each prior action, owner, due date, current status (complete/in progress/overdue), and any revised timeline for incomplete items.

(b) Changes in external and internal issues relevant to the ISMS

This connects to Clause 4.1 (understanding the organisation and its context) and 4.2 (understanding interested parties). You must review whether the external threat landscape, regulatory environment, business model, technology stack, or competitive environment has changed in ways that affect the ISMS.

Common changes to report: new regulations (EU AI Act, DORA, NIS2), ransomware threat trends, acquisition or restructuring, new products or data types, changes to key suppliers, and evolving customer requirements.

(c)(1) Achievement of information security objectives

Under Clause 6.2, you must set measurable information security objectives. In the management review, you report on how you performed against each one. This requires actual data — not vague assertions.

Example objectives and metrics:

  • Mean time to remediate critical vulnerabilities (target: <14 days) → actual: 9 days ✅
  • Security awareness training completion (target: 100% by Q1) → actual: 98% ✅
  • Zero P1 security incidents caused by access control failures → actual: 0 ✅
  • Third-party security assessments completion (target: 80% of high-risk vendors) → actual: 55% ❌

(c)(2) Nonconformities and corrective actions

All nonconformities identified during the review period — from internal audits, external surveillance audits, security incidents, or day-to-day operations — must be reviewed for effectiveness of corrective actions. The key question: has the root cause been addressed so the nonconformity won't recur?

A common mistake is reporting that a corrective action was implemented without demonstrating that the root cause was actually resolved. Assessors distinguish between symptomatic fixes (patching one vulnerability) and root-cause fixes (fixing the vulnerability management process that allowed it to exist).

(c)(3) Monitoring and measurement results

Clause 9.1 requires you to decide what to monitor and measure, how, when, and who analyses results. The management review must present the actual results. This includes security dashboards, KPIs, KRIs, control effectiveness metrics, SIEM alert trends, and access review completion rates.

(c)(4) Audit results

Results of both internal audits (Clause 9.2) and external audits (certification body surveillance, customer security audits, regulatory inspections) must be presented and discussed. If the internal audit programme hasn't been executed, this is a gap that will itself produce a nonconformity.

(c)(5) Feedback from interested parties

Security questionnaires from customers, regulator correspondence, certification body observations, partner audit findings, and customer security incident queries all qualify as interested party feedback. Track and present this data.

For a B2B SaaS, completing 20 customer security questionnaires in a period is relevant feedback — it tells you what customers care about most (often MFA, pen test recency, data residency).

(c)(6) Risk assessment and risk treatment status

The current risk register — including new risks identified, changes to existing risks, risk treatment plan progress, and any risk acceptance decisions — must be reviewed. Risk owners should report on the status of their assigned treatment actions.

The management review is a key place where risk acceptance decisions are formally documented and approved by top management, as required by Clause 6.1.

(c)(7) Opportunities for continual improvement

ISO 27001:2022 places significant emphasis on Clause 10.2 (continual improvement). The management review should identify and discuss specific improvement opportunities — not just fix problems, but proactively improve the ISMS. These could include: new controls being adopted industry-wide, tool upgrades, process automation, expanding the ISMS scope.

The 3 mandatory outputs (Clause 9.3.3)

The management review must produce documented outputs in three categories:

(a) Opportunities for continual improvement

The specific improvement initiatives that management has decided to pursue, with owners and timelines.

(b) Any need for changes to the ISMS

Whether the ISMS scope, policies, controls, objectives, or risk treatment plan need updating based on what was reviewed. This could include: scope extension to a new office, policy updates for new regulations, new controls to address emerging threats.

(c) Resource needs

Management must explicitly address whether the ISMS has adequate resources — budget, staffing, tools, and training. If the CISO is under-resourced, this is where that needs to be raised, decided, and documented.

What does documented information look like?

Clause 7.5 requires documented information as evidence of management review. In practice, this means:

  • Meeting minutes or a formal review record — dated, listing attendees, summarising each input category discussed, and recording all decisions made
  • Action register — table with action, owner, due date, priority
  • Data supporting each input — dashboard screenshots, audit reports, metrics summaries
  • Sign-off — chairperson signature (or equivalent electronic approval)

The record doesn't need to be 50 pages. A well-structured 8-page management review record covering all 7 inputs and 3 outputs with real data will pass certification. A 2-page meeting summary that vaguely mentions "we discussed security" will not.

How often should you conduct management reviews?

Clause 9.3.1 says "at planned intervals." What does this mean in practice?

  • Annual minimum: For most organisations maintaining certification, one comprehensive annual review is the accepted baseline. Certification bodies expect this before each surveillance or recertification audit.
  • More frequent for higher-risk environments: Financial services, healthcare, and critical infrastructure organisations often conduct quarterly or semi-annual reviews.
  • Trigger-based additional reviews: A major security incident, significant business change, regulatory change, or failed audit may warrant an unscheduled review.

The key: whatever interval you commit to in your ISMS documentation, you must actually do it. A policy that says "quarterly" but only produces one annual review is itself a nonconformity.

Common management review nonconformities

Based on common certification audit findings:

  1. Missing inputs: Risk treatment status not covered, or audit results not discussed
  2. No real data: Narrative claims without metrics or evidence
  3. Actions without owners or dates: "We will improve" is not an action item
  4. No link to continual improvement: Outputs don't include specific improvement initiatives
  5. Top management not present: CISO alone doesn't satisfy the "top management" requirement — CEO, CTO, or the board need to be engaged
  6. Previous actions not followed up: No evidence that prior action items were progressed
  7. Records not retained: Minutes lost or inaccessible — retention per Clause 7.5 is required

Preparing for your management review

Six weeks before your management review, start collecting:

  1. Previous review minutes and action status
  2. SIEM/monitoring dashboard exports for the period
  3. Objective KPI actuals vs targets
  4. Internal audit report and nonconformity tracker
  5. Risk register — current view with risk owner updates
  6. Security incident log and post-mortem summaries
  7. Customer security questionnaire log
  8. Risk treatment plan progress report from risk owners

Package these into a management review pack distributed to attendees at least one week before the meeting. Management reviews that start with executives seeing data for the first time rarely produce meaningful decisions.

Generate your ISO 27001 Management Review Record

ComplyKit's ISO 27001 Management Review Template Generator produces a complete, certification-body-ready management review record covering all 7 Clause 9.3.2 inputs and 3 Clause 9.3.3 outputs. Review your ISMS inputs interactively, then generate a formal document in minutes.

For the full ISMS picture, see also: ISO 27001 Internal Audit Checklist Generator, ISO 27001 Risk Assessment Generator, and Statement of Applicability (SoA) Generator.