Clause 9.3 is one of the most straightforward clauses in ISO 27001, and one of the most commonly failed. Top management must review the ISMS at planned intervals. The review must consider specific inputs defined by the standard (Clause 9.3.2 in the 2022 edition), and the results must be retained as documented information (Clause 9.3.3). Without a complete set of management review minutes showing that every required input was considered, expect a Stage 2 audit to raise a nonconformity.
The reason this clause fails so often is that organisations either hold a review but produce inadequate minutes, or produce minutes that do not address all the required inputs. What follows is what the clause actually requires and how to run a review that produces audit-ready documentation.
Who Must Attend
Clause 9.3 requires top management to conduct the review. The standard defines top management as the person or group of people who directs and controls the organisation at the highest level: typically the CEO, CTO, managing director or equivalent C-suite role. It is not sufficient to delegate the review entirely to the CISO or IT manager. The whole point of the management review is to demonstrate that senior leadership is engaged with the ISMS and making informed decisions about it.
In practice, for a small organisation, this means at least one director or founder must be present. The CISO or security lead typically presents the agenda items, but the decisions made in the review — resource allocations, risk acceptance decisions, objectives — must be made by or with the authority of top management.
How Often to Hold It
The standard says "at planned intervals." It does not mandate a specific frequency, but certification auditors generally expect at least one review per year, and the planned interval itself should be stated somewhere (for example in the ISMS manual or the review procedure) so that the auditor can check you kept to it. For organisations in their first certification year, holding two reviews, one mid-year and one before the Stage 2 audit, is a practical approach that generates more evidence and demonstrates active ISMS management.
The 9 Mandatory Agenda Inputs
Clause 9.3.2 defines the inputs that must be considered in the management review as a lettered list (a to g in the 2022 edition), with the performance-feedback item broken into four sub-items. The nine agenda items below expand that list into the form auditors look for in minutes: the internal audit results and the objectives are sub-items of ISMS performance, but auditors check for each explicitly, and resource needs are a decision the review is expected to record rather than a listed input. Every one of them should be visible in your minutes. A missing input is sufficient for an auditor to raise a nonconformity against Clause 9.3.
Status of actions from previous reviews
What was decided last time? What was completed, what is still open, and why?
Changes in external and internal issues relevant to the ISMS, and in the needs and expectations of interested parties
What has changed in the business context, regulatory environment, or threat landscape since the last review? Have customers, regulators or other interested parties changed what they expect of your security programme? (The 2022 edition added this second question as a separate input, 9.3.2 c.)
Information on ISMS performance
Nonconformities and corrective actions, monitoring/measurement results, audit results, progress on ISMS objectives.
Feedback from interested parties
Customer security questionnaires, regulatory communications, feedback from suppliers or partners about your security posture.
Risk assessment results and risk treatment plan status
Have risks changed? Are treatment actions on track? Are any accepted risks still within tolerance?
Opportunities for continual improvement
What could the ISMS do better? Are there process improvements, tool upgrades, or policy updates that would improve security posture?
Results of the internal audit
Summary of findings from the most recent internal audit, including any nonconformities raised and their current status.
Fulfilment of information security objectives
How has the organisation performed against the ISMS objectives set in Clause 6.2? Were targets met?
Resource needs
Does the ISMS have adequate resources, meaning budget, people and tools, to operate effectively? Are any additional resources needed? The standard lists this under the outputs of the review (decisions on changes to the ISMS) rather than the inputs, but a review that records no resourcing decision is a weak one and auditors will ask about it.
What the Minutes Must Contain
Meeting minutes structure
- Date, time, and location of the review
- Attendees, with roles (including confirmation that top management was present)
- Coverage of each of the 9 inputs above; even if brief, each must be referenced
- Decisions made, specifically on risk, resources, and objectives
- Action items, with named owners and due dates
- Approved by: signed or dated approval by top management
Making It Useful, Not Just a Checkbox
The management review is most valuable when it actually drives decisions. Treat it as your annual ISMS board meeting: review the security posture of the organisation, make explicit decisions about risk appetite, approve resource allocation for the coming period, and set objectives for the next cycle. The documentation that comes out of a genuine review is far more compelling to an auditor than a tick-box template filled in the week before the audit.
If auditors find no minutes
A missing management review is normally classified as a major nonconformity against Clause 9.3, because the requirement has not been met at all rather than partially. It signals to the auditor that top management is not genuinely engaged with the ISMS, which undermines confidence in the entire programme, and it is a common reason organisations fail their Stage 2 audit on a first attempt.
If you want help structuring and facilitating your management review, our ISO 27001 consulting service includes management review facilitation and documentation on a retained basis.