Why management review is not a meeting formality
Auditors look for real decisions and follow-ups in your management review, not a calendar invite. Here is what a substantive review actually produces.
By Kellwick Team · April 1, 2026 · 3 min read
Management review is one of the most underrated requirements in ISO 27001. Teams treat it as a box to tick, then wonder why it draws auditor attention. Done properly, it is where leadership actually looks at the ISMS and decides what changes. Done badly, it is a nonconformity with a timestamp.
What the auditor is really checking
An auditor reading your management review is asking a simple question: did leadership genuinely engage, or did someone write minutes to satisfy the standard? They look for evidence of real review and real decisions - the kind you cannot fabricate after the fact.
That means they check who attended, whether the right inputs were considered, and whether anything actually changed as a result. A review with no decisions and no follow-ups reads as theatre, however polished the document.
The inputs that must be on the table
ISO 27001 expects management review to consider a defined set of inputs. Skipping them is a common finding. At minimum, put these in front of leadership:
- Status of actions from previous reviews.
- Changes in internal and external issues relevant to the ISMS.
- Feedback on security performance, including trends in incidents and monitoring.
- Results of internal audits and any external audits.
- Status of risks and risk treatment.
- Progress against your security objectives.
- Opportunities for improvement and resource needs.
You do not need a hundred slides. You need each input covered honestly, with enough data for leadership to make a judgement rather than nod along.
The outputs that prove it happened
Inputs show you prepared. Outputs show leadership actually reviewed. A substantive management review produces decisions, and those decisions should be specific:
- Named actions with owners and dates, not vague intentions.
- Resource decisions - approving a hire, a tool or a budget, or explicitly declining one.
- Changes to objectives or risk appetite where the data warrants it.
- Escalations that leadership chose to prioritise.
If your minutes record discussion but no decisions, the review did not do its job. The follow-up in the next review - showing those actions were tracked and closed - is what proves the cycle is real.
Common failure patterns
The reviews that generate findings tend to share a few traits:
- Delegated too far down. If no one with real authority attended, no real decisions could be made. Leadership presence is the point.
- Held once, in a panic, before the audit. A single review the month before certification tells the auditor the process is not routine.
- All input, no output. Pages of metrics, no decisions. This is the most common version of the mistake.
- Actions that never close. Last year's actions still open this year signal a review that talks but does not act.
How often and how much
You do not need monthly reviews. Most organisations run a substantive management review once or twice a year, with lighter touchpoints in between if the pace of change demands it. What matters is that it is regular, planned and consistent - not a scramble triggered by an upcoming audit. Keep the minutes clear: attendees, inputs considered, decisions made, actions assigned. That record is your evidence.
Bottom line
Management review is where your ISMS proves that leadership owns it. Real inputs, real decisions and tracked follow-ups are what separate a governing review from a calendar formality. If your last review produced minutes but no decisions, that is worth fixing before an auditor points it out - and a short readiness review can tell you whether your cycle would hold up.