ISO 27001
ISO 27001 Management Review: Clause 9.3 Agenda and Evidence
3 July 2026 · Updated 3 July 2026
Short answer: The clause 9.3 management review is where top management confirms the ISMS is still suitable, adequate and effective. It runs at planned intervals, at least annually, against a defined set of inputs, and produces documented decisions on improvement, change and resourcing. Auditors treat a weak or missing review as a direct finding.
Management review is one of the first things a Stage 2 auditor asks for, because it proves leadership actually runs the security system rather than delegating it and looking away. Teams that treat it as a box tick get findings. Teams that run it well steer the ISMS with it. This covers the agenda, the inputs, the outputs and the evidence.
What is the management review in ISO 27001?
The management review is the periodic review of the Information Security Management System (ISMS) by top management, required by clause 9.3 of ISO/IEC 27001:2022. Leadership examines whether the ISMS remains suitable, adequate and effective, and decides what needs to change.
It is a leadership control, not an operational one. Clause 5 places accountability for the ISMS with top management, and clause 9.3 is where that accountability gets exercised on a schedule. The review is not the security team reporting to itself. It is the accountable leaders looking at how the management system is performing and making binding decisions about it. That distinction is exactly what an auditor is testing when they read the review records.
How often does the ISO 27001 management review have to happen?
Clause 9.3 requires the review at planned intervals but sets no fixed frequency. You choose the interval, document it, and then meet it consistently.
Most organisations run a full management review at least annually, timed ahead of the surveillance or recertification audit so the record is current when the auditor arrives. Many run a lighter review quarterly, so the ISMS is steered through the year rather than revisited once. The frequency matters less than the consistency. An annual review that actually happened on schedule is stronger evidence than a quarterly cadence you set and then missed twice. Whatever interval you commit to has to appear in your documented information and be met on record.
What inputs does ISO 27001 clause 9.3 require?
Clause 9.3 lists the inputs the review must consider. Missing one is a common finding, so the agenda should map to the clause directly.
| Clause 9.3 input | What leadership examines |
|---|---|
| Status of prior actions | Whether decisions from the last review were done |
| Changes in issues and needs | Shifts in internal, external and interested party context |
| ISMS performance | Nonconformities, corrective actions, monitoring and measurement results |
| Audit results | Findings from internal audits and external audits |
| Risk treatment | Progress against the risk assessment and treatment plan |
| Interested party feedback | What customers, regulators and other parties have raised |
| Improvement opportunities | Options to strengthen the ISMS |
The agenda is the clause. Structure the meeting so each input is presented, discussed and minuted, and the record shows leadership engaged with the substance rather than noting it.
What are the ISO 27001 clause 9.3 management review outputs the auditor expects?
Clause 9.3 requires the outputs to include decisions on opportunities for continual improvement and any need to change the ISMS, including changes to resources. This is the part that turns a meeting into evidence.
An auditor reads the outputs to see whether the review changed anything. A review that considered a rising incident trend and resolved to fund an extra control, or reviewed a repeat nonconformity and directed a change to how it is handled, demonstrates a working system. A review that recorded only “ISMS remains effective” against every input reads as a rubber stamp. Document the decisions, assign owners and dates, and carry them into the next review as the prior actions input. That loop is what continual improvement looks like on paper.
What ISO 27001 management review evidence do auditors look for?
Auditors want to see that the review happened, that top management were in it, and that it produced decisions. The evidence is usually a set of minutes or a review record with an attendance list, the inputs presented against clause 9.3, and dated decisions with owners.
Three things weaken the evidence fast. Top management were absent, so the review was really a security team meeting. Inputs were missing, so the review could not have judged effectiveness. Or the outputs were generic, so nothing changed. Keep the record tied to the clause, keep the accountable leaders in the room and on the attendance list, and carry decisions forward. Cybernion helps teams run ISO 27001 management reviews that stand up to a Stage 2 auditor. For the wider picture, see the complete ISO 27001 guide. The ISO 27001 statement of applicability and the ISO 27001 readiness checklist are two resources that help prepare the inputs the management review needs.
Frequently asked questions
What is the management review in ISO 27001?
It is the periodic review by top management of the information security management system, required by clause 9.3. Leadership examines whether the ISMS is still suitable, adequate and effective, using a defined set of inputs, and records decisions on changes, resourcing and improvement.
How often must the ISO 27001 management review happen?
ISO 27001 says at planned intervals but does not set a frequency. Most organisations run it at least annually, and many run it quarterly so the ISMS stays current between audits. The interval you choose has to be documented and consistently met.
What inputs does ISO 27001 clause 9.3 require?
The status of prior actions, changes in internal and external issues and interested party needs, feedback on security performance including nonconformities, audit results and risk treatment progress, feedback from interested parties, and opportunities for continual improvement. Clause 9.3 lists these explicitly.
What are the required ISO 27001 management review outputs?
Decisions on opportunities for continual improvement and any need to change the ISMS, including changes to resources. The outputs have to be documented, and they are what turn a review meeting into evidence an auditor can test.
Who must attend the ISO 27001 management review?
Top management, since clause 9.3 places the review with them. In practice the ISMS owner or security lead prepares and presents the inputs, but the accountable leaders whose decisions bind the organisation have to be present and on record as making them.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ISO/IEC 27001:2022, iso.org, 2022
Last updated: 3 July, 2026