
ISO 27001 Management Review Minutes Template

A complete ISO 27001 management review minutes template for Clause 9.3. Includes agenda structure, required inputs and outputs, evidence checklist, and common audit findings to avoid.

ISO/IEC 27001:2022 • Clause 9.3 • Audit-Ready Minutes


Agenda, Inputs, Outputs, and Evidence (ISO/IEC 27001:2022 Clause 9.3)

Management Review is one of the easiest ISO 27001 requirements to “do,” and one of the easiest to fail on evidence.
This blog gives you a complete, internal-audit-ready minutes template plus a practical agenda, required inputs/outputs,
and the exact proof auditors look for.

What 9.3 proves: Top management is governing the ISMS using evidence and decisions.

Why audits fail: Minutes list topics, but no decisions, no owners, no evidence references.

Fast win: Standard agenda + action tracker + evidence pack folder.

Why management review minutes matter (and why auditors focus on them)

Clause 9.3 Management Review proves one thing: top management is actually governing the ISMS.

Auditors don’t just want to see that a meeting happened. They want evidence that management:

  • reviewed the required inputs,
  • made decisions,
  • assigned owners and timelines,
  • and followed up.
High-intent reality
If you’re preparing for ISO 27001 certification (or a surveillance audit), clean 9.3 minutes can save you from avoidable nonconformities.

What ISO 27001 Clause 9.3 requires (plain English)

Management must review the ISMS at planned intervals to ensure it remains suitable,
adequate, effective, and aligned with strategic direction.

The review must include specific inputs and produce specific outputs. That’s why auditors ask for:

  • an agenda that maps to 9.3 inputs,
  • minutes showing discussion and decisions,
  • evidence attachments (reports, KPIs, audit results),
  • and action tracking (owners, due dates, status).

Management Review Agenda (ISO 27001:2022 Clause 9.3 Inputs)

Use this agenda structure to keep your meeting factual and auditor-ready.

Clause 9.3 agenda structure (copy/paste)
Agenda item | What to cover | Output to record
1) Opening (meeting details) | Date/time, attendees, scope reviewed, last actions status | Status decisions + carry-forward actions
2) Changes that affect the ISMS | Internal + external changes and impact | Risk/control updates required
3) ISMS performance results | Objectives, KPIs, monitoring results, incidents, nonconformities | Decisions on targets, actions, priorities
4) Audit results | Internal/external audits + closure effectiveness | Closure decisions + resourcing
5) Feedback from interested parties | Customer questionnaires, contracts, complaints, regulator/insurer feedback | Actions for obligations and responses
6) Risk + treatment status | Top risks, movement, acceptances, RTP, SoA updates | Accept/mitigate decisions + dates
7) Resource adequacy | Staffing, tooling, budget, training needs | Approvals, constraints, risk decisions
8) Opportunities for improvement | Controls, processes, automation, policy/training | Approved improvements + owners
9) Decisions and actions (outputs) | Decisions, actions, owners, due dates, approvals | Action tracker + sign-offs

What auditors look for in management review minutes

Auditors typically look for these proof points:

  • ✅ Meeting happened at planned interval (annual minimum; many do quarterly)
  • ✅ Inputs are explicitly covered (not implied)
  • ✅ Outputs are clearly recorded
  • ✅ Actions have owners + deadlines
  • ✅ Evidence is attached or referenced
  • ✅ Follow-up exists from previous review
Common audit finding
Minutes list topics, but no decisions, no owners, and no evidence references.

ISO 27001 Management Review Minutes Template (Copy/Paste)

Tip
Keep minutes factual. Avoid storytelling. Capture decisions, evidence reviewed, and actions assigned.

ISO 27001 ISMS Management Review Minutes (Template)
Organization: [Company Name]
ISMS Scope: [Scope statement or reference]
Meeting Type: Management Review (ISO 27001:2022 Clause 9.3)
Period Covered: [e.g., Q1 2026 / Jan–Mar 2026]
Date/Time: [YYYY-MM-DD, Time]
Location/Mode: [In-person / Teams / Zoom]
Chair: [Name, Title]
Minute Taker: [Name, Title]
Attendees
[Name, Role/Title]
[Name, Role/Title]
[Name, Role/Title]
Absentees
[Name, Role/Title]
Agenda Reference
This meeting followed the Management Review agenda aligned to ISO 27001:2022 Clause 9.3 inputs.
1) Review of Previous Actions
Summary of last review actions:
Action #1: [Description] — Owner: [Name] — Due: [Date] — Status: [Open/Closed]
Action #2: [Description] — Owner: [Name] — Due: [Date] — Status: [Open/Closed]

Notes / Evidence reviewed:
[Link/report name/version]
[Ticket IDs / tracker reference]

Decisions:
[Decision, if any]

2) Changes in Internal and External Issues (Clause 4.1 + 9.3 input)
Internal changes since last review: [System/org/process changes]
External changes since last review: [Regulatory/customer/threat changes]
Impact on ISMS: [Risk/control priority changes]

Evidence reviewed:
[Risk register update]
[Change log / project list]
[Legal/regulatory tracking list]

Decisions / Actions:
Action: [Description] — Owner: [Name] — Due: [Date]

3) Interested Parties Feedback (Clause 4.2 + 9.3 input)
Key feedback received: [Questionnaires/complaints/SLA]
Regulator/insurer feedback: [Details]

Evidence reviewed:
[Customer security requests log]
[Contracts/security addenda changes]

Decisions / Actions:
Action: [Description] — Owner: [Name] — Due: [Date]

4) ISMS Performance and Effectiveness (Clause 9.1 + 9.3 input)
Security objectives status:
Objective 1: [Objective] — Metric: [KPI] — Current: [Value] — Target: [Value] — Trend: [Up/Down/Stable]
Objective 2: [Objective] — Metric: [KPI] — Current: [Value] — Target: [Value] — Trend: [Up/Down/Stable]

Monitoring and measurement highlights: [Key metrics + meaning]
Incidents and near-misses: Number: [#] — Material: [Yes/No] — Lessons applied: [Yes/No + list]

Evidence reviewed:
[KPI dashboard/report]
[Incident summary report]
[Awareness/phishing report]

Decisions / Actions:
Action: [Description] — Owner: [Name] — Due: [Date]

5) Audit Results (Clause 9.2 + 9.3 input)
Internal audit summary: Audits completed: [#] — Findings: Major [#], Minor [#], Opportunities [#] — High-risk findings: [List]
External audit summary (if applicable): [Type/date + findings]

Evidence reviewed:
[Internal audit reports]
[Corrective action tracker]

Decisions / Actions:
Action: [Description] — Owner: [Name] — Due: [Date]

6) Nonconformities and Corrective Actions (Clause 10.1 + 9.3 input)
Open NCs: NC #1: [Desc] — Owner: [Name] — Due: [Date] — Status: [Open/In progress]
NC #2: [Desc] — Owner: [Name] — Due: [Date] — Status: [Open/In progress]

Effectiveness verification: Closed actions verified? [Yes/No] — Method: [Sample/test/metrics]

Evidence reviewed:
[RCA reports]
[Verification results]

Decisions / Actions:
Action: [Description] — Owner: [Name] — Due: [Date]

7) Risk Assessment and Risk Treatment Status (Clause 6.1 + 9.3 input)
Top risks (current period):
[Risk] — Level: [H/M/L] — Owner: [Name] — Treatment: [On track/At risk]
[Risk] — Level: [H/M/L] — Owner: [Name] — Treatment: [On track/At risk]

Risk acceptances: Accepted risk: [Risk] — Approved by: [Name] — Date: [Date] — Review date: [Date]
SoA changes (if any): [Control changes + justification]

Evidence reviewed:
[Risk register version/date]
[Risk treatment plan]
[SoA version/date]

Decisions / Actions:
Action: [Description] — Owner: [Name] — Due: [Date]

8) Resource Adequacy (Clause 7.1 + 9.3 input)
Resources reviewed: Staffing: [Adequate/Not] — Tools: [Adequate/Gaps] — Training: [Status]
Constraints and risks: [List]

Decisions:
Approved resource/budget: [What] — Amount: [If applicable] — Owner: [Name] — Date: [Date]

Actions:
Action: [Description] — Owner: [Name] — Due: [Date]

9) Opportunities for Improvement (Clause 10.2 + 9.3 input)
Opportunities identified: [Process] [Control] [Automation] [Policy/training]
Decisions / Actions:
Action: [Description] — Owner: [Name] — Due: [Date]

10) Management Review Outputs (Clause 9.3.3)
Outputs Summary
Decisions related to ISMS improvements: [Decision]
Decisions related to changes needed to ISMS: [Decision]
Decisions related to resource needs: [Decision]

Assigned actions (tracker):
Action ID: [#] — Description: [Action] — Owner: [Name] — Due: [Date] — Priority: [H/M/L]

11) Attachments / Evidence Pack (References)
[KPI dashboard/report name + date]
[Internal audit summary + reports]
[Corrective action tracker export]
[Risk register + RTP + SoA]
[Incident report summary]
[Supplier/security questionnaire log]
[Training/awareness metrics]
[Change management summary]

12) Sign-Off
Chair (Top Management): ___________________ Date: __________
ISMS Manager / Security Lead: _______________ Date: __________
Minute Taker: _____________________________ Date: __________

Evidence pack folder structure (simple and audit-friendly)

If you want auditors to move fast, store evidence in a predictable structure.

/ISMS/Management Review/2026-Q1/
01_Agenda.pdf
02_Minutes_Signed.pdf
03_KPIs_and_Objectives.pdf
04_Internal_Audit_Summary.pdf
05_Corrective_Actions.xlsx
06_Risk_Register_RTP_SoA.pdf
07_Incident_Summary.pdf
08_Training_Awareness.pdf
09_Supplier_Feedback.pdf
10_Change_Summary.pdf
Auditors love this because it reduces time spent “hunting.”

Common internal audit findings for Clause 9.3 (avoid these)

Quick pre-check
  • Minutes don’t show the required inputs
  • No evidence referenced (no reports, no data)
  • Actions exist but no owner or due date
  • Same actions repeat each quarter (no closure)
  • No proof of top management participation
  • “Reviewed risks” is written, but risk register isn’t updated
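
To make the pre-check above repeatable, here is an added example (not Canadian Cyber's own tooling and not part of the original post) of a small Python linter for minutes kept as plain text in the layout of the template on this page. It assumes "N) Heading" section lines, "Evidence reviewed:" lists that end at a blank line or the next heading, and action lines whose Owner, Due and Status fields are separated by the template's em-dash; the section labels, the finding texts and the two sets of sample minutes are constructed for the example.

```python
"""Lint Clause 9.3 management review minutes for the audit findings listed above.
Added example, not Canadian Cyber's own tooling. Assumes plain-text minutes in the
template layout on this page ("N) Heading" sections, "Evidence reviewed:" lists,
em-dash separated action fields). The sample minutes below are constructed."""
import re
from datetime import date

# Clause 9.3 inputs expected as section headings (case-insensitive substring match).
REQUIRED_INPUTS = (
    "Review of previous actions", "Changes in internal and external issues",
    "Interested parties feedback", "ISMS performance and effectiveness",
    "Audit results", "Nonconformities and corrective actions",
    "Risk assessment and risk treatment status", "Resource adequacy",
    "Opportunities for improvement",
)
HEADING_RE = re.compile(r"^\d+\)\s+(.+)$")
PLACEHOLDER_RE = re.compile(r"^(\[.*\]|TBD|TBC)?$", re.IGNORECASE)  # unfilled field


def is_placeholder(value):
    """Template brackets, TBD/TBC or an empty value count as 'not filled in'."""
    return value is None or PLACEHOLDER_RE.match(value.strip()) is not None


def parse_action(line):
    """Split 'Action #1: Desc — Owner: X — Due: 2026-03-31 — Status: Open' into fields."""
    if not line.startswith("Action") or ":" not in line:
        return None
    head, *rest = (p.strip() for p in line.split("—"))
    fields = {k.strip().lower(): v.strip()
              for k, v in (p.split(":", 1) for p in rest if ":" in p)}
    return {"description": head.split(":", 1)[1].strip(), "owner": fields.get("owner"),
            "due": fields.get("due"), "status": fields.get("status", "")}


def open_actions(text):
    # Descriptions of actions not marked Closed, used for carry-over detection.
    actions = (parse_action(l.strip()) for l in text.splitlines())
    return {a["description"] for a in actions if a and a["status"].lower() != "closed"}


def lint_minutes(text, previous=None):
    """Return finding strings for one review, plus carry-overs from `previous` if given."""
    findings, evidence, section, in_evidence = [], {}, "(preamble)", False
    headings = [m.group(1).lower() for m in map(HEADING_RE.match, text.splitlines()) if m]
    for label in REQUIRED_INPUTS:                       # finding: inputs not shown
        if not any(label.lower() in h for h in headings):
            findings.append(f"missing 9.3 input section: {label}")
    for line in (l.strip() for l in text.splitlines()):
        if (m := HEADING_RE.match(line)):
            section, in_evidence = m.group(1), False
        elif "evidence reviewed" in line.lower() and line.endswith(":"):
            in_evidence = True
            evidence.setdefault(section, [])
        elif not line:
            in_evidence = False
        elif in_evidence:
            if not is_placeholder(line):                # placeholders are not evidence
                evidence[section].append(line)
        elif (action := parse_action(line)):
            for field in ("owner", "due"):              # finding: no owner / due date
                if is_placeholder(action[field]):
                    findings.append(f"{section}: action '{action['description']}' has no {field}")
            if not is_placeholder(action["due"]):
                try:
                    date.fromisoformat(action["due"])
                except ValueError:
                    findings.append(f"{section}: due date '{action['due']}' is not YYYY-MM-DD")
    findings += [f"{s}: no evidence referenced (placeholders only)"
                 for s, refs in evidence.items() if not refs]
    if previous is not None:                            # finding: same action repeats, no closure
        findings += [f"action '{d}' still open from previous review (no closure)"
                     for d in sorted(open_actions(previous) & open_actions(text))]
    return findings


# Constructed sample minutes: last quarter's (for carry-over) and this quarter's.
PREVIOUS_MINUTES = """\
1) Review of Previous Actions
Action #1: Enable MFA on VPN for contractors — Owner: J. Smith — Due: 2025-12-31 — Status: Open
Action #2: Publish acceptable use policy v3 — Owner: A. Lee — Due: 2025-11-30 — Status: Closed
"""
CURRENT_MINUTES = """\
1) Review of Previous Actions
Action #1: Enable MFA on VPN for contractors — Owner: J. Smith — Due: 2026-03-31 — Status: Open

Notes / Evidence reviewed:
[Ticket IDs / tracker reference]
2) Changes in Internal and External Issues
Evidence reviewed:
Change log CL-2026-01 v2

Decisions / Actions:
Action: Update asset inventory for new HR platform — Owner: [Name] — Due: [Date]
3) Interested Parties Feedback
Evidence reviewed:
Customer questionnaire log, 2026-03-15

Decisions / Actions:
Action: Respond to customer security addendum — Owner: A. Lee — Due: 30/04/2026
"""

if __name__ == "__main__":
    print("\n".join(lint_minutes(CURRENT_MINUTES, previous=PREVIOUS_MINUTES)))
```

Run as a script it prints one line per finding for the constructed minutes: six missing input sections, an action with no owner and no due date, a due date that is not in YYYY-MM-DD form, a section whose only evidence entry is an unfilled placeholder, and an action carried over unchanged from the previous review. Pass the previous review's minutes as the second argument whenever you want the carry-over check; without it the other checks still run.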

If you’re preparing for certification or surveillance audits, the fastest win is making Management Review consistent and evidence-based.
A vCISO-led approach typically includes:
  • a quarterly management review cadence
  • board-ready KPI dashboards (not tool noise)
  • a clean action tracker tied to risk and audit findings
  • an evidence pack structure that passes audits
