ISO 27001 · 8 min read · 5 July 2026

ISO 27001 Management Review vs Internal Audit: What's the Difference and How They Work Together

ISO 27001 requires both a management review (Cl. 9.3) and an internal audit programme (Cl. 9.2). They serve different purposes but feed each other. Here's how to run both effectively.

Two different requirements, often confused

ISO 27001:2022 Clause 9 — Performance Evaluation — contains two distinct requirements that serve different purposes but are deeply interconnected:

  • Clause 9.2 — Internal Audit: An independent, systematic examination of the ISMS against the ISO 27001 standard and the organisation's own policies and controls.
  • Clause 9.3 — Management Review: A review by top management of the ISMS's suitability, adequacy, and effectiveness — using inputs including internal audit results.

These are not interchangeable. You cannot satisfy Cl. 9.3 by describing your internal audit findings. And the internal audit cannot substitute for management review. Both must be documented separately.

Internal audit (Clause 9.2): what it is

An internal audit is a structured, evidence-based assessment that answers: Is our ISMS conforming to the ISO 27001 standard and our own policies? Is it effectively implemented and maintained?

Who conducts the internal audit?

Clause 9.2 requires that auditors be objective and impartial — they cannot audit their own work. In practice:

  • Large organisations: dedicated internal audit function or information security audit team
  • Medium organisations: cross-functional auditors (engineering lead audits HR processes, HR audits change management)
  • Small organisations (under 50 people): this is the hard part — you may need to bring in an external auditor or consultant for the internal audit to satisfy the independence requirement

The certification body will ask about auditor independence. "The CISO audited all the controls they implemented" is a common finding in surveillance audits.

What does the internal audit cover?

The audit programme (a planned schedule, not a single event) should cover:

  • All clauses of ISO 27001 (4–10) over the certification cycle (typically 3 years)
  • Annex A controls declared as applicable in the Statement of Applicability (SoA)
  • Higher-risk areas more frequently
  • Areas flagged in previous audits or risk assessments

The scope of each individual audit can be narrower; you don't have to audit everything in a single session. An annual programme might cover access control (Annex A 5.15 to 5.18), incident response and change management in H1, then vendor management, physical security and business continuity in H2.

Internal audit output

The audit produces:

  • An audit report — scope, objectives, method, findings, conclusion
  • Nonconformity records — specific deviations from requirements with severity (major/minor) and evidence
  • Opportunities for improvement (OFIs) — observations that don't rise to the level of nonconformity but represent improvement potential
  • Corrective action requests (CARs) — for nonconformities, requiring root cause analysis and correction

Management review (Clause 9.3): what it is

A management review is a strategic leadership discussion that answers: Is our ISMS appropriate for our organisation, adequate for our risks, and effective in achieving our objectives?

Where the internal audit is conducted by auditors examining evidence, the management review is conducted by top management examining inputs — including the internal audit results — to make decisions.

Who conducts the management review?

"Top management" as defined in ISO 27001 — the person or group that directs and controls the organisation at the highest level. For a startup, this is typically the CEO plus relevant C-suite. For a division, it's the division head and their direct reports. The CISO or ISMS Manager typically facilitates but is not the decision-maker.

What does the management review cover?

All 7 mandatory inputs per Clause 9.3.2 (described in detail in our Clause 9.3 requirements guide), producing 3 mandatory outputs per Clause 9.3.3: decisions on continual improvement, ISMS changes, and resource needs.

Key differences: a comparison table

Dimension | Internal Audit (Cl. 9.2) | Management Review (Cl. 9.3)
Purpose | Assess conformance and effectiveness | Evaluate suitability, adequacy, effectiveness; make decisions
Who leads it | Independent auditors | Top management
Input | Standard requirements, policies, evidence | 7 mandatory input categories (including audit results)
Output | Audit report, NCs, OFIs, CARs | Decisions on improvement, ISMS changes, resources
Frequency | According to audit programme (at least annual) | At planned intervals (at least annual)
Evidence required | Audit report, NC tracker, evidence sampled | Review minutes, action register, data supporting inputs
Can substitute for the other? | No | No
Certification body check | Programme, independence, findings, CARs closed | All 7 inputs covered, 3 outputs documented, management present

How they feed each other

The relationship between the two activities is intentional and important:

Internal audit → Management review

Internal audit results are a mandatory input (Cl. 9.3.2 d) 3) in ISO 27001:2022, under "feedback on the information security performance") to the management review. This means:

  • The internal audit must be completed before the management review that is expected to consider its results; at minimum, the findings must be available for the review at which they are due
  • Management review must address audit findings — what nonconformities were found, what corrective actions are underway, and whether management is satisfied with the programme's coverage
  • If the internal audit found significant issues, the management review may need to allocate resources or change controls — which flows into the outputs

Management review → Internal audit

Management review decisions can shape the next internal audit programme:

  • Management may identify higher-risk areas that need more frequent or deeper audit coverage
  • Resource decisions (e.g., hiring an internal auditor) affect audit programme capacity
  • New ISMS scope changes require corresponding changes to the audit scope

Sequencing: which comes first?

For the annual certification cycle:

  1. Risk assessment and risk treatment review — updated risk register
  2. Internal audit — assessing controls against requirements, producing findings and NCs
  3. Corrective actions — addressing any NCs found in the audit (at least initiation, if not full closure)
  4. Management review — reviewing all inputs including audit results, making decisions for the next period
  5. Surveillance/recertification audit — certification body reviews all of the above

Running the management review before the internal audit deprives it of the audit input — a gap assessors will note.

Common mistakes when running both

  1. Conflating the two into one document: A management review that is just the internal audit report reformatted doesn't satisfy Cl. 9.3. They must be separate documented activities.
  2. The CISO running the internal audit of their own controls: Independence failure. Get a different person or bring in an external auditor.
  3. Management review without management: The CISO alone running a "management review" and sending minutes to leadership doesn't satisfy the requirement. Leadership must actively participate.
  4. Audit programme covering too narrow a scope: If the annual internal audit only covers access control, and ignores physical security, change management, and vendor risk, the programme is insufficient.
  5. No follow-up on CARs from internal audit before management review: Present the corrective action status in the management review — not just "we found NCs" but "here's what we did about them."

A practical calendar for small ISMS teams

Month | Activity
January–February | Annual risk assessment update, risk treatment plan review
March–April | Internal audit phase 1 (access control, incident response, change management)
May | Corrective actions initiated for phase 1 audit findings
July–August | Internal audit phase 2 (vendor management, physical security, business continuity)
September | Corrective actions for phase 2 audit findings; all CARs from both phases progressed
October | Management review, covering the full year of inputs: all audit results, risk assessment, objectives
November–December | Certification body surveillance or recertification audit

Generate both documents with ComplyKit

ComplyKit provides generators for both documents.

See also: ISO 27001 Risk Assessment Generator and Statement of Applicability Generator.