Management Review Template

The management review is one of the most under-used parts of an ISO management system. In most organisations, it is a sit-down where someone reads out a list of inputs from clause 9.3.2, the senior team nods, the minutes get filed, and nothing changes. The standard is clear that this is not the point. Clause 9.3.3 requires outputs: decisions on improvements, changes to the management system, and resource needs. A review without outputs is not a management review, it is a status update.

What an ISO Management Review Has to Cover

Clause 9.3.2 lists the required inputs: the status of actions from previous reviews; changes in external and internal issues, including legal and regulatory changes; performance information from monitoring, audits, nonconformities, and customer feedback; risks and opportunities; adequacy of resources; effectiveness of actions taken to address risks; and opportunities for improvement. The 14001, 27001 and 45001 versions add their own specific inputs, which is why most organisations end up running separate reviews for each standard. They do not have to.

Why Most Management Reviews Fail

The first failure is treating the review as an audit exercise rather than a planning meeting. The agenda mirrors clause 9.3.2 verbatim, the comments column gets a sentence each, and the meeting ends without any decisions being made. The second is running the review immediately before the external audit, so it becomes a paperwork tidy-up rather than a strategic conversation. The third is excluding people who could actually act on findings. If the only person who can authorise a change is not in the room, the review will produce noted observations and no actions.

What a Management Review Should Actually Produce

Clause 9.3.3 is short and specific. The outputs of the management review must include decisions related to continual improvement opportunities and any need for changes to the management system. The phrase "must include decisions" is the part most organisations skip. A management review without documented decisions, named owners, and target dates does not meet the clause. Reviewing your objectives sits naturally here. Were last year's objectives achieved? If not, why not? What objectives will the organisation set for the next period, who owns them, and how will success be measured? This is the half that turns a clause-tick exercise into a meeting that runs the management system.

The Management Review as a Surveillance Audit Checklist

A well-structured management review form doubles as the preparation checklist for next year's surveillance audit. Every section the form covers - legal compliance, training records, supplier performance, audit findings, risk register currency, objectives progress - is something the surveillance auditor will check. Working through the form properly each year means there is no last-minute scramble before the audit, no panic about whether registers are up to date, and no surprises in the assessor's findings. Clients who get in touch a year after certification asking what they need to do for their surveillance visit are usually directed straight back to the management review form. If it has been completed properly, the answer is not much.

How to Run a Management Review That Works

An integrated review covers all your ISO standards in a single sitting, with optional sections for whichever standards apply. There is no requirement in any of the standards to run separate reviews for quality, environmental, health and safety, and information security. Run them together, structure the agenda around how the business actually operates rather than around clause numbers, and include the people who can make decisions. Build in the objectives review and objectives-setting at the end so that reviewing and setting objectives is either completed or signposted. If you can't get everyone to attend a management review meeting, it's no big deal - 'management review' is just something that needs to be documented, so you can simply distribute the meeting notes to collect contributions and comments from the key people.

Our F-Q3 Management Review Form is structured around business operations rather than ISO clauses, with optional sections for ISO 14001, 27001, 45001 and 22301 marked clearly. The form includes a built-in objectives review and objectives-setting table per standard, with columns for actions, success measures, ownership and target dates. 

Download the F-Q3 Management Review Form

Published: 1 May 2026