To help you prepare confidently, here’s a detailed breakdown of everything that must be reviewed according to ISO 27001:2022 clause 9.3.
Each item includes what it means, why it matters, and what type of evidence or data you should present.
1. Status of Previous Actions
This is where you confirm progress from the last Management Review. Any open tasks, corrective actions, or decisions previously assigned must be tracked and reported.
Why it matters:
Auditors want proof of continuous improvement, not repeated discussions with no action.
What to prepare:
- A list of previously agreed actions
- Status (Completed, In Progress, Delayed, Canceled)
- Owners and reason for any delays
✔ Example: “Access review automation rollout scheduled for Q4; delayed due to vendor onboarding.”
2. Changes Affecting the ISMS
Organizations evolve, and so do security risks. This section highlights any changes in:
- Business structure (new departments, mergers, outsourcing)
- Legal, regulatory, or contractual obligations
- IT infrastructure (new systems, SaaS platforms, cloud migration)
- Stakeholders, supply chain, or security expectations
Why it matters: Changes influence risk level and control effectiveness. ISO requires security to adapt, not remain static.
3. ISMS Objectives & Key Performance Indicators (KPIs)
Present measurable progress toward your information security goals. KPIs should be meaningful, measurable, and aligned with business priorities, not vague.
4. Results of Internal and External Audits
Summarize the findings, not the full reports.
Include:
- Audit scope and date
- Number and type of findings (minor, major, OFI)
- Root causes and trends (recurring issues)
- Status of corrective actions
Tip: If the same findings appear multiple times, auditors will question control effectiveness.
5. Risk Management and Risk Treatment Status
Review your current risk register and treatment plan.
Include:
- New risks identified
- Changes in risk levels (increased or reduced)
- Status of ongoing risk treatment activities
- Residual risks that require acceptance or escalation
Why it matters:
ISO 27001 is risk-based; your decisions must reflect your real, documented risk posture.
6. Information Security Incidents and Trends
Even if no incidents occurred, this must still be reported.
Include:
- Number of incidents during the reporting period
- Severity classification (low, medium, high)
- Root cause analysis
- Time taken to detect, respond, and resolve incidents
- Preventive actions or lessons learned
7. Compliance and Stakeholder Feedback
Report how well the organization meets legal, regulatory, and contractual security requirements.
Include:
- Client or regulatory feedback
- Customer questionnaires (e.g., vendor security assessments)
- New compliance drivers (e.g., Cyber Essentials, SOC 2, NIS2)
This shows alignment with market expectations and external obligations.
8. Resource Needs and Improvement Opportunities
Based on performance, risk exposure, and audit results, discuss whether the ISMS needs:
- Additional staff
- New tools (e.g., SIEM, vulnerability scanner, GRC tool)
- Budget allocation
- More training or awareness materials
This is also where proposed improvements, innovations, or simplifications can be raised.
Goal: Enable leadership to make informed investment decisions.
Compliance Reminder:
The contents of this checklist aren’t just talking points; they must be documented. The Minutes of the Meeting from the Management Review are mandatory audit evidence and will be reviewed during ISO 27001 Surveillance Audits to confirm that decisions, accountability, and improvements are being tracked.
Ready to strengthen your ISO 27001 compliance and streamline your Management Review process?
Our team can help you prepare documentation, run the session, and ensure you’re audit-ready.
Book a free consultation today.