In this guide, I will show you exactly how to implement ISO 27001 Clause 9.3 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Clause 9.3 Management Review
ISO 27001 Clause 9.3 requires top management to review the organization’s Information Security Management System (ISMS) at planned intervals. This is the Governance layer of ISO 27001. It is not enough for the IT team to just “do security”; senior leadership must actively review performance, approve resources, and make strategic decisions to ensure the ISMS remains suitable, adequate, and effective. If you cannot prove that leadership is reviewing these specific inputs, you will fail the audit.
Core requirements for compliance include:
- Fixed Agenda: The standard mandates specific “Inputs” that must be discussed. You cannot just have a general chat about security; you must cover the exact list defined in Clause 9.3.2.
- Planned Intervals: Reviews must happen at planned, regular intervals. The standard does not specify a frequency; quarterly or monthly reviews are best practice to demonstrate active oversight (annual reviews are often considered insufficient for dynamic environments).
- Documented Minutes: The “Outputs” of the meeting (decisions and actions) must be documented. If there are no minutes, the meeting technically “didn’t happen” in the eyes of an auditor.
- Required Attendees: The standard places the review with Top Management (e.g., CEO, COO, or Board Member). In practice the meeting should also include the Information Security Manager and key department heads so that each mandatory input can be answered first-hand rather than delegated.
- Decision Making: The review isn’t just for information sharing; it must result in decisions regarding resource allocation, risk acceptance, and continual improvement opportunities.
Audit Focus: Auditors will look for “The Governance Evidence”:
- The Minutes: “Show me the minutes from your last three Management Review meetings. Do they explicitly cover all the mandatory inputs like ‘Internal/External Issues’ and ‘Risk Treatment Status’?”
- Attendance Records: “Did the CEO or a designated Senior Leader actually attend, or did they delegate it to a junior manager?”
- Action Tracking: “In the previous meeting, you raised an issue about insufficient budget for training. Show me the decision made in this meeting to address that.”
Mandatory Agenda Checklist (Audit Prep):
| Clause 9.3.2 Input | What to discuss? | Example Evidence |
| --- | --- | --- |
| Status of Actions | Did we do what we said last time? | “Action Item 3: Closed.” |
| Internal/External Issues | What changed? (Laws, Market, Tech). | “New AI Regulation introduced.” |
| Performance Feedback | Metrics, Audits, & Nonconformities. | “0 Major NCs in Internal Audit.” |
| Interested Parties | What do customers/partners want? | “Client X requires SOC 2.” |
| Risk Assessment | Is the Risk Treatment Plan working? | “Risk #4 reduced to ‘Low’.” |
| Improvement | What can we do better? | “Budget approved for new Firewall.” |
Table of contents
- ISO 27001 Management Review
- What is ISO27001 Clause 9.3?
- Watch the Tutorial
- Implementation Guide
- Implementation Checklist
- ISO 27001 Management Review Template
- What the auditor will check
- Audit Checklist
- Common Mistakes
- Fast Track ISO 27001 Clause 9.3 Compliance with the ISO 27001 Toolkit
- ISO 27001 Clause 9.3 FAQ
- Related ISO 27001 Controls
- Further Reading
ISO 27001 Management Review
ISO 27001 Management Review requires an organisation to conduct a Management Review Meeting at regular, planned intervals and to follow a structured, defined agenda. By doing this we can ensure we have an effective information security management system that is achieving its intended outcomes.
The requirement is that the management review:
- Reviews the status of actions from previous management reviews
- Records changes in external and internal issues that are relevant to the information security management system
- Records changes in needs and expectations of interested parties that are relevant to the information security management system
- Reviews the information security performance
- Reviews the fulfilment of information security objectives
- Takes account of feedback from interested parties
- Oversees the results of risk assessment and status of risk treatment plan
- Reviews opportunities for continual improvement
What is ISO27001 Clause 9.3?
The purpose of clause 9.3 is to ensure that you have management oversight of the information security management system and that you have documentary evidence to support it.
In the 2022 revision the wording of this clause was tidied up and split into three separate sub-clauses.
ISO 27001:2022 Clause 9.3.1 General
Top management shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
ISO 27001:2022 Clause 9.3.2 Management Review Inputs
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) changes in needs and expectations of interested parties that are relevant to the information security management system;
d) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan;
g) opportunities for continual improvement.
ISO 27001:2022 Clause 9.3.3 Management Review Results – New clause
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.
ISO 27001:2022 Changes to ISO 27001 Clause 9.3
Nothing significant changed in ISO 27001 Clause 9.3 Management Review in the 2022 update. The changes are to wording and layout only: rather than a single clause, the requirements are now presented as three sub-clauses (9.3.1 General, 9.3.2 Inputs, 9.3.3 Results) for clarity. The inputs you must cover and the evidence you must keep are the same.
Watch the Tutorial
In the ISO 27001 tutorial How to implement ISO 27001 Clause 9.3 Management Review | Step-by-Step Guide I show you how to implement it and pass the audit.
Implementation Guide
There are many ways to conduct management reviews.
Follow the culture of your organisation on how you conduct meetings. They can be remote or in person; what matters to the auditor is that they are planned, attended by the right people, follow the defined agenda and are minuted.
For detailed step by step guidance read – How to conduct an ISO 27001 Management Review Meeting
Time needed: 1 hour and 30 minutes
How to implement ISO 27001 Clause 9.3 Management Review
- Decide who will attend the ISO 27001 Management Review Meeting
The management review team should include the information security manager, at least one member of the senior leadership team (top management) and a representative from each in-scope department. Document the membership in your roles and responsibilities documentation and make sure the members are added to the competency matrix.
- Create your meeting agenda and book your meetings
Create your ISO 27001 Management Review Meeting agenda based on the requirements of the standard, including all mandatory topics.
- Schedule your ISO 27001 Management Review Meetings for the year
Forward plan and schedule your meetings for the year.
- Conduct your meetings keeping minutes
Conduct your ISO 27001 Management Review Meetings and be sure to minute and keep copies of minutes.
Implementation Checklist
Management Review ISO 27001 Clause 9.3 Implementation Checklist
1. Plan the Review
Decide when and how often to hold management reviews. Set a regular schedule.
Challenge
Finding time for reviews can be tough. Reviews can become routine and lose their value.
Solution
Schedule reviews well in advance. Make them a priority. Keep them focused and efficient.
2. Define the Agenda
Make a clear list of topics to cover in each review. Focus on key issues.
Challenge
Agendas can become too long and unfocused. Important topics may be missed.
Solution
Keep agendas concise and relevant. Prioritise key performance indicators and risks. Get input from different teams.
3. Gather Information
Collect data and reports to inform the review. Have the facts ready.
Challenge
Gathering data can be time-consuming. Hard to make sense of large amounts of data.
Solution
Automate data collection where possible. Use clear charts and graphs. Focus on key metrics and trends.
4. Conduct the Review
Hold the management review meeting. Discuss the key issues and make decisions.
Challenge
Reviews can become dominated by a few people. Decisions may be delayed or not followed up.
Solution
Encourage everyone to participate. Keep discussions focused and productive. Document decisions clearly.
5. Review ISMS Performance
Assess how well the ISMS is working. Are the controls effective?
Challenge
Hard to be objective about performance. People may be defensive about their work.
Solution
Use clear performance indicators. Focus on learning and improvement. Be honest about strengths and weaknesses.
6. Review Risk Treatment
Check if risk treatments are working. Are risks being managed effectively?
Challenge
Risk treatments can become outdated. New risks may emerge.
Solution
Regularly review risk assessments and treatment plans. Adapt to changes in the threat landscape.
7. Consider Internal and External Issues
Consider any changes in internal issues (e.g., reorganisations, new systems) and external issues (e.g., new legislation, changes in the threat landscape) that might affect the ISMS.
Challenge
Hard to keep track of all the changes. External factors can be unpredictable.
Solution
Monitor industry trends and regulatory changes. Conduct regular environmental scans.
8. Review Improvement Opportunities
Look for ways to improve the ISMS. Are there any gaps or weaknesses?
Challenge
People may resist change. Hard to prioritise improvement activities.
Solution
Encourage a culture of continual improvement. Focus on areas with the biggest potential impact.
9. Document the Review
Keep clear records of the management review meeting, including decisions and actions.
Challenge
Documenting everything can be time-consuming. Hard to keep records organised.
Solution
Use a simple meeting minutes template. Store records centrally. Keep documentation clear and concise.
10. Follow Up on Actions
Make sure that any agreed actions are taken and are effective.
Challenge
It’s easy to forget about follow-up. Actions may not be implemented properly.
Solution
Set deadlines for actions. Track progress and report on it. Verify that actions have achieved the desired results.
ISO 27001 Management Review Template
The ISO 27001 Management Review Template provides an agenda that covers every mandatory input in Clause 9.3.2 and comes with a detailed step-by-step guide on how to do a management review.
What the auditor will check
The auditor is going to check a number of areas for compliance with Clause 9.3. Let's go through them.
1. That roles are defined and assigned
The auditor will look for evidence that you have defined the roles for the management review team. They will want to see representation for the in-scope areas. For best practice they will be looking for one representative from each in-scope department, at least one member of senior leadership, and a named deputy for each member so the review still happens when someone is unavailable.
2. That management meetings have happened and are planned
They will be looking to see that management reviews have taken place and that future management reviews are planned in. It is likely to be the case that they will look for calendar entries and also, most important of all, they are looking for minutes and documentation of those management reviews.
Audit Checklist
Management Review ISO 27001 Clause 9.3 Audit Checklist
1. Review Meeting Frequency
Verify that management reviews are conducted at planned intervals.
Audit Technique
Examine the documented schedule for management reviews and compare it against actual meeting dates. Check attendance records to confirm participation.
2. Check Agenda Completeness
Ensure the management review agenda covers all required inputs specified in the standard.
Audit Technique
Review past management review agendas and compare them against the requirements of ISO 27001 clause 9.3. Look for inclusion of topics like ISMS performance, risk treatment effectiveness, and interested party feedback.
3. Examine Input Information
Confirm that relevant and up-to-date information is used as input to the management review.
Audit Technique
Review the reports, data, and other information used in the management review. Check for accuracy, relevance, and timeliness. Examples include performance reports, audit findings, and risk assessments.
4. Verify Management Participation
Ensure that top management actively participates in the management review process.
Audit Technique
Review attendance records for management review meetings. Interview top management personnel to gauge their involvement and understanding of the ISMS.
5. Review Meeting Minutes
Check that meeting minutes are accurate, comprehensive, and record key decisions and actions.
Audit Technique
Examine minutes from past management review meetings. Verify that they clearly document discussions, decisions made, and assigned actions.
6. Assess ISMS Performance Review
Confirm that the management review includes a thorough assessment of the ISMS’s performance against its objectives.
Audit Technique
Review performance reports and metrics presented during the management review. Check for evidence of analysis and evaluation of ISMS effectiveness.
7. Evaluate Risk Treatment Review
Verify that the effectiveness of risk treatments is reviewed and discussed during the management review.
Audit Technique
Examine records of risk assessments, risk treatment plans, and any changes made to them as a result of the management review.
8. Check Consideration of Internal/External Issues
Ensure that internal and external issues relevant to the ISMS are considered during the review.
Audit Technique
Review meeting minutes and other documentation to confirm that internal issues (e.g., organisational changes) and external issues (e.g., new legislation) are discussed and their potential impact on the ISMS is assessed.
9. Verify Action Follow-up
Confirm that actions arising from management reviews are tracked, implemented, and their effectiveness verified.
Audit Technique
Review action logs, implementation records, and any follow-up reviews conducted to assess the effectiveness of corrective actions.
10. Examine Record Keeping
Ensure that records of management reviews, including minutes, reports, and action plans, are maintained and readily accessible.
Audit Technique
Check the organisation’s document management system for the presence and accessibility of management review records. Verify that they are stored securely and for the required retention period.
Common Mistakes
In my experience, the top 4 mistakes people make for ISO 27001 Management Review are:
- Not having minutes or documentation of management reviews happening
- People, including deputies, not attending management review meetings
- No planning ahead to evidence that reviews will happen in the future
- Not following the structured, defined agenda, with no evidence in the minutes that the mandatory agenda items were covered.
Fast Track ISO 27001 Clause 9.3 Compliance with the ISO 27001 Toolkit
For ISO 27001 Clause 9.3 (Management review), the requirement is that top management must review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. This is a mandatory “top-down” clause that requires a structured agenda covering everything from previous action items to audit results and risk assessment status.
While SaaS compliance platforms often try to sell you “meeting modules” or complex “leadership dashboards,” they cannot actually be your senior management or make strategic decisions about business risk; those are human leadership and governance tasks. The High Table ISO 27001 Toolkit is the logical choice because it provides the governance framework you need without a recurring subscription fee.
1. Ownership: You Own Your Management Records Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your management review agenda and store your meeting minutes inside their proprietary system, you are essentially renting your own leadership history.
- The Toolkit Advantage: You receive the Management Review Team Meeting Agenda Template in fully editable Word formats. These files are yours forever. You maintain permanent ownership of your records (such as your unique history of leadership decisions), ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for Real-World Meetings
Clause 9.3 is about oversight and evidence. You don’t need a complex new software interface to manage what a well-structured Word agenda and a regular calendar invite already do perfectly.
- The Toolkit Advantage: Your senior team already knows how to run meetings. What they need is the governance layer, the specific mandatory agenda items required by the ISO standard, to prove to an auditor that they are actively governing the ISMS. The Toolkit provides pre-written, auditor-approved agendas that formalise your existing meetings into a compliant framework, without forcing your leadership team to learn a new software platform just to sign off on a risk plan.
3. Cost: A One-Off Fee vs. The “Governance” Tax
Many compliance SaaS platforms charge more based on the number of “users” or “leadership seats” you have. For a clause that requires broad involvement from senior management, these monthly costs can scale aggressively for very little added value.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you have 3 or 30 managers in the review meeting, the cost of your Management Review Documentation remains the same. You save your budget for actual security improvements rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Leadership Strategy
SaaS tools often mandate specific ways to report on and monitor “management review.” If their system doesn’t match your organization’s unique meeting culture or specialized reporting needs, the tool becomes a bottleneck to true leadership engagement.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Review Procedures to match exactly how you operate, whether you use formal monthly board meetings or lean, quarterly remote check-ins. You maintain total freedom to evolve your governance strategy without being constrained by the technical limitations of a rented SaaS platform.
Summary: For Clause 9.3, the auditor wants to see that meetings are planned, attended by the right people, and followed a structured agenda with recorded minutes. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Clause 9.3 FAQ
ISO 27001 Clause 9.3 Management Review requires an organisation to hold a regular management review meeting that follows the structure and requirements of the ISO 27001 standard.
ISO 27001 Clause 9.3 Management Review compliance is evidenced by having Management Review Meetings scheduled throughout the year and evidence that meetings have occurred, with meeting minutes available.
You can download ISO 27001 Clause 9.3 Management Review in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 9.3 Management Review can be found in the ISO 27001 Toolkit.
The standard only requires management reviews at planned intervals. In practice, hold ISO 27001 management reviews monthly; if you cannot, hold them at least once every 3 months.
The information security manager ensures that the meeting takes place. The meeting is attended by the information security manager, senior leadership representative and representatives from each department in the organisation.
Management reviews are reported to the senior leadership team.
If you do not do ISO 27001 management reviews and minute them then you will not achieve ISO 27001 certification. In addition your management system will not operate as intended and will not be effective.
Related ISO 27001 Controls
ISO 27001 Understanding The Organisation And Its Context: Clause 4.1
ISO 27001 Understanding The Needs And Expectations of Interested Parties: Clause 4.2
ISO 27001 Continual Improvement: Clause 10.1
ISO 27001 Management Responsibilities: Annex A 5.4
ISO 27001 Organisational Roles, Responsibilities and Authorities: Clause 5.3
ISO 27001 Information Security Risk Treatment: Clause 8.3