
Management Review per ISO 27001: Agenda, KPIs, and Minutes

TL;DR
  • ISO 27001 requires in Clause 9.3 that top management evaluates the ISMS at planned intervals. Without a documented management review, there is no certification.
  • The standard defines nine mandatory inputs, including audit results, risk treatment status, performance metrics, and feedback from interested parties.
  • Meaningful KPIs measure not only technology (patch rate, backup success rate) but also process quality and employee awareness.
  • The most important output of the review is concrete decisions and action items with responsible persons and deadlines, not general statements of intent.
  • Most organizations conduct one to two reviews per year. In dynamic risk environments or in the first year after ISMS implementation, a higher frequency may be appropriate.

Why the Management Review Is More Than a Formality

Clause 9.3 of ISO 27001 is short — barely two pages in the standard. Yet the management review is among the requirements that certification audits fail on most frequently. Not because the requirements are particularly complex, but because many organizations treat the review as a bureaucratic box-ticking exercise: block an hour in the calendar, click through a presentation, sign the minutes. Done, check the box, next topic.

The problem: a management review conducted this way misses its purpose. The idea behind the review is that senior management regularly checks whether the ISMS is fulfilling its purpose, whether it is adequately resourced, and whether the strategic direction is still correct. It is the place where operational data meets strategic decisions. And it is the only process in the ISMS where top management cannot delegate.

This is the crucial point: the standard explicitly refers to "top management." The information security officer can prepare, moderate, and follow up on the review. But the assessment and the resulting decisions must come from senior management. If the CEO is not in the room during the review, you have a problem — both normatively and practically.

Who Participates?

The participant list depends on the size and structure of your organization, but certain roles are indispensable:

Top management (mandatory): CEO, board, or the persons who determine the strategic direction of the company and can approve resources. Without them, the review is not a management review in the sense of the standard.

Information security officer (ISO): Prepares the review, provides the data, and moderates the session. The ISO is typically the person with the deepest insight into the ISMS status and brings the operational perspective.

IT management: Brings the technical perspective. Which systems are critical? What technical risks exist? What investments are needed? Especially for decisions about technical measures or resources, IT management is indispensable.

Data protection officer: If applicable, brings the data protection perspective. Many information security measures overlap with data protection requirements, and an integrated view avoids duplication of effort.

Additional participants depending on the agenda: Department heads affected by specific audit findings, the head of risk management, the quality manager (if an integrated management system exists), or external consultants for specific topics.

In a company with 100 employees, the review group typically consists of four to six people: CEO, ISO, IT management, and depending on need, one or two additional subject matter experts. That is enough to make well-founded decisions without ending up in a large gathering where nobody really gets to speak.

The Nine Mandatory Inputs per ISO 27001

Clause 9.3 of the standard explicitly defines which information must feed into the management review. These inputs are not recommendations — they are mandatory. A certification auditor will verify that each point was addressed in your review.

1. Status of Actions from Previous Management Reviews

What was decided last time? Were the action items implemented? If not, why not? This point ensures that the management review does not become a ritual without consequences. If decisions are made but never implemented, that is a systemic problem that must be addressed.

Prepare an overview showing each action item from the last review: what was the assignment? Who was responsible? What is the current status? Clearly mark open items so they can be discussed in the session.

2. Changes to External and Internal Issues

Your organization's context changes continuously. New laws (NIS2, DORA), changed threat landscapes, organizational changes (mergers, new locations, personnel changes), technological developments (cloud migration, AI adoption). All of this affects your ISMS and must feed into the assessment.

Typical questions that fall under this point:

  • Have regulatory requirements changed?
  • Were there organizational changes affecting the ISMS scope?
  • Has the threat landscape in our industry changed?
  • Are there new business relationships or partnerships that impact information security?

3. Feedback on Information Security Performance

The standard explicitly requires information about ISMS performance in the following areas:

a) Nonconformities and corrective actions: How many deviations were identified in the reporting period? How many were closed? What is the trend compared to the previous year? Are there recurring patterns indicating systemic weaknesses?

b) Monitoring and measurement results: The KPIs of your ISMS (more on this in the next section). Are we meeting our targets? Where are we below expectations? Where have we improved?

c) Audit results: What did the internal audits find? What findings were there? Which areas were particularly strong, which particularly weak? If a certification audit took place, what were its results?

d) Achievement of information security objectives: You have (hopefully) defined measurable information security objectives. The management review is where it is checked whether these objectives were achieved. If not, it must be discussed whether the objectives were unrealistic or the measures insufficient.

4. Feedback from Interested Parties

What do customers, partners, suppliers, or authorities say about information security? Were there complaints? Were there requests for security evidence? Have customers imposed new requirements (such as ISO 27001 certification as a contract prerequisite)?

Positive feedback also belongs here: if a major customer explicitly praised the good security documentation or if the certification won a tender, that is relevant for the strategic assessment.

5. Results of Risk Assessment and Status of the Risk Treatment Plan

What risks are currently in the risk register? Have risk assessments changed? Are there new risks that did not exist at the last review? What is the implementation status of the risk treatment plan?

Prepare a compact risk overview: the five to ten largest risks, their current risk assessment, the status of treatment measures, and an assessment of whether the overall risk position has improved or deteriorated.

6. Opportunities for Continual Improvement

What improvement opportunities have been identified? These may be suggestions from internal audits, lessons from security incidents, ideas from employees, or industry best practices. This input makes the management review forward-looking: not just retrospectively assessing, but actively seeking improvements.

KPIs That Belong on the Agenda

The standard requires monitoring and measurement of ISMS performance but does not prescribe specific KPIs. This is intentional, because meaningful metrics depend on the size, industry, and maturity of the ISMS. A freshly implemented ISMS needs different KPIs than one that has been running for five years.

Nevertheless, there are metrics that make sense in almost every management review. A comprehensive collection is provided in the article on ISMS metrics and KPIs. Here is a selection, organized by category:

Technical KPIs

| KPI | Metric | Target value (example) |
|---|---|---|
| Patch rate for critical systems | Percentage of systems patched within 30 days of a critical patch release | > 95% |
| Backup success rate | Percentage of successful backups out of planned backups | > 99% |
| Backup restore tests | Number of restore tests conducted in the reporting period | >= 4/year |
| MFA coverage | Percentage of user accounts with multi-factor authentication enabled | > 90% |
| Vulnerability remediation time | Average time from identification to remediation of a critical vulnerability | < 14 days |
| Availability of critical systems | Uptime of business-critical IT systems | > 99.5% |

Process KPIs

| KPI | Metric | Target value (example) |
|---|---|---|
| Incident response time | Average time from detection to first response | < 4 hours |
| Open corrective actions | Number of open corrective actions whose deadline has passed | 0 |
| Audit coverage | Percentage of ISMS areas audited in the last year | 100% |
| Policy currency | Percentage of policies reviewed within the defined review cycle | 100% |
| Change management | Percentage of IT changes that went through the defined approval process | > 95% |

People KPIs

| KPI | Metric | Target value (example) |
|---|---|---|
| Training completion rate | Percentage of employees who completed the annual awareness training | > 95% |
| Phishing simulations | Click rate on simulated phishing emails | < 10% |
| Incident reports by employees | Number of security incidents or suspected incidents reported by employees | Increasing (trend) |
| Management training | Training of top management conducted in the reporting period | Yes/No |

Presenting KPIs Effectively

A common mistake in KPI presentation during the management review: too many numbers, too little context. Senior management does not want to go through twenty metrics one by one. They want to understand whether the ISMS is in good shape, where the greatest risks lie, and where action is needed.

The following format has proven effective:

  • Traffic light display: Each KPI receives a traffic light color (green = target met, yellow = close to target, red = significantly missed). Management sees at a glance where things are going well and where not.
  • Trend display: Show not just the current value but also the development over the last three to four reporting periods. A KPI at 92% that is steadily rising requires a different response than one at 92% that is falling.
  • Context information: For each yellow or red KPI, include a brief explanation: what is the cause? What is already being done? What is recommended?

Limit the presentation to ten to fifteen KPIs. More will lose management's attention. If you want to go deeper, provide the detailed data as an appendix.
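The traffic-light and trend logic described above, as an added example (not code from the article or from ISMS Lite). Assumptions not stated in the article: a KPI is "yellow" when it misses its target by no more than a per-KPI tolerance band, and a trend is judged from the least-squares slope over the last reporting periods; the sample values are constructed.

```python
"""Traffic lights and trends for ISMS KPIs (added example, not from the article)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Kpi:
    name: str
    history: List[float]    # one value per reporting period, oldest first
    target: float = 0.0     # ignored when direction == "trend_up"
    direction: str = "min"  # "min": >= target is good; "max": <= target is good;
                            # "trend_up": the target itself is a rising trend
    tolerance: float = 0.0  # assumption: width of the yellow band, in KPI units
    unit: str = "%"


def slope(values: List[float]) -> float:
    """Least-squares slope per reporting period (0.0 with fewer than 2 points)."""
    n = len(values)
    if n < 2:
        return 0.0
    xm, ym = (n - 1) / 2, sum(values) / n
    num = sum((i - xm) * (v - ym) for i, v in enumerate(values))
    den = sum((i - xm) ** 2 for i in range(n))
    return num / den


def trend(kpi: Kpi, flat: float = 0.5) -> str:
    """'improving', 'deteriorating' or 'stable', oriented by the KPI's direction.
    A slope smaller than `flat` (KPI units per period) counts as stable."""
    s = slope(kpi.history)
    if abs(s) < flat:
        return "stable"
    higher_is_better = kpi.direction in ("min", "trend_up")
    return "improving" if (s > 0) == higher_is_better else "deteriorating"


def traffic_light(kpi: Kpi) -> str:
    """green = target met, yellow = within tolerance, red = significantly missed."""
    if kpi.direction == "trend_up":
        return {"improving": "green", "stable": "yellow", "deteriorating": "red"}[trend(kpi)]
    current = kpi.history[-1]
    if kpi.direction == "min":
        gap = kpi.target - current   # > 0: below the minimum target
    elif kpi.direction == "max":
        gap = current - kpi.target   # > 0: above the maximum target
    else:
        raise ValueError(f"unknown direction {kpi.direction!r}")
    if gap <= 0:
        return "green"
    return "yellow" if gap <= kpi.tolerance else "red"


def review_line(kpi: Kpi) -> str:
    """One agenda line: light, current value, trend, plus the context prompt
    the article asks for on every yellow or red KPI."""
    light = traffic_light(kpi)
    line = f"[{light.upper():6}] {kpi.name}: {kpi.history[-1]:g}{kpi.unit} ({trend(kpi)})"
    if light != "green":
        line += " -> cause? measures underway? recommendation?"
    return line


# Constructed sample data, loosely following the article's KPI tables.
SAMPLE_KPIS = [
    Kpi("Patch rate for critical systems", [91, 92, 93, 94], 95, "min", tolerance=2),
    Kpi("Phishing click rate", [15, 13, 12, 8], 10, "max", tolerance=2),
    Kpi("Vulnerability remediation time", [9, 11, 13, 16], 14, "max", tolerance=3, unit=" days"),
    Kpi("Incident reports by employees", [4, 4, 5, 3], direction="trend_up", unit=""),
]

if __name__ == "__main__":
    for k in SAMPLE_KPIS:
        print(review_line(k))
```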

Documenting Decisions and Action Items

The most important output of the management review is decisions. Clause 9.3 of the standard explicitly requires that the review lead to decisions and actions regarding:

  • Opportunities for continual improvement: What should be improved? Which improvement projects are approved?
  • Need for changes to the ISMS: Does the scope need to be adjusted? Do new policies need to be created? Does the risk assessment need to be updated?
  • Resource needs: Are additional staff, budget, or tools needed? Senior management must be prepared to release the necessary resources.

Good vs. Bad Decisions in the Minutes

The way decisions are formulated determines whether they will be implemented. Here is a comparison:

Bad: "Management acknowledges the audit results and instructs the IT department to remediate the identified vulnerabilities."

Why bad? No specific assignment, no responsible person, no deadline, no measurability. This formulation will lead to nothing.

Good: "Management instructs Mr. Schneider (IT Manager) to present a concept for implementing automated vulnerability management by June 30, 2026. The concept should include tool selection, resource requirements, and an implementation timeline. Budget for the tool up to EUR 15,000 is pre-approved."

Why good? Specific assignment, named responsible person, deadline, defined deliverable, already-approved resources. This decision can be tracked and reviewed at the next review.

Tracking Action Items

Every action item from the management review needs:

| Field | Description |
|---|---|
| Number | Unique identifier (e.g., MR-2026-001) |
| Assignment | Concrete description of the task |
| Responsible | Name of the responsible person |
| Deadline | Date by which the assignment must be completed |
| Status | Open / In progress / Completed / Overdue |
| Result | What was actually delivered? |

This table becomes the first agenda item of the next management review. This is how the cycle closes.

The Minutes: Structure and Template

The management review minutes are documented evidence per ISO 27001. They must be treated as controlled documented information — with versioning, date, approval, and controlled access.

Minutes Structure

1. Formal details:

  • Date and time of the session
  • Participants (names and roles)
  • Minute-taker
  • Version number and approval status

2. Status of actions from the last review: For each open action: what was the assignment? What is the current status? Management's assessment (accepted, further action needed, deadline extended).

3. Changes in context: Which external and internal changes were discussed? What impacts on the ISMS were identified? What measures are derived from them?

4. ISMS performance: Summary of KPIs with assessment. Highlighting of areas requiring special attention. Discussion of causes of target deviations.

5. Audit results: Summary of internal audit results. Number and type of findings. Status of corrective actions. Management's assessment.

6. Risk status: Current risk situation. New or changed risks. Status of the risk treatment plan. Decision on acceptance of residual risks.

7. Feedback from interested parties: Feedback from customers, partners, authorities. New requirements or expectations.

8. Improvement opportunities: Identified improvement potentials. Approved improvement projects.

9. Decisions and action items: All decisions and action items with responsible persons and deadlines. This section is the most important part of the minutes and will be the first thing reviewed at the next management review.

10. Next review: Planned date for the next management review.

Sample Minutes (Excerpt)

Here is what a concrete minutes entry might look like:

Management Review ISMS — Minutes
Date: March 15, 2026, 10:00 AM - 12:00 PM
Participants: J. Fischer (CEO), M. Schneider (IT Manager), K. Weber (ISO), L. Braun (DPO)
Minutes: K. Weber
Version: 1.0 | Status: Approved

Item 1: Status of Actions from MR-2025-02

| No. | Action | Resp. | Deadline | Status |
|---|---|---|---|---|
| MR-2025-007 | Implement MFA for all remote access | Schneider | Jan 31, 2026 | Completed. MFA via Microsoft Authenticator active for all VPN and cloud access. Coverage: 98% (2 service accounts excluded, documented). |
| MR-2025-008 | Vendor assessment for top 5 IT service providers | Weber | Feb 28, 2026 | Completed. 4 of 5 assessments completed. Assessment for cloud provider X pending (questionnaire not answered). CEO decides: escalation through account manager by April 15, 2026. |
| MR-2025-009 | Budget for security awareness platform | Fischer | Dec 31, 2025 | Completed. Budget of EUR 8,000 approved. Platform in use since Feb 1, 2026. |

Item 4: ISMS Performance (KPIs Q4/2025 and Q1/2026)

Patch rate for critical systems: 94% (Target: 95%). Cause: Two legacy systems in production cannot be patched promptly. Discussion: CEO approves project to replace legacy systems (see action item MR-2026-003).

Training completion rate: 97% (Target: 95%). Positive: All new employees completed onboarding training within the first week.

Phishing click rate: 8% (Target: < 10%). Improvement over previous quarter (12%). Positive trend.

Item 9: Decisions and Action Items

| No. | Assignment | Resp. | Deadline |
|---|---|---|---|
| MR-2026-001 | Escalation of vendor assessment for cloud provider X through account manager | Weber | Apr 15, 2026 |
| MR-2026-002 | Prepare ISMS scope extension to new Munich location (scope analysis, risk identification) | Weber | Jun 30, 2026 |
| MR-2026-003 | Present concept for replacing the two legacy production systems | Schneider | Jun 30, 2026 |
| MR-2026-004 | Test business continuity plan for ransomware scenario (tabletop exercise) | Weber, Schneider | May 31, 2026 |

Next Management Review: September 15, 2026, 10:00 AM
This template shows the essential elements: clear structure, traceable decisions, concrete action items with responsible persons and deadlines. It does not need to be pretty, but it must be complete and traceable.

Typical Frequency and Timing

The standard does not prescribe a fixed frequency but speaks of "planned intervals." In practice, the following models have become established:

Annually: The minimum that most certification bodies accept. One management review per year is sufficient for organizations with a stable ISMS and low change dynamics. The typical timing: four to six weeks after the internal audit, so that audit results can be incorporated.

Semi-annually: Recommended for organizations that have just built their ISMS or are preparing for initial certification. The higher frequency enables faster course correction and shows the certification auditor that management is actively involved.

Quarterly: Appropriate in highly regulated industries (financial sector, healthcare) or for organizations with high change dynamics. However, the effort for preparation and execution increases considerably. A compromise: a brief quarterly status update (30 minutes) and a full semi-annual review (two hours).

Event-driven: In addition to regular reviews, an extraordinary review may be necessary, for example after a serious security incident, a fundamental organizational change, or a significant shift in the threat landscape. These event-driven reviews do not need to cover the full scope but should assess the relevant context and document decisions.

Practical Time Planning

For an annual management review, the following timeline is recommended:

| When | What | Who |
|---|---|---|
| T minus 8 weeks | Complete internal audit | Audit team |
| T minus 4 weeks | Collect and prepare KPI data | ISO |
| T minus 3 weeks | Update risk report | ISO / risk owners |
| T minus 2 weeks | Update status of open actions | All responsible persons |
| T minus 1 week | Send review documents to participants | ISO |
| T | Conduct management review | All participants |
| T plus 1 week | Create minutes and submit for approval | ISO |
| T plus 2 weeks | Minutes approved and distributed | CEO / ISO |

Plan three to five working days total for preparation. That sounds like a lot, but collecting the data, preparing it, and putting it into an understandable format takes time. ISMS Lite aggregates risk status, audit results, open actions, and KPIs automatically, so you can compile the review documents in hours instead of weeks. For 500 euros per year you get all modules, including KPI dashboards and audit documentation, with no user limits.

Common Mistakes in the Management Review

To close, the mistakes that most frequently cause a management review to be challenged during a certification audit:

Senior management not present. If the CEO is absent from the review and the IT manager signs the minutes instead, that is a nonconformity. Top management must attend personally. There is no delegation arrangement for this.

Mandatory inputs missing. A review that only discusses risk status and audit results is incomplete. All nine mandatory inputs must be addressed. This does not mean each point requires pages of analysis. If there was no relevant feedback from interested parties, one sentence suffices: "No relevant feedback from interested parties was received during the reporting period." But the point must appear in the minutes.

No concrete decisions. "Management acknowledges the report" is not a decision. The management review must lead to concrete measures. If everything is truly in order, the decision can be: "The ISMS will be continued in its current form. The information security objectives for 2027 are confirmed." But even that is a deliberate decision that gets documented.

Results are not followed up. The most common mistake of all. Action items are assigned, but at the next review nobody asks about their status. A certification auditor will take the action items from the last review and ask about implementation status. If embarrassed silence follows, that is a clear sign of a non-functioning ISMS.

Minutes too vague. Minutes that only contain "The risk situation was discussed" are worthless. What was discussed? What was the result? What decision was made? The minutes must make it traceable that a genuine assessment took place — not just an exchange of information.

Review as a lecture. If the ISO presents for 90 minutes and management just nods, no real review has occurred. Management must ask questions, make assessments, and take decisions. This requires that documents are sent in advance and the session is designed as a discussion, not a presentation.

Further Reading

The management review is fundamentally a simple process: collect data, assess together, make decisions, document, follow up. The challenge lies not in the complexity but in the discipline. If you take this process seriously and execute it consistently, it will become one of the most valuable instruments of your ISMS. It forces senior management to regularly engage with information security, and it forces the ISMS team to make its work measurable and traceable. Both sides benefit from it.

Prepare your management review

ISMS Lite delivers all the data for your management review at the push of a button: risk status, audit results, open actions, KPI dashboards. So that preparation takes hours, not weeks.
