ISO 27001 Clause 9.3 Management Review is a critical governance requirement necessitating that top management evaluates the ISMS at planned intervals. The primary implementation requirement focuses on reviewing specific mandatory inputs and outputs, providing the business benefit of ensuring information security remains suitable, adequate, and strategically effective.
In this guide, I will show you exactly how to implement ISO 27001 Clause 9.3 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Clause 9.3 Management Review
ISO 27001 Clause 9.3 requires top management to review the organization’s Information Security Management System (ISMS) at planned intervals. This is the Governance layer of ISO 27001. It is not enough for the IT team to just “do security”; senior leadership must actively review performance, approve resources, and make strategic decisions to ensure the ISMS remains suitable, adequate, and effective. If you cannot prove that leadership is reviewing these specific inputs, you will fail the audit.
Core requirements for compliance include:
- Fixed Agenda: The standard mandates specific “Inputs” that must be discussed. You cannot just have a general chat about security; you must cover the exact list defined in Clause 9.3.2.
- Planned Intervals: Reviews must happen regularly. While the standard doesn’t specify a frequency, Quarterly or Monthly is best practice to demonstrate active oversight (Annual reviews are often considered insufficient for dynamic environments).
- Documented Minutes: The “Outputs” of the meeting (decisions and actions) must be documented. If there are no minutes, the meeting technically “didn’t happen” in the eyes of an auditor.
- Required Attendees: The meeting must be attended by Top Management (e.g., CEO, COO, or Board Member), the Information Security Manager, and key department heads.
- Decision Making: The review isn’t just for information sharing; it must result in decisions regarding resource allocation, risk acceptance, and continual improvement opportunities.
Audit Focus: Auditors will look for “The Governance Evidence”:
- The Minutes: “Show me the minutes from your last three Management Review meetings. Do they explicitly cover all the mandatory inputs like ‘Internal/External Issues’ and ‘Risk Treatment Status’?”
- Attendance Records: “Did the CEO or a designated Senior Leader actually attend, or did they delegate it to a junior manager?”
- Action Tracking: “In the previous meeting, you raised an issue about insufficient budget for training. Show me the decision made in this meeting to address that.”
Mandatory Agenda Checklist (Audit Prep):
| Clause 9.3.2 Input | What to discuss? | Example Evidence |
|---|---|---|
| Status of Actions | Did we do what we said last time? | “Action Item 3: Closed.” |
| Internal/External Issues | What changed? (Laws, Market, Tech). | “New AI Regulation introduced.” |
| Performance Feedback | Metrics, Audits, & Nonconformities. | “0 Major NCs in Internal Audit.” |
| Interested Parties | What do customers/partners want? | “Client X requires SOC 2.” |
| Risk Assessment | Is the Risk Treatment Plan working? | “Risk #4 reduced to ‘Low’.” |
| Improvement | What can we do better? | “Budget approved for new Firewall.” |
Table of contents
- ISO 27001 Management Review
- What is ISO27001 Clause 9.3?
- Watch the ISO 27001 Clause 9.3 Tutorial
- Implementation Guide
- How to implement ISO 27001 Clause 9.3
- ISO 27001 Clause 9.3 Implementation Checklist
- ISO 27001 Management Review Template
- How to audit ISO 27001 Clause 9.3
- What the auditor will check
- ISO 27001 Clause 9.3 Audit Checklist
- Top 4 ISO 27001 Clause 9.3 Mistakes and How to Fix Them
- Fast Track ISO 27001 Clause 9.3 Compliance with the ISO 27001 Toolkit
- ISO 27001 Clause 9.3 Mapped to other standards and Laws
- The CEO Audit Defense Script: How to Brief Your Leadership
- Advanced Benchmarking Metrics: The 110% Clause 9.3 Dashboard
- The Future of Clause 9.3: Integrating AI Governance (ISO 42001)
- The Ultimate ISO 27001 Annual Governance Calendar
- ISO 27001 Clause 9.3 FAQ
- Related ISO 27001 Controls
- Further Reading
ISO 27001 Management Review
ISO 27001 Management Review requires an organisation to conduct a Management Review Meeting at regular intervals and to follow a structured, defined agenda. By doing this we can ensure we have an effective information security management system that is achieving its intended outcomes.
The requirement is that the management review:
- Reviews the status of actions from previous management reviews
- Records changes in external and internal issues that are relevant to the information security management system
- Records changes in needs and expectations of interested parties that are relevant to the information security management system
- Reviews the information security performance
- Ensures the fulfilment of information security objectives
- Takes account of feedback from interested parties
- Oversees the results of risk assessment and status of risk treatment plan
- Reviews opportunities for continual improvement
What is ISO27001 Clause 9.3?
The purpose of clause 9.3 is to ensure that you have management oversight of the information security management system and that you have documentary evidence to support it.
In the 2022 revision, the wording of this clause has been reorganised and moved into three new, separate sub-clauses.
ISO 27001:2022 Clause 9.3.1 General
Top management shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
ISO 27001:2022 Clause 9.3.1 General
ISO 27001:2022 Clause 9.3.2 Management Review Inputs
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) changes in needs and expectations of interested parties that are relevant to the information security management system;
d) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives;
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan;
g) opportunities for continual improvement.
ISO 27001:2022 Clause 9.3.2 Management Review Inputs
ISO 27001:2022 Clause 9.3.3 Management Review Results – New clause
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. Documented information shall be available as evidence of the results of management reviews.
ISO 27001:2022 Clause 9.3.3 Management Review Results
ISO27001:2022 Changes to ISO 27001 Clause 9.3
In the transition from the 2013 version to ISO 27001:2022, the most immediate change to Clause 9.3 (Management Review) is its expansion and restructuring into three distinct sub-sections. Previously, Clause 9.3 was a single block of requirements. It has now been divided into 9.3.1 (General), 9.3.2 (Management review inputs), and 9.3.3 (Management review results).
While the core intent (ensuring top management remains engaged in the ISMS) remains identical, the 2022 update introduces a critical new “input” requirement. Specifically, it now mandates that management must review changes in the “needs and expectations of interested parties” that are relevant to the ISMS. This aligns the clause with the Harmonised Structure (HS), ensuring that the management review is not just looking inward at audits and risks, but outward at the shifting requirements of clients, regulators, and partners.
| Feature | ISO 27001:2013 (Old Standard) | ISO 27001:2022 (Current Standard) |
|---|---|---|
| Structure | A single, unified Clause 9.3. | Sub-divided into 9.3.1 (General), 9.3.2 (Inputs), and 9.3.3 (Results). |
| New Mandatory Input | Not explicitly required as a standalone review item. | 9.3.2 (c): Requires specific review of changes in the needs and expectations of interested parties. |
| Input Grouping | Inputs listed in a single bulleted list. | Inputs are now clearly categorised to distinguish between performance trends and context changes. |
| Output Clarity | Required “decisions and actions” regarding the ISMS. | Refined in 9.3.3 to emphasise that decisions must relate to the continual improvement of the ISMS and any necessary changes. |
| Alignment | Standard ISO structure. | Fully aligned with the Harmonised Structure (HS), making it easier to integrate with ISO 9001 or ISO 22301 reviews. |
Watch the ISO 27001 Clause 9.3 Tutorial
In the ISO 27001 tutorial How to implement ISO 27001 Clause 9.3 Management Review | Step-by-Step Guide I show you how to implement it and pass the audit.
Implementation Guide
There are many ways to conduct management reviews.
Follow the culture of your organisation on how you conduct meetings: they can be remote or in person. It is best to follow the established meeting practice of your organisation.
For detailed step by step guidance read – How to conduct an ISO 27001 Management Review Meeting
Time needed: 1 hour and 30 minutes.
How to implement ISO 27001 Clause 9.3 Management Review
- Decide who will attend the ISO 27001 Management Review Meeting
Decide who will attend the ISO 27001 management review team meetings. It should include the information security manager, a member of the senior leadership team and members from each department in the organisation. This should then be documented in your roles and responsibilities documentation. Make sure that the members are added to the competency matrix.
- Create your meeting agenda and book your meetings
Create your ISO 27001 Management Review Meeting agenda based on the requirements of the standard, including all mandatory topics.
- Schedule your ISO 27001 Management Review Meetings for the year
Forward plan and schedule your meetings for the year.
- Conduct your meetings keeping minutes
Conduct your ISO 27001 Management Review Meetings and be sure to minute and keep copies of minutes.
How to implement ISO 27001 Clause 9.3
Implementing ISO 27001 Clause 9.3 requires a structured approach to executive governance. As a Lead Auditor, I recommend following this action-orientated framework to ensure your management reviews move beyond a simple meeting and become a powerful driver for your Information Security Management System (ISMS).
1. Establish the Governance Review Cycle
Provision a formal schedule for your management reviews at planned intervals: Although most organisations opt for an annual review, high-growth firms should consider quarterly sessions to maintain alignment with rapid business changes. This step ensures you meet the mandatory timing requirements of Clause 9.3.1.
- Define the frequency based on the complexity of your risk landscape.
- Integrate the dates into the corporate governance calendar.
2. Identify the Executive Review Board
Designate the specific members of Top Management required to attend: You must include individuals with the authority to allocate budget and approve strategic security changes. This often includes the CEO, CTO, and Lead ISO 27001 Auditor or Information Security Manager.
- Ensure all participants understand their accountability for the ISMS.
- Define deputy roles to maintain continuity if primary members are unavailable.
3. Formalise the Standardised Agenda
Construct a meeting agenda that maps directly to the mandatory inputs of Clause 9.3.2: You must cover previous action items, changes in internal and external issues, and feedback on information security performance. Using a standardised template prevents the omission of critical audit evidence.
- Include a review of the Information Security Policy and Objectives.
- Address feedback from interested parties, including clients and regulators.
4. Consolidate Monitoring and Measurement Data
Aggregate technical performance data from your security controls: This includes uptime statistics, MFA adoption rates, and IAM log reviews. Presenting quantified data allows management to make objective decisions rather than relying on anecdotal evidence.
- Extract reports from your Asset Register and risk management tools.
- Summarise the status of technical vulnerabilities and patch management.
5. Summarise Risk and Audit Intelligence
Collate findings from recent Internal Audits and the current Risk Treatment Plan: Management needs a clear view of any non-conformities and the effectiveness of current mitigations. This information identifies where the ISMS is failing to meet its intended outcomes.
- List all open corrective actions and their current status.
- Highlight any significant shifts in the threat landscape.
6. Execute the Strategic Review Meeting
Facilitate the meeting with a focus on strategic decision-making: Avoid getting bogged down in minor technical details. The goal is for Top Management to assess the suitability and adequacy of the ISMS in its current form.
- Follow the pre-defined agenda strictly to ensure compliance.
- Encourage active participation and challenge from the leadership team.
7. Identify Continual Improvement Opportunities
Formalise decisions on where the ISMS needs to evolve: This is a direct requirement of Clause 9.3.3. You must identify specific opportunities to enhance security, whether through new technology, improved processes, or increased training.
- Document ideas for improving the maturity of the ISMS.
- Prioritise improvements based on their impact on residual risk.
8. Authorise Resource Provisioning
Approve the allocation of resources required to maintain and improve the ISMS: This includes personnel, budget for security tools, and time for staff training. Management must explicitly sign off on these requirements to satisfy auditors.
- Link budget requests directly to identified risks or performance gaps.
- Confirm that the Information Security Manager has sufficient authority.
9. Generate Compliant Documented Information
Record formal minutes that serve as objective evidence of the review: Your minutes must document every decision made and every input discussed. Auditors will look for these records as the primary proof of leadership commitment.
- Ensure minutes are stored securely and are easily accessible for audits.
- Include an attendee list and a summary of all authorised actions.
10. Close the Governance Loop
Assign and track all action items resulting from the review: Every decision must have a clear owner and a deadline for completion. Tracking these through to closure ensures that the management review actually results in improved security posture.
- Update the Corrective Action Log with items from the review.
- Report on the status of these actions at the next scheduled meeting.
ISO 27001 Clause 9.3 Implementation Checklist
Management Review ISO 27001 Clause 9.3 Implementation Checklist
| Implementation Step | Key Challenge | Auditor-Approved Solution |
|---|---|---|
| 1. Plan the Review: Establish a regular schedule and planned intervals. | Finding executive time; reviews becoming a routine “tick-box” exercise. | Schedule well in advance. Prioritise as a mandatory governance obligation to maintain certification. |
| 2. Define the Agenda: Map topics to mandatory standard requirements. | Unfocused agendas that miss critical ISO 27001:2022 input requirements. | Use a concise, structured template covering KPIs, risks, and stakeholder feedback. |
| 3. Gather Information: Collect evidence-based reports and facts. | Manual data collection is time-consuming and prone to human error. | Automate metrics where possible. Use clear visualisations to highlight trends and non-conformities. |
| 4. Conduct the Review: Facilitate discussion and executive decision-making. | Domination by single voices; delayed decisions on ISMS changes. | Ensure cross-functional participation. Formally document all decisions and assigned action owners. |
| 5. Review ISMS Performance: Objectively assess control effectiveness. | Defensiveness regarding security failures; lack of objective measurement. | Base reviews on predefined security objectives and quantitative performance indicators. |
| 6. Review Risk Treatment: Verify that identified risks are being mitigated. | Treatments becoming outdated; emergence of novel threats (e.g., AI risks). | Regularly refresh risk assessments to ensure alignment with the current threat landscape. |
| 7. Internal & External Issues: Scan for environmental and regulatory shifts. | Difficulty tracking rapid legislative changes (e.g., DORA, NIS2, or the UK Data Act). | Perform regular environmental scans and monitor industry-specific regulatory updates. |
| 8. Improvement Opportunities: Identify gaps for continual improvement. | Cultural resistance to change; difficulty prioritising security investments. | Foster a “no-blame” culture focused on maturity. Prioritise items with the highest risk impact. |
| 9. Document the Review: Maintain “documented information” as evidence. | Administrative burden; fragmented or inaccessible records. | Use a central ISMS document repository with standardised minute formats. |
| 10. Follow Up on Actions: Verify the closure of management decisions. | Loss of momentum; actions implemented poorly or forgotten entirely. | Establish clear deadlines. Track implementation progress in a formal Action Log. |
ISO 27001 Management Review Template
The ISO 27001 Management Review Template is the mandatory ISO 27001 Management Review agenda and comes with a detailed step-by-step guide on how to do a management review.
How to audit ISO 27001 Clause 9.3
As a Lead Auditor, I perform the management review audit to ensure that leadership is not just “attending a meeting” but actively governing the Information Security Management System (ISMS). This audit process verifies that every mandatory input and output required by the standard is evidenced through documented information and strategic decision-making.
1. Verify the Defined Review Frequency
Audit the organisation’s schedule for management reviews to ensure they occur at planned intervals: The auditor will compare the internal ISMS policy against actual meeting dates to confirm that reviews happen as frequently as the risk landscape requires. A failure to meet the planned frequency constitutes a non-conformity in governance.
- Check the ISMS Governance Calendar for planned dates.
- Compare the policy requirements (e.g. annual or quarterly) against historical records.
2. Validate Top Management Attendance
Inspect attendee logs and minutes to confirm the presence of Top Management: The auditor verifies that individuals with the authority to allocate resources, such as those with executive IAM roles or budgetary control, were present. Participation by deputies is only acceptable if they hold formalised delegated authority for strategic risk decisions.
- Review the organisation chart against the meeting attendee list.
- Ensure the Information Security Manager and relevant department heads are represented.
3. Audit the Status of Previous Actions
Evaluate the progress of decisions made in prior management reviews to ensure continuity: I look for evidence that action items from the last meeting were tracked to closure or appropriately carried forward. This demonstrates that the management review is an ongoing cycle rather than a disconnected event.
- Review the “Previous Actions” section of the current meeting minutes.
- Cross-reference closed items with evidence of implementation in the Asset Register or Risk Treatment Plan.
4. Inspect Internal and External Issue Reviews
Examine the minutes for evidence that leadership discussed changes in context: The auditor looks for specific mentions of new legislation, such as the UK Data (Use and Access) Bill or NIS2, and internal changes like new office locations or remote working policies. This confirms the ISMS remains suitable for the current operating environment.
- Search for discussions regarding regulatory, technological, or market shifts.
- Verify that the ISMS scope remains adequate following these changes.
5. Analyse Information Security Performance Trends
Analyse the data presented to management regarding non-conformities, monitoring results, and audit findings: Leadership must review objective data, such as MFA adoption rates or the number of blocked cyberattacks, to assess ISMS effectiveness. I look for evidence that management questioned poor performance or celebrated objective achievements.
- Examine reports on security incidents and their resolution times.
- Validate that internal audit results were formally presented and understood by the board.
6. Evaluate Feedback from Interested Parties
Confirm that the review included an assessment of stakeholder needs and expectations: The auditor checks for evidence that customer security requirements, legal obligations, and partner concerns were addressed. This ensures the ISMS aligns with the external commitments made by the organisation.
- Check for records of customer security questionnaires or third-party audit requests.
- Verify that legal and regulatory compliance registers were reviewed for updates.
7. Cross-Reference Risk Assessment Results
Audit the discussion regarding the current risk profile and the status of the Risk Treatment Plan: Management must review the results of recent risk assessments to ensure that residual risks remain within the organisation’s appetite. I verify that the board has formally “accepted” the current risk posture.
- Check for evidence that high-risk items were specifically debated.
- Ensure the risk treatment effectiveness was evaluated by the leadership team.
8. Assess Resource Adequacy Decisions
Identify formal decisions regarding the provision of resources, including budget, personnel, and technology: The auditor looks for “Outputs” in the minutes where management authorised specific spending or headcount to address security gaps. A lack of resource discussion is a common indicator of a perfunctory review.
- Review the minutes for approved budget allocations for security tools like MFA or encryption.
- Verify that the Information Security Manager has sufficient time and authority to perform their role.
9. Formalise Continual Improvement Opportunities
Confirm that management identified and authorised specific opportunities for ISMS enhancement: Clause 9.3.3 requires decisions on improvement. I look for a list of projects or process changes intended to increase the maturity of the security framework over the coming cycle.
- Inspect the improvement log for entries originating from the management review.
- Verify that these improvements are linked to performance data or audit findings.
10. Confirm Documented Information Retention
Audit the storage and accessibility of the management review records: Finally, I verify that the minutes are stored securely, version-controlled, and available for the required retention period. These records are the primary evidence of the “Check” and “Act” phases of the PDCA cycle.
- Ensure minutes are signed or formally approved by the chairperson.
- Verify that the Record of Evidence (ROE) document is complete and audit-ready.
What the auditor will check
The auditor is going to check a number of areas for compliance with Clause 9.3. Let's go through them.
1. That roles are defined and assigned
The auditor will look for evidence that you have defined the roles for the management review team. They will want to see representation for the in-scope areas. As best practice, they will be looking for one representative from each in-scope department, at least one member of senior leadership, and deputies for everyone.
2. That management meetings have happened and are planned
They will be looking to see that management reviews have taken place and that future management reviews are planned in. It is likely to be the case that they will look for calendar entries and also, most important of all, they are looking for minutes and documentation of those management reviews.
ISO 27001 Clause 9.3 Audit Checklist
Management Review ISO 27001 Clause 9.3 Audit Checklist
| Checklist Item | Audit Requirement | Audit Technique |
|---|---|---|
| 1. Review Meeting Frequency | Verify that management reviews are conducted at planned intervals. | Examine the documented schedule for management reviews and compare it against actual meeting dates. Check attendance records to confirm participation. |
| 2. Check Agenda Completeness | Ensure the management review agenda covers all required inputs specified in the standard. | Review past management review agendas and compare them against the requirements of ISO 27001 clause 9.3. Look for inclusion of topics like ISMS performance, risk treatment effectiveness, and interested party feedback. |
| 3. Examine Input Information | Confirm that relevant and up-to-date information is used as input to the management review. | Review the reports, data, and other information used in the management review. Check for accuracy, relevance, and timeliness. Examples include performance reports, audit findings, and risk assessments. |
| 4. Verify Management Participation | Ensure that top management actively participates in the management review process. | Review attendance records for management review meetings. Interview top management personnel to gauge their involvement and understanding of the ISMS. |
| 5. Review Meeting Minutes | Check that meeting minutes are accurate, comprehensive, and record key decisions and actions. | Examine minutes from past management review meetings. Verify that they clearly document discussions, decisions made, and assigned actions. |
| 6. Assess ISMS Performance Review | Confirm that the management review includes a thorough assessment of the ISMS’s performance against its objectives. | Review performance reports and metrics presented during the management review. Check for evidence of analysis and evaluation of ISMS effectiveness. |
| 7. Evaluate Risk Treatment Review | Verify that the effectiveness of risk treatments is reviewed and discussed during the management review. | Examine records of risk assessments, risk treatment plans, and any changes made to them as a result of the management review. |
| 8. Check Consideration of Internal/External Issues | Ensure that internal and external issues relevant to the ISMS are considered during the review. | Review meeting minutes and other documentation to confirm that Internal issues (e.g., organisational changes) and external issues (e.g., new legislation) are discussed and their potential impact on the ISMS is assessed. |
| 9. Verify Action Follow-up | Confirm that actions arising from management reviews are tracked, implemented, and their effectiveness verified. | Review action logs, implementation records, and any follow-up reviews conducted to assess the effectiveness of corrective actions. |
| 10. Examine Record Keeping | Ensure that records of management reviews, including minutes, reports, and action plans, are maintained and readily accessible. | Check the organisation’s document management system for the presence and accessibility of management review records. Verify that they are stored securely and for the required retention period. |
Top 4 ISO 27001 Clause 9.3 Mistakes and How to Fix Them
In my experience, the top 4 mistakes people make for ISO 27001 Management Review are:
| The Mistake | Why it Fails the Audit (The Risk) | How to Fix It (The Auditor’s Solution) |
|---|---|---|
| Lack of formal minutes or documentation of management reviews. | Non-conformity against Clause 9.3.3; without “documented information,” there is no objective evidence the review ever occurred. | Use a standardised Management Review Minutes template to record all discussions, decisions, and specific action owners. |
| Poor attendance, including the absence of senior leadership or designated deputies. | Demonstrates a lack of “Leadership and Commitment” (Clause 5.1); indicates the ISMS is not being governed by those with decision-making authority. | Mandate attendance for Top Management; if a primary member is absent, ensure a deputy with delegated authority attends and contributes to the minutes. |
| No forward planning or schedule to evidence future review cycles. | Failure to meet the “planned intervals” requirement; suggests the ISMS governance is reactive rather than a structured management cycle. | Establish an annual governance calendar with pre-scheduled meeting invites that align with the organisation’s strategic reporting cycles. |
| Failing to follow the mandatory structured agenda. | Audit failure for Clause 9.3.2; missing even one mandatory input (e.g., status of previous actions) renders the entire review non-compliant. | Strictly follow a compliant meeting agenda that explicitly lists all required inputs from Clause 9.3.2 (a) through (g). |
Fast Track ISO 27001 Clause 9.3 Compliance with the ISO 27001 Toolkit
For ISO 27001 Clause 9.3 (Management review), the requirement is that top management must review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. This is a mandatory “top-down” clause that requires a structured agenda covering everything from previous action items to audit results and risk assessment status.
While SaaS compliance platforms often try to sell you “meeting modules” or complex “leadership dashboards,” they cannot actually be your senior management or make strategic decisions about business risk; those are human leadership and governance tasks. The High Table ISO 27001 Toolkit is the logical choice because it provides the governance framework you need without a recurring subscription fee.
| Governance Aspect | The SaaS “Compliance” Model | The HighTable Toolkit Advantage |
|---|---|---|
| Ownership | “Renting” leadership history; records are locked within a proprietary system. | Permanent ownership of editable Word/Excel Management Review templates. |
| Simplicity | Forces senior leadership to learn complex, non-standard software interfaces. | Auditor-approved agenda layers that integrate with existing real-world meeting cultures. |
| Cost Efficiency | Recurring “Governance Tax” often scaling based on user seats or leadership access. | Single one-off fee for the entire documentation suite, regardless of head count. |
| Flexibility | Vendor lock-in; restricted by the reporting logic of the platform provider. | 100% technology-agnostic; adaptable to monthly board meetings or lean quarterly check-ins. |
Summary: For Clause 9.3, the auditor wants to see that meetings are planned, attended by the right people, and followed a structured agenda with recorded minutes. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Clause 9.3 Mapped to other standards and Laws
This mapping table aligns the requirements of ISO 27001:2022 Clause 9.3 (Management Review) with global industry standards, emerging AI regulations, and new UK/EU/US legislation.
| ISO 27001:2022 Clause 9.3 Component | Relevant Industry Standard / Law | How it Maps / Specific Requirements |
|---|---|---|
| 9.3.1 General: Top Management Oversight | DORA (Digital Operational Resilience Act) – Art. 5 | Mandates that the “management body” bears ultimate responsibility for ICT risk. It requires the board to approve, oversee, and periodically review the ICT risk framework. |
| | NIS2 Directive / UK Cyber Security & Resilience Bill | Moves governance from IT to the boardroom. Board members are personally liable for non-compliance and must undergo mandatory cybersecurity training to “oversee” risk effectively. |
| | SOC 2 – CC1.2 & CC1.3 | Requires the Board to demonstrate independence from management and exercise oversight of the development and performance of internal controls. |
| | NIST CSF 2.0 – GV.OV-01 | Governance (GV) function: Requires that “Organizational leadership is responsible and accountable for cybersecurity risk and oversees the cybersecurity strategy.” |
| | EU AI Act – Art. 16 & 17 | Providers of high-risk AI must establish a management system that ensures “human oversight” and quality management, with senior leadership responsible for the AI’s “safety and ethics.” |
| 9.3.2 (a) Status of previous actions | SOC 2 – CC1.1 / COSO Principle 1 | Focuses on “Tone at the Top.” Management must track and resolve deviations from standards of conduct and previous audit findings. |
| | HIPAA Security Rule – §164.308(a)(8) | Periodic Evaluation: Requires organizations to perform periodic technical and non-technical evaluations of their security posture in response to environmental or operational changes. |
| 9.3.2 (b) Changes in internal/external issues | UK Data (Use & Access) Act 2025 | Requires “Accountability Frameworks” to be dynamic. Management must review “Recognised Legitimate Interests” and “High-volume Digital Verification” processing as the business context shifts. |
| | California CCPA/CPRA | Mandates annual Cybersecurity Audits and regular Risk Assessments (Regs effective Jan 2026) that must be reviewed by the board to address new privacy risks. |
| | ISO 42001 (AI Management) – Clause 9.3 | Specifically requires reviewing changes in the AI regulatory landscape, ethical expectations, and societal impact. |
| 9.3.2 (c) Feedback on performance (Trends, Incidents, Audits) | CIRCIA (USA) | Mandates 72-hour reporting for significant incidents. Management reviews must evaluate these incident trends to ensure the 72-hour threshold is consistently met. |
| | GDPR – Art. 24 & 32 | The “Accountability Principle” requires management to demonstrate that technical and organizational measures (determined via 9.3 reviews) are effective for data protection. |
| | NIS2 / UK Cyber Bill | Expands mandatory reporting to Managed Service Providers (MSPs). Management must review reporting of “near-misses” and supply chain incidents, not just successful breaches. |
| 9.3.2 (d) Feedback from interested parties | ECCF (EU Cybersecurity Certification Framework) | Moves toward harmonized security labels. Management review records serve as evidence of “organizational maturity” for certifying products/services under ENISA schemes. |
| | EU Product Liability Directive (PLD) Update | Management must review feedback on software flaws/defects throughout the product life cycle, as strict liability now applies to software providers for security failures. |
| 9.3.2 (e) Risk assessment & treatment status | DORA – Art. 6(4) | Management must “periodically review” the ICT risk management framework to ensure it achieves “high levels of digital operational resilience.” |
| | NIST CSF 2.0 – GV.SC-01 | Management must review the “Cybersecurity Supply Chain Risk Management” strategy to ensure third-party risks are within the organization’s appetite. |
| 9.3.3 Outputs: Decisions on Resources & Improvements | ISO 42001 – Clause 9.3 | Decisions must include resource allocation for AI fairness, transparency, and explainability improvements. |
| | UK Cyber Governance Code of Practice | Principle B4 requires the board to gain assurance that the “cyber strategy is being delivered effectively” and authorized resources are achieving intended outcomes. |
| | SOC 2 – CC2.2 | Requires management to communicate identified deficiencies to the parties responsible for taking corrective action and to senior management/the board. |
The ISO 27001 Governance Engine (The Cycle)
The biggest mistake you can make is thinking Clause 9.3 exists in a vacuum. It doesn’t. It is the destination for all the data you’ve been collecting in the “Check” phase.
In the Plan-Do-Check-Act (PDCA) cycle, Clause 9.3 is the bridge between Check and Act.
- The Inputs (The Fuel): Clause 9.1 (Monitoring & Measurement) and Clause 9.2 (Internal Audit) feed the engine with raw data.
- The Review (The Engine): Clause 9.3 processes that data.
- The Outputs (The Exhaust): This feeds directly into Clause 10 (Improvement) and Clause 6.2 (Objectives).
If your auditor doesn’t see this flow, if your minutes don’t show that audit findings led to a resource decision, they’ll see your ISMS as a “paper system,” not a living management system.
Defining the “Big Three”: Suitability, Adequacy, Effectiveness
The standard specifically mandates that Top Management reviews the ISMS for three specific things. Most people gloss over these in the minutes, which is a massive red flag for me as an auditor. If you want to pass with flying colours, you need to define and evidence these three pillars:
The 110% Governance Framework
| Pillar | What it means in plain English | How to prove it to an Auditor |
|---|---|---|
| Suitability | Is the ISMS still a good “fit” for our business? | Show me minutes where you discussed if the ISMS still works after that new office opening, the shift to remote work, or the acquisition of Company X. |
| Adequacy | Do we have enough “fuel” (budget, people, tools) to run it? | Show me a documented decision where the Board approved a new hire for the security team or signed off on the budget for an automated MFA tool. |
| Effectiveness | Is it actually stopping the “bad stuff”? | This is where you look at your KPIs. Show me that you reviewed your “99.9% Uptime” goal or “Zero Unauthorised Access” objective and confirmed you actually hit them. |
The Lead Auditor’s Secret: The “Pre-Review” Strategy
If you drag your CEO into a 4-hour meeting to look at raw firewall logs, they will disengage, and your governance will fail.
The Diamond Standard approach: Conduct a “Technical Pre-Review” with the IT and Security leads. Summarise the logs, the audit non-conformities, and the risk shifts into a high-level Executive Briefing.
When the actual Management Review happens, you aren’t looking for data; you are looking for Decisions.
Auditor’s Note: I don’t want to see that you spent 2 hours talking about patches. I want to see that the Board looked at a summary of failed patches and decided to allocate the resource to fix the underlying issue. That is true Clause 9.3 compliance.
Scaling the Review: Small vs. Large Organisations
| Organisational Type | The Governance Strategy | Auditor-Approved Approach |
|---|---|---|
| The Startup (“Lean” Review) | Integrate with existing monthly Founders’ or Operations meetings. | Don’t create a new 4-hour meeting. Dedicate 30 minutes of your existing monthly meeting to the ISO 27001 Agenda. It keeps security “front of mind” without killing productivity. |
| The Enterprise (“Tiered” Review) | Use a Security Steering Committee (SecCo) to pre-digest the data. | The SecCo handles the technical deep dives (the “How”). They then present a high-level summary to the Board (the “What”) for strategic decision-making and budget approval. |
Advanced Benchmarking Metrics: The 110% Clause 9.3 Dashboard
Top Management doesn’t want a 50-page report; they want a high-fidelity dashboard that proves the ISMS is protecting the company’s valuation. If you present these five metrics in your Management Review, you are operating at a “Diamond Standard” level.
| Benchmarking Metric | Definition & Calculation | Strategic Value & Auditor Signal |
|---|---|---|
| 1. Residual Risk “Velocity” | The percentage of “High” or “Critical” risks that have moved to “Medium” or “Low” status since the previous review. | Proves that security expenditure is effectively “buying down” risk. Demonstrates a closed-loop between Clause 6.1 (Risk Treatment) and Clause 9.3 oversight. |
| 2. Control Effectiveness Ratio (CER) | Calculated as: (Number of passed control tests ÷ Total controls tested) x 100. | Provides a definitive percentage regarding the health of the technical environment. A drop below 90% triggers an immediate mandate for Resource Adequacy (Clause 7.1). |
| 3. Non-Conformity “Burn-Down” Rate | The average number of days elapsed from the initial “Audit Finding” to “Formal Closure.” | Measures organisational agility. A slow rate suggests the business is ignoring security gaps, which serves as a major red flag during certification audits. |
| 4. Security ROI (S-ROI) | A comparison of the Total Cost of Prevention vs. the Estimated Cost of a Breach (based on the current risk assessment). | Uses the language of the CFO to justify the security budget by preventing high-cost regulatory fines or ransomware events. |
| 5. Third-Party “Risk Drift” | Percentage of critical vendors who have failed to provide their latest ISO 27001 or SOC 2 certificates on schedule. | Addresses the primary 2026 threat of supply chain attacks. Identifies if partners are becoming a liability to the organisation’s valuation. |
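The five metrics above, computed from constructed ISMS records as an added example (not the article's or the High Table toolkit's code). The 90% CER floor comes from the table; the record layouts, function names, sample figures and the "n/a rather than zero" handling for empty inputs are assumptions.

```python
# Added example (not the article's or the High Table toolkit's code): computes the five dashboard
# metrics above from constructed ISMS records; the 90% CER floor is the page's, everything else is assumed.
from datetime import date

HIGH, LOW = ("High", "Critical"), ("Medium", "Low")
CER_FLOOR = 90.0  # page: a CER below 90% triggers a Resource Adequacy (Clause 7.1) mandate

def residual_risk_velocity(prev, curr):
    """% of risks rated High/Critical at the previous review that are now Medium/Low."""
    was_high = [rid for rid, lvl in prev.items() if lvl in HIGH]
    if not was_high:
        return None  # nothing to buy down: report n/a rather than a misleading 100%
    return round(100.0 * sum(curr.get(r) in LOW for r in was_high) / len(was_high), 1)

def control_effectiveness_ratio(test_results):
    """(passed control tests / total controls tested) x 100; None if nothing was tested."""
    return round(100.0 * sum(test_results) / len(test_results), 1) if test_results else None

def nc_burn_down_days(findings):
    """Average days from audit finding to formal closure; still-open findings are excluded."""
    days = [(f["closed"] - f["raised"]).days for f in findings if f["closed"] is not None]
    return round(sum(days) / len(days), 1) if days else None

def third_party_risk_drift(vendors, today):
    """% of critical vendors whose ISO 27001 / SOC 2 certificate is overdue as of `today`."""
    critical = [v for v in vendors if v["critical"]]
    if not critical:
        return None
    overdue = sum(v["received"] is None and v["due"] < today for v in critical)
    return round(100.0 * overdue / len(critical), 1)

def build_dashboard(prev, curr, tests, findings, prevention_cost, breach_cost, vendors, today):
    """The five metrics plus the Clause 7.1 flag; None means 'not applicable', never zero."""
    cer = control_effectiveness_ratio(tests)
    return {"residual_risk_velocity_pct": residual_risk_velocity(prev, curr),
            "control_effectiveness_ratio_pct": cer,
            "resource_adequacy_mandate": cer is not None and cer < CER_FLOOR,
            "nc_burn_down_days": nc_burn_down_days(findings),
            "security_roi": round(breach_cost / prevention_cost, 1),  # breach cost avoided per unit spent
            "third_party_risk_drift_pct": third_party_risk_drift(vendors, today)}

PREV_RISKS = {"R1": "High", "R2": "Critical", "R3": "Medium", "R4": "High"}  # constructed sample data
CURR_RISKS = {"R1": "Medium", "R2": "Critical", "R3": "Low", "R4": "Low"}
CONTROL_TESTS = [True] * 8 + [False] * 2
FINDINGS = [{"raised": date(2025, 8, 5), "closed": date(2025, 8, 25)},
            {"raised": date(2025, 8, 12), "closed": date(2025, 9, 21)},
            {"raised": date(2025, 9, 1), "closed": None}]
VENDORS = [{"name": "V-A", "critical": True, "due": date(2025, 8, 31), "received": None},
           {"name": "V-B", "critical": True, "due": date(2025, 8, 31), "received": date(2025, 8, 20)},
           {"name": "V-C", "critical": True, "due": date(2025, 10, 31), "received": None},
           {"name": "V-D", "critical": False, "due": date(2025, 8, 31), "received": None}]

def q3_dashboard():
    return build_dashboard(PREV_RISKS, CURR_RISKS, CONTROL_TESTS, FINDINGS,
                           250_000, 1_200_000, VENDORS, date(2025, 9, 15))
```

With the constructed Q3 data the CER of 80% sets the Resource Adequacy flag, which is the decision the minutes would need to record.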
The Ultimate ISO 27001 Annual Governance Calendar
Management reviews often fail audits because they are treated as standalone events. A high-maturity ISMS coordinates the Internal Audit (9.2) and Monitoring (9.1) so that the results are fresh when they hit the Management Review (9.3).
| Quarter | Month | Governance Activity | ISO 27001 Clause |
|---|---|---|---|
| Q1: The Reset | Jan | Context Review: Update Internal/External issues (Law, Market). | 4.1 / 4.2 |
| | Feb | Asset & Risk Refresh: Update the Risk Treatment Plan. | 6.1.2 / 8.2 |
| | Mar | Management Review (Q1): Strategic alignment and budget review. | 9.3 |
| Q2: The Check | Apr | Training & Awareness: Competency matrix update. | 7.2 / 7.3 |
| | May | Technical Monitoring: Vulnerability scan & MFA audit. | 9.1 |
| | Jun | Management Review (Q2): Performance trends & incident review. | 9.3 |
| Q3: The Audit | Jul | Supplier Review: Third-party “Risk Drift” assessment. | Annex A 5.21 |
| | Aug | Internal Audit Phase: Comprehensive ISMS health check. | 9.2 |
| | Sep | Management Review (Q3): Results of Internal Audit & NC closure. | 9.3 |
| Q4: The Act | Oct | Business Continuity: Drill/Test of recovery plans. | Annex A 5.30 |
| | Nov | Objective Setting: Set security targets for the next year. | 6.2 |
| | Dec | Executive Strategy Review: Annual ISMS Suitability sign-off. | 9.3 |
ISO 27001 Clause 9.3 FAQ
What is ISO 27001 Clause 9.3 Management Review?
ISO 27001 Clause 9.3 Management Review requires an organisation to hold a regular management review meeting that follows the structure and requirements of the ISO 27001 standard. This ensures top management reviews the Information Security Management System (ISMS) to confirm its continuing suitability, adequacy, and effectiveness.
How do I evidence I meet the requirement of ISO 27001 Clause 9.3 Management Review?
ISO 27001 Clause 9.3 Management Review compliance is evidenced by having Management Review Meetings scheduled throughout the year and evidence that meetings have occurred with meeting minutes available. These minutes must record decisions on mandatory inputs such as audit results, risk treatment status, and resource needs.
Where can I download ISO 27001 Clause 9.3 Management Review templates?
You can download ISO 27001 Clause 9.3 Management Review templates from the ISO 27001 Toolkit. This toolkit provides pre-configured templates that ensure all mandatory agenda items are covered to satisfy certification body auditors.
Is there an ISO 27001 Clause 9.3 Management Review example?
An example of an ISO 27001 Clause 9.3 Management Review can be found in the ISO 27001 Toolkit. This includes real-world demonstrations of how to document management decisions regarding information security performance and improvement opportunities.
How often do you perform ISO 27001 Management Review?
You perform ISO 27001 management reviews monthly or, if you cannot, at least once every 3 months. While the standard only requires reviews at “planned intervals,” a higher frequency ensures closer alignment with evolving regulations like the UK Data (Use and Access) Act 2025 and DORA.
Who performs ISO 27001 management review?
The information security manager ensures that the meeting takes place. The meeting is attended by the information security manager, a senior leadership representative, and representatives from each department in the organisation to ensure cross-functional oversight of the ISMS.
Who are ISO 27001 management reviews reported to?
Management reviews are reported to the senior leadership team. This reporting line is a critical signal for auditors, proving that those with the highest level of authority are making informed decisions about the organisation’s security posture.
What happens if we don’t do ISO 27001 management reviews?
If you do not do ISO 27001 management reviews and minute them, then you will not achieve ISO 27001 certification. In addition, your management system will not operate as intended and will not be effective, leaving the organisation vulnerable to security breaches and regulatory fines.
Related ISO 27001 Controls
| Related ISO 27001 Control / Page | Description of Relationship |
|---|---|
| How to conduct an ISO 27001 Management Review Meeting | This is the practical execution guide for Clause 9.3. It provides the mandatory agenda items (Inputs) and required decisions (Outputs) needed to satisfy the standard. |
| ISO 27001 Objectives (Clause 6.2) | Clause 9.3.2(c) mandates that management review the “fulfilment of information security objectives.” This page explains how to set and measure the goals that the board must review. |
| Independent Review of Information Security (Annex A 5.35) | Independent reviews (audits) provide the “audit results” required as a mandatory input for the management review. The board uses these results to gain an unbiased view of ISMS health. |
| ISO 27001 Clause 4.1 Understanding Context | Management is required to review “changes in internal and external issues” (Clause 9.3.2 b). This page defines how those issues are identified so they can be reported to leadership. |
| ISO 27001 Clause 4.2 Interested Parties | Feedback from stakeholders (customers, regulators, partners) is a mandatory input for Clause 9.3. This guide outlines how to capture the feedback that management must eventually review. |
| ISO 27001 Clause 7.1 Resources | A primary output of the Management Review (Clause 9.3.3) is decisions regarding “any need for resources.” This page explains the types of resources (people, budget, tools) management must approve. |
| Business Management System (BMS) | HighTable defines the Management Review as the primary “Executive Oversight” bridge where the ISMS integrates with the broader Business Management System for strategic alignment. |
| ISO 27001 Clause 4.4 ISMS | This page details the overall ISMS lifecycle (Plan-Do-Check-Act). Management Review represents the “Act” and “Check” phases, ensuring the system is continually improved. |
| ISO 27001:2022 Update Guide | Provides a breakdown of the specific wording changes in the 2022 update, which separated Clause 9.3 into three distinct sub-clauses (General, Inputs, and Results) for better audit clarity. |
| ISO 27001 Information Security Policy | Management reviews are the mechanism used to approve and authorize high-level policies. The review ensures the policy remains “suitable and adequate” for the organization’s goals. |