ISO 27001 Management Review (Clause 9.3)

How ISO 27001 Clause 9.3 management reviews work, including required inputs and outputs, cadence, documentation, and demonstrating leadership engagement.
Clause 9.3 of ISO 27001 requires top management to review the organization's ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. Of all the clauses in ISO 27001, this is the one where certification auditors most consistently find weak evidence. A calendar invite titled "Security Review" with no agenda, no minutes, and no decisions will not pass Stage 2.

Management review is also the clause where ISO 27001 most clearly communicates a cultural expectation: information security is a leadership responsibility, not a technical hobby. Done well, the management review becomes one of the most valuable recurring events in the security calendar because it forces leadership to see the ISMS as it really is, not how anyone wishes it looked.

What Clause 9.3 requires

Clause 9.3.1 requires top management to review the ISMS at planned intervals to ensure it remains suitable, adequate, and effective. Clause 9.3.2 lists specific required inputs. Clause 9.3.3 requires that outputs of the review include decisions related to continual improvement opportunities and any need for changes to the ISMS, and that the organization retain documented information as evidence of the results of management reviews.

The implication is that management review is not just a meeting. It is an evidence-producing event with defined inputs, documented decisions, and traceable outputs.

Cadence — how often to review

The standard says "at planned intervals" without prescribing a specific cadence. In practice, certification bodies expect at least one comprehensive management review per year covering all required inputs. Many organizations run a lighter quarterly review focused on specific topics like risk changes, audit findings, or metrics trends, and reserve the full review for an annual off-site or strategic session.

Very high-growth companies or those in heavily regulated industries sometimes run monthly management reviews. Smaller or more stable organizations can credibly operate on an annual cycle. Whatever cadence you choose, document it in your ISMS procedures and stick to it. Auditors will ask when the last review happened and compare that against your stated cadence.

Required inputs

Clause 9.3.2 lists the inputs the review must consider. A complete management review agenda covers:

  • Status of actions from previous management reviews. Which decisions were executed, which are still in progress, which were dropped and why.
  • Changes in external and internal issues relevant to the ISMS. Regulatory shifts, new customers with different requirements, major technology changes, organizational restructuring.
  • Feedback on information security performance. Metrics on incidents, control effectiveness, training completion, phishing simulation results, patch compliance.
  • Feedback from interested parties. Customer security questionnaires, regulatory feedback, auditor observations from external parties.
  • Results of risk assessment and risk treatment plan status. Changes to the risk assessment, new risks identified, status of risk treatments.
  • Opportunities for continual improvement. Ideas surfaced from internal continual improvement efforts, staff suggestions, or industry changes.
  • Nonconformities and corrective actions. Status of open and closed nonconformities and corrective actions.
  • Monitoring and measurement results. KPIs tracked against the ISMS.
  • Audit results. Findings from the internal audit programme, plus any external audit findings.
  • Fulfillment of information security objectives. Progress against the measurable objectives set under Clause 6.2.

Not every input needs to be a deep dive at every review. A quarterly cycle might rotate focus, while the annual review covers everything. What auditors want to see is evidence that over the course of your review cycle, every input was considered.

Required outputs

Clause 9.3.3 requires outputs related to continual improvement opportunities and any changes needed in the ISMS. Documented outputs typically include:

  • Decisions. Specific, assigned, time-bound decisions. "We will increase the security engineering headcount by one in Q3 2026" is a decision. "Security is important" is not.
  • Changes to the ISMS. Updates to scope, policies, controls, or procedures.
  • Resource commitments. Budget, headcount, or tooling decisions.
  • Updated information security objectives. Revised or reaffirmed objectives for the next period.
  • Acknowledged risks. Risks that leadership has reviewed and accepted.

The management review output is often the strongest evidence auditors use to confirm that top management is genuinely engaged with the ISMS. Vague outputs signal a rubber-stamp review and invite deeper questioning.

Who attends

Top management means people with the authority to allocate resources and change organizational direction. In a small technology company this is typically the CEO, CTO, and COO. In a larger organization it may be a dedicated information security committee chaired by the CISO and including department heads with revenue, product, legal, and operations responsibility.

Supporting roles such as the ISMS owner, compliance lead, internal audit lead, and risk manager usually present material. Their attendance is expected, but they cannot substitute for the actual decision-makers. A management review where no one with budget authority is present will not satisfy Clause 9.3.

Documentation expectations

The review must produce documented information as evidence. At a minimum, retain:

  • Meeting minutes or a review report capturing inputs discussed, participants, and outputs.
  • A record of attendees including roles, to demonstrate top management participation.
  • Supporting materials such as metrics dashboards, audit reports, and risk updates presented at the review.
  • Action logs tracking decisions to closure.

Minutes should be specific enough that an outside reader can reconstruct what was considered and decided. "Discussed risk" is not enough. "Reviewed residual risk on vendor management, noting three vendors with overdue annual reviews. Decision: reassign vendor review owner by April 30 and complete reviews by May 31. Owner: CTO." is the right level of detail.

How this fits into your ISMS

Management review sits inside Clause 9 (Performance Evaluation) alongside monitoring, measurement, analysis, evaluation, and internal audit. It is the moment where all of those inputs converge and leadership formally acts on them. Without management review, the rest of Clause 9 produces information but no decisions.

Management review is also a critical bridge into Clause 10 (Improvement). Outputs feed directly into nonconformity handling and continual improvement. For first-time certifiers, at least one management review with complete inputs and outputs must be documented before Stage 2 of the certification process.

Common pitfalls

  • Running the meeting but not documenting it. Verbal commitments do not satisfy ISO 27001. If it is not in the minutes, it did not happen.
  • Skipping inputs. Omitting risk assessment results or audit findings from the agenda will surface as a nonconformity.
  • No top management in the room. Delegating the entire review to the security team invalidates it as a management review.
  • Repeating the same outputs every cycle. Outputs should evolve as the ISMS matures. Identical decisions year after year suggest the review is ceremonial.
  • Treating the review as a report-out, not a decision forum. The purpose is to decide, not to inform.
  • Holding the review too close to the certification audit. Auditors want to see the review in normal operating cadence, not a one-time event manufactured for audit preparation.

How episki helps

episki generates the management review pack automatically from your control graph, risk register, audit findings, and metrics, so the ISMS owner is not spending a week assembling slides every quarter. Decisions made during the review are captured as tracked actions with owners and due dates, and the full review record is retained as documented information ready for external auditors.

Return to the ISO 27001 framework overview for how management review connects to the rest of the ISMS lifecycle.