Management Reviews Are Not Optional -- They Are a Certification Requirement
Of all the ISO 27001 clauses that organizations treat as administrative overhead, Clause 9.3 tops the list. Management reviews get scheduled, rescheduled, rushed through in 20 minutes, and documented with meeting minutes that say little more than "security was discussed." Then the certification auditor arrives, reads those minutes, and issues a nonconformity.
Clause 9.3 is not a suggestion. It is a mandatory clause in ISO 27001:2022: none of the requirements in Clauses 4 through 10 can be excluded when claiming conformity, you cannot delegate it away from top management, and you cannot fake it with a retroactively written summary. Certification auditors know exactly what a real management review looks like, and they know what a checkbox exercise looks like.
The irony is that management reviews, done properly, are one of the most valuable activities in your entire ISMS. They are the mechanism through which leadership makes informed decisions about security investments, risk tolerance, and strategic direction. Organizations that treat them seriously end up with better security programs. Organizations that treat them as compliance theater end up with both bad security and audit findings.
The auditor's perspective: Management review is the primary evidence that top management is engaged with the ISMS. If the review is superficial, auditors question whether leadership commitment -- a Clause 5 requirement -- is genuine.
What Clause 9.3 Actually Says: The Mandatory Requirements
ISO 27001:2022 Clause 9.3 is structured into three sub-clauses: General (9.3.1), Management Review Inputs (9.3.2), and Management Review Results (9.3.3). Each has specific requirements that your review must satisfy.
Clause 9.3.1 -- General Requirements
Top management must review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. The standard does not define "planned intervals", but certification bodies generally expect at least one review per year. Semi-annual reviews are a common recommendation, and quarterly reviews are typical in mature or fast-changing organizations.
The three evaluations packed into that single sentence are distinct:
- Suitability -- Is the ISMS still appropriate for the organization's context? Have external factors, business strategy, or the threat landscape changed in ways that affect the ISMS scope or objectives?
- Adequacy -- Are the controls and processes sufficient to address the identified risks? Are there gaps in coverage or areas where controls are not performing as expected?
- Effectiveness -- Is the ISMS achieving its objectives? Are security incidents decreasing? Are risk treatment plans being executed? Is the organization's security posture measurably improving?
The key word is "top management." This is not a meeting your security team runs independently. The CEO, COO, or equivalent executive authority must participate. If your management review is attended only by the IT team, it does not satisfy Clause 9.3.
Clause 9.3.2 -- Mandatory Inputs
The standard specifies what must be considered during the management review. These are not optional agenda items: each one must be addressed and documented. Two points trip people up. The 2022 edition added "changes in needs and expectations of interested parties" (9.3.2 c) as a distinct input, and it groups four trend items (nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfilment of information security objectives) under "feedback on the information security performance". The table below lists those four separately so each can be evidenced on its own.
| Required Input | What This Means in Practice | Evidence to Prepare |
|---|---|---|
| Status of actions from previous reviews | Review action items from the last management review and report on completion status | Action item tracker with status updates, completion dates, and any carry-forward items |
| Changes in external and internal issues | New regulations, business changes, organizational restructuring, market shifts that affect the ISMS | Summary of relevant changes since the last review (new regulations, M&A activity, new products) |
| Changes in needs and expectations of interested parties | New or changed customer contractual security clauses, regulator expectations, board or investor requirements that bear on the ISMS | Updated interested-party register (Clause 4.2) with changes since the last review highlighted |
| Information security performance (umbrella for the four trend items below) | Metrics showing how the ISMS is performing against its objectives, presented as trends, not snapshots | Dashboard or report covering security KPIs, incident counts, control effectiveness metrics |
| Nonconformities and corrective actions | Status of all open nonconformities from internal and external audits | Nonconformity register with corrective action status, root cause analysis, and closure evidence |
| Monitoring and measurement results | Results from security metrics, KPI tracking, and control effectiveness measurements | Performance evaluation data from Clause 9.1 activities |
| Audit results | Findings from internal audits (Clause 9.2) and any external audit results | Internal audit report summary, nonconformity trends, corrective action progress |
| Fulfilment of information security objectives | Progress against each objective set under Clause 6.2, with the measurable evidence behind it | Objective-by-objective status showing target, actual, and trend |
| Feedback from interested parties | Input from customers, regulators, partners, and employees regarding information security | Customer security questionnaire trends, regulatory correspondence, employee feedback |
| Results of risk assessment and status of the risk treatment plan | Current state of the risk register, changes to risk levels, new risks identified, and progress of planned treatments | Risk register summary, risk treatment plan progress, any risk acceptance decisions needed |
| Opportunities for continual improvement | Areas where the ISMS can be enhanced: processes, technology, training, or scope | Improvement proposals with business cases and resource requirements |
Auditor expectation: The auditor will request the management review minutes and check each required input against the agenda. If the minutes say "risk assessment discussed" without any detail, the auditor will ask for the supporting materials that were presented. Prepare a management review pack that includes the actual data for each input, not just a reference to it.
Clause 9.3.3 -- Required Outputs
The management review must produce documented decisions and actions. Clause 9.3.3 names two kinds of result explicitly, decisions related to continual improvement opportunities and any needs for changes to the ISMS, and it requires documented information as evidence that those results exist. Vague statements like "continue current approach" are insufficient. Auditors expect specific, actionable outputs.
In practice those two required result types show up as:
- Decisions related to continual improvement -- specific improvements approved, with owners and timelines
- Decisions about changes to the ISMS -- scope changes, policy updates, new controls, or control modifications
- Resource allocation decisions -- budget approvals, headcount changes, tool procurement
- Updates to risk treatment plans -- new risk acceptances, additional mitigations approved
- Changes to security objectives -- revised targets or new objectives for the next period
The outputs feed directly into the next management review, where the first agenda item will be the status of these action items. This creates a cycle of accountability that auditors evaluate across multiple review periods.
Building a Management Review Agenda That Auditors Respect
A well-structured agenda ensures you cover every mandatory input while keeping the meeting focused and productive. Here is a proven agenda template that satisfies Clause 9.3 and keeps executives engaged.
Sample Management Review Agenda (90 Minutes)
- Opening and Previous Action Item Review (10 min) -- Review the action tracker from the last management review. Report completion status for each item. Discuss any outstanding items and update timelines.
- Changes in Context (10 min) -- Present any changes in external context (regulatory landscape, threat environment, industry changes) and internal context (organizational changes, new systems, staffing changes) that affect the ISMS.
- Information Security Performance Report (15 min) -- Present key metrics covering incident volumes and trends, vulnerability management statistics, control effectiveness measures, security objective progress, and compliance status.
- Internal Audit Results (10 min) -- Summarize findings from internal audits conducted since the last review. Present nonconformity status and corrective action progress.
- Risk Assessment Update (15 min) -- Present the current risk register summary. Highlight new risks, changes in risk levels, and any risks requiring management decisions on treatment or acceptance.
- Objective Fulfillment (10 min) -- Report progress against each defined information security objective with measurable evidence.
- Interested Party Feedback (5 min) -- Summarize feedback from customers, partners, regulators, and employees. Highlight any trends or recurring concerns.
- Improvement Opportunities and Decisions (15 min) -- Present proposed improvements to the ISMS. Include business cases, resource requirements, and expected benefits. This is where decisions are made and action items are assigned.
Keep it to 90 minutes. Management reviews that run three hours lose executive attention and produce diminishing returns. If 90 minutes is not enough, it usually means the pre-read materials were insufficient. Send the performance report, risk register summary, and audit findings to attendees 5 business days before the meeting so they arrive prepared.
Who Must Attend and Why It Matters
The single most common management review nonconformity is that top management was not present. Having the IT manager or information security officer present the review to themselves does not meet the requirement. The intent is that senior leadership evaluates the ISMS and makes strategic decisions about its direction.
| Role | Why They Attend | Required? |
|---|---|---|
| Top management member (CEO, Managing Director, or equivalent executive authority) | Demonstrates top management commitment, makes resource and risk acceptance decisions | Yes (Clauses 5.1 and 9.3.1) |
| CISO / Security Manager | Presents ISMS performance data, recommends improvements | Practical necessity |
| CTO / Head of Engineering | Provides context on technology changes, development security | Recommended |
| Head of Operations | Provides context on operational changes, business continuity | Recommended |
| Compliance / Legal | Addresses regulatory changes, contractual requirements | Recommended |
| HR Representative | Reports on security awareness training, personnel security | Optional |
For startups and smaller organizations, the management review may involve only two or three people. That is acceptable as long as someone with genuine executive authority is present and participating in decisions. A 15-person meeting is not inherently better than a 3-person meeting if the right people are in the room.
Metrics That Make Management Reviews Meaningful
The "information security performance" input is where most management reviews either shine or fall flat. Presenting the right metrics transforms the review from a compliance exercise into a strategic decision-making session.
Operational Metrics
- Security incident count and severity trend -- Present quarter-over-quarter or year-over-year trends, not just the current number. A reduction in high-severity incidents with context on why is more valuable than a raw count.
- Mean time to detect (MTTD) -- How long it takes from an event occurring to your team identifying it. Tracked from your continuous monitoring program.
- Mean time to respond (MTTR) -- How long from detection to containment. This measures the effectiveness of your incident response process.
- Vulnerability remediation rates -- Percentage of critical and high vulnerabilities remediated within SLA. Show trend over time.
- Patch compliance rate -- Percentage of systems with current security patches applied within your defined window.
Compliance and Control Metrics
- Nonconformity closure rate -- How many nonconformities were identified, how many have been closed, and what is the average time to closure.
- Risk treatment plan completion rate -- What percentage of planned risk treatments have been completed on schedule.
- Policy compliance rate -- Percentage of employees who have acknowledged current policies and completed required training.
- Third-party risk status -- Number of vendors assessed, any high-risk vendors identified, and remediation actions in progress.
Strategic Metrics
| Metric | Target | Why Executives Care |
|---|---|---|
| MTTR for P1 incidents | Under 4 hours | Directly impacts customer trust and potential regulatory exposure |
| Critical vuln remediation within SLA | 95% within 7 days | Reduces breach probability and demonstrates due diligence |
| Offboarding within 24 hours | 100% compliance | Prevents unauthorized access from former employees |
| Security awareness completion | 100% within 30 days of hire | Reduces human-factor risk, a recurring contributor to breaches |
| Risks above tolerance threshold | Zero unaddressed | Ensures conscious risk acceptance rather than oversight |
Present each metric with context: what the target is, what the actual performance is, whether the trend is improving or declining, and what action is recommended. Executives make better decisions when they see the gap between target and actual, not just the raw numbers.
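As an added example (not code from the original article), the following Python script derives three of the strategic metrics above from constructed incident, vulnerability and offboarding records. The record layouts, field names and sample data are assumptions; the targets are taken from the table. It shows two things the table does not: items still open past their SLA deadline are counted as breaches rather than quietly dropped, and open P1 incidents are reported next to MTTR instead of silently inflating the average.

```python
"""Build the performance-metric rows of a management review pack.

Added example, not part of the original article. Record layouts, field
names and the sample data below are assumptions; the SLA targets mirror
the strategic-metrics table. In practice the lists would be exports from
your ticketing, vulnerability-scanner and HR systems.
"""
from datetime import datetime, timedelta
from statistics import mean, median

# Reporting period end and targets (assumed; taken from the table above).
PERIOD_END = datetime(2025, 3, 31, 23, 59)
P1_MTTR_TARGET_HOURS = 4.0
CRITICAL_VULN_SLA = timedelta(days=7)
CRITICAL_VULN_TARGET_PCT = 95.0
OFFBOARDING_SLA = timedelta(hours=24)
OFFBOARDING_TARGET_PCT = 100.0


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def incident_response_times(incidents, severity="P1"):
    """MTTD and MTTR in hours for incidents of one severity.

    MTTD covers every incident of that severity. MTTR covers only incidents
    with a containment time; open incidents are counted separately so the
    review sees them instead of a flattering average. The median is given
    beside the mean because one long incident dominates a small sample.
    """
    sev = [i for i in incidents if i["severity"] == severity]
    closed = [i for i in sev if i.get("contained_at") is not None]
    detect = [_hours(i["occurred_at"], i["detected_at"]) for i in sev]
    respond = [_hours(i["detected_at"], i["contained_at"]) for i in closed]
    return {
        "count": len(sev),
        "open": len(sev) - len(closed),
        "mttd_mean_h": round(mean(detect), 2) if detect else None,
        "mttr_mean_h": round(mean(respond), 2) if respond else None,
        "mttr_median_h": round(median(respond), 2) if respond else None,
    }


def sla_compliance(records, opened_key, closed_key, sla, as_of):
    """Percentage of records closed within `sla` of being opened.

    A record still open past its deadline at `as_of` is a breach. A record
    still open but inside its deadline cannot be scored yet and is left out
    of the denominator rather than counted as a pass.
    """
    met = breached = 0
    for r in records:
        deadline = r[opened_key] + sla
        closed = r.get(closed_key)
        if closed is not None:
            if closed <= deadline:
                met += 1
            else:
                breached += 1
        elif as_of > deadline:
            breached += 1
    scored = met + breached
    return {
        "scored": scored,
        "within_sla_pct": round(100 * met / scored, 1) if scored else None,
    }


def build_report(incidents, vulns, offboardings, as_of=PERIOD_END):
    """Rows of metric, actual, target and whether the target was met."""
    p1 = incident_response_times(incidents, "P1")
    crit = sla_compliance(vulns, "discovered", "remediated", CRITICAL_VULN_SLA, as_of)
    offb = sla_compliance(offboardings, "terminated", "access_revoked", OFFBOARDING_SLA, as_of)
    rows = [
        # (metric, actual, target, comparison deciding whether the target is met)
        ("P1 MTTR, mean hours", p1["mttr_mean_h"], P1_MTTR_TARGET_HOURS,
         lambda a, t: a is not None and a < t),
        ("Critical vulns remediated within 7-day SLA, %", crit["within_sla_pct"],
         CRITICAL_VULN_TARGET_PCT, lambda a, t: a is not None and a >= t),
        ("Access revoked within 24h of offboarding, %", offb["within_sla_pct"],
         OFFBOARDING_TARGET_PCT, lambda a, t: a is not None and a >= t),
    ]
    return [{"metric": m, "actual": a, "target": t, "met": f(a, t)} for m, a, t, f in rows]


# Constructed sample data (not real incidents, findings or staff).
D = datetime
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "severity": "P1", "occurred_at": D(2025, 1, 10, 8), "detected_at": D(2025, 1, 10, 9, 30), "contained_at": D(2025, 1, 10, 12, 30)},
    {"id": "INC-2", "severity": "P1", "occurred_at": D(2025, 2, 3, 22), "detected_at": D(2025, 2, 4, 2), "contained_at": D(2025, 2, 4, 6)},
    {"id": "INC-3", "severity": "P1", "occurred_at": D(2025, 3, 28, 14), "detected_at": D(2025, 3, 28, 14, 20), "contained_at": None},  # still open
    {"id": "INC-4", "severity": "P2", "occurred_at": D(2025, 2, 11, 9), "detected_at": D(2025, 2, 12, 9), "contained_at": D(2025, 2, 13, 9)},
]
SAMPLE_VULNS = [
    {"id": "V-1", "discovered": D(2025, 1, 5), "remediated": D(2025, 1, 9)},
    {"id": "V-2", "discovered": D(2025, 1, 20), "remediated": D(2025, 1, 30)},
    {"id": "V-3", "discovered": D(2025, 2, 14), "remediated": D(2025, 2, 20)},
    {"id": "V-4", "discovered": D(2025, 3, 10), "remediated": None},  # open, past SLA: a breach
    {"id": "V-5", "discovered": D(2025, 3, 28), "remediated": None},  # open, inside SLA: not scored
]
SAMPLE_OFFBOARDINGS = [
    {"user": "a", "terminated": D(2025, 1, 15, 17), "access_revoked": D(2025, 1, 15, 17, 30)},
    {"user": "b", "terminated": D(2025, 2, 28, 12), "access_revoked": D(2025, 3, 2, 9)},
    {"user": "c", "terminated": D(2025, 3, 14, 9), "access_revoked": D(2025, 3, 14, 18)},
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_INCIDENTS, SAMPLE_VULNS, SAMPLE_OFFBOARDINGS):
        status = "MET" if row["met"] else "MISSED"
        print(f"{row['metric']:<48} actual={row['actual']!s:>6} target={row['target']!s:>6} {status}")
```

Run it to print the three rows; with the sample data the P1 MTTR target is met while both SLA percentages miss, which is the shape of result that should lead to a documented decision and an owned action item rather than a note that performance was "reviewed".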
Documenting Management Review Outputs Properly
The meeting minutes from your management review are primary audit evidence. They will be requested during every surveillance audit and certification audit. Poor documentation is one of the most common Clause 9.3 nonconformities.
What Must Be in the Minutes
- Date, time, and duration of the meeting
- Attendee list with roles -- critically, evidence that top management was present
- Each mandatory input covered with a summary of what was presented and discussed
- Decisions made -- specific, documented decisions with rationale
- Action items with assigned owners, deadlines, and expected outcomes
- Risk acceptance decisions -- if management accepted any risks, document the risk, the rationale, and the accepting authority
- Next review date -- confirms the "planned intervals" requirement
What Auditors Flag as Insufficient
- "Security performance was reviewed and found satisfactory" -- This tells the auditor nothing. What metrics were reviewed? What were the actual numbers? What is the basis for "satisfactory"?
- No action items -- A management review that produces zero action items suggests the review was superficial. There are always improvements to make.
- Missing attendees -- If the CEO is listed as the top management representative but the minutes show they were not present, you have a Clause 5 leadership commitment problem in addition to a Clause 9.3 issue.
- No reference to previous actions -- Clause 9.3.2 explicitly requires reviewing the status of actions from previous reviews. If the minutes do not address this, it is a gap.
- Generic improvement statements -- "We will continue to improve our security posture" is not an output. "We will implement automated access reviews by Q3 2026, owned by the IT Director, budget of $15,000 approved" is an output.
Common Clause 9.3 Nonconformities and How to Avoid Them
Based on our experience supporting ISO 27001 certification audits, these are the most frequent management review nonconformities we encounter.
Major Nonconformities
- No management review conducted -- The most severe finding. If you have not held a management review at all during the audit period, this is an automatic major nonconformity that must be closed before certification can proceed.
- Top management not present -- The review was held, but only the IT team attended. Clause 9.3 explicitly requires top management, and delegation to middle management does not satisfy this requirement.
- Mandatory inputs missing -- The review covered some topics but skipped others entirely. For example, risk assessment results were not presented, or audit findings were not discussed.
Minor Nonconformities
- Insufficient documentation of decisions -- The review was held and covered the right topics, but the minutes lack specificity about what decisions were made and what actions were assigned.
- Action items not tracked to completion -- Previous review actions were assigned but there is no evidence of follow-up or status tracking between reviews.
- Review not conducted at planned intervals -- The organization defined semi-annual reviews but the last review was nine months ago. Once you commit to a frequency, you must maintain it.
Prevention strategy: Use a management review template that maps directly to Clause 9.3.2 inputs. Structure your agenda so that each mandatory input is a separate agenda item. This makes it nearly impossible to accidentally skip a required topic, and it makes it obvious to the auditor that you covered everything.
Frequency: How Often Is Enough?
The standard says "at planned intervals" without specifying a frequency. The minimum that auditors accept is annual, but the right frequency depends on your organization's maturity and pace of change.
| Frequency | Best For | Considerations |
|---|---|---|
| Quarterly | New ISMS implementations, rapidly growing organizations, high-risk industries | More frequent reviews catch issues early but require more executive time |
| Semi-Annual | Established ISMS with moderate change rate, mid-size organizations | Good balance of oversight and efficiency; common for organizations in surveillance audit years |
| Annual | Mature ISMS with stable operations, small organizations with limited change | Minimum acceptable frequency; must be supplemented with ad-hoc reviews if significant changes occur |
Regardless of the planned frequency, significant changes should trigger an ad-hoc management review. A major security incident, a regulatory change affecting your ISMS scope, or a significant organizational restructuring all warrant management attention outside the regular cycle.
Integrating Management Reviews with Other Compliance Frameworks
If your organization also maintains SOC 2 or PCI DSS compliance, management reviews can serve multiple frameworks simultaneously. The key is structuring your review to address the overlapping requirements without creating separate meetings for each framework.
ISO 27001 + SOC 2 Overlap
SOC 2's CC4 (Monitoring Activities) requires management to perform ongoing and separate evaluations of internal control and to evaluate and communicate deficiencies. Your ISO 27001 management review can serve as one of those separate evaluations if you include SOC 2 control effectiveness data in the performance report and record how deficiencies were communicated and tracked to remediation. Document this mapping explicitly so both your ISO auditor and your SOC 2 auditor can reference the same meeting minutes. The review on its own does not discharge CC4: the ongoing monitoring activities still have to happen between reviews, and the review is where their results are evaluated.
ISO 27001 + PCI DSS Overlap
PCI DSS v4.0 Requirement 12.4 makes executive management responsible for protecting cardholder data and for the PCI DSS compliance program (12.4.1) and, for service providers only, requires reviews at least once every three months to confirm that personnel are performing their tasks in accordance with security policies and operational procedures (12.4.2), with the results, any remediation, and a sign-off documented (12.4.2.1). This is narrower and more operational than an ISO 27001 management review, so it does not replace it. If you run management reviews quarterly, though, you can table the 12.4.2 review results as a monitoring input and obtain the executive sign-off in the same meeting, producing one set of minutes that both auditors can use.
This multi-framework approach is a core part of how we structure compliance programs for clients using our Compliance Package ($42,500/yr). Rather than running separate compliance programs that duplicate effort, we design integrated programs where a single management review produces evidence for ISO 27001, SOC 2, and PCI DSS simultaneously.
Making Management Reviews Add Real Value
Beyond satisfying the auditor, management reviews are your opportunity to align security investments with business priorities. Here is how to make them genuinely useful.
Connect Security to Business Risk
Frame every metric and every risk in business terms. Instead of "we had 47 medium-severity vulnerabilities this quarter," say "we had 47 vulnerabilities in customer-facing systems, 12 of which could have enabled unauthorized access to customer data, representing potential regulatory exposure under GDPR." Executives make decisions based on business impact, not technical severity ratings.
Present Decision-Ready Options
When requesting resources or proposing changes, do not present problems without solutions. Present two or three options with costs, benefits, and trade-offs, and ask management to select one. This respects their time and produces clear, documented decisions.
Track Trends, Not Just Snapshots
Show metrics as trends over three or four review periods. A single data point tells management nothing about direction. Trending data shows whether investments are paying off, whether risk is increasing or decreasing, and whether the ISMS is maturing.
- Present year-over-year incident trends to show program maturity
- Show vulnerability remediation time improvements to justify tooling investments
- Track risk register evolution to demonstrate that risks are being actively managed
- Compare security spending against industry benchmarks to frame budget requests
- Measure ISMS maturity using a recognized framework to show progression over time
Management Review Readiness Checklist
Use this checklist before each management review to ensure compliance and maximize the value of the meeting.
- Top management confirmed attendance with calendar invitation sent at least two weeks in advance
- Management review pack distributed at least one week before the meeting, containing data for all required inputs
- Previous action items status compiled showing completion status, evidence of closure, and reasons for any delays
- Context changes documented including regulatory updates, organizational changes, technology changes, and threat landscape developments
- Performance metrics prepared with trend data, targets, actuals, and recommended actions for any underperformance
- Risk assessment summary current showing new risks, changed ratings, treatment plan progress, and residual risk levels
- Audit findings summarized from both internal audits and any external assessments, with corrective action status
- Information security objectives status updated with measurable evidence of progress toward each objective
- Minutes template prepared with sections for each required input and a dedicated section for decisions and action items
- Minutes from previous review available for reference during action item follow-up
The ultimate test of a good management review: If an executive walks out of the room having made at least one decision they could not have made without the information presented, the review added value. If nothing was decided that required the meeting, it was compliance theater.
Need Help Structuring Your ISO 27001 Program?
Lorikeet Security's Compliance Package ($42,500/yr) includes ISO 27001 readiness, management review framework design, internal audit support, and certification preparation. We build ISMS programs that integrate with SOC 2 and PCI DSS to eliminate duplicate effort.