Management Review for ISO 22301 Business Continuity
ISO 22301 Clause 9.3
This sub-clause requires top management to review the BCMS at planned intervals to confirm continuing suitability, adequacy and effectiveness, with structured inputs and outputs.
ISO 22301 Clause 9.3 - Management Review
Clause 9.3 closes the performance evaluation loop. Where 9.1 monitors and 9.2 audits, 9.3 brings the findings together for top management to consider and act on. The clause is prescriptive about the inputs that have to be considered and the outputs that have to be produced - it is one of the more structured clauses in the standard.
What ISO 22301 Clause 9.3 Requires
Under Clause 9.3.1, top management must review the BCMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
Under Clause 9.3.2, the review must consider:

- the status of actions from previous reviews;
- changes in internal and external issues;
- information on BCMS performance, including non-conformity and corrective action, monitoring and measurement results, audit results, and feedback from interested parties;
- the need for change to the BCMS;
- resources and procedures that could improve effectiveness;
- information from the risk assessment and BIA;
- the output from the evaluation of business continuity documentation and capabilities at Clause 8.6;
- risks or issues not adequately addressed in earlier risk assessments;
- lessons learned and actions arising from near-misses and disruptions;
- opportunities for continual improvement.
Under Clause 9.3.3, the outputs must include decisions related to continual improvement opportunities and any need for changes to the BCMS to improve its effectiveness. They must include variations in scope; updates to the BIA, risk assessment, strategies, solutions and plans; modifications to procedures and controls; and how the effectiveness of controls will be measured. Documented information must be retained as evidence. Results must be communicated to relevant interested parties and appropriate actions taken.
Running the Management Review
Most organisations conduct a single annual management review covering all the management systems they hold, with BCMS-specific items added to the standard agenda. That keeps the cycle manageable and avoids duplication. The agenda flows naturally from the input list - previous actions, context changes, performance data, audit results, BIA and risk assessment outputs, capability evaluation, lessons learned, opportunities. The output is recorded in a structured way against each input area, with actions, owners and dates assigned for follow-through.
For ISO 22301 specifically, the inputs from Clause 8.6 (capability evaluation) deserve direct attention - the management review should be where top management hears the conclusions of the year's exercises, incidents and supplier reviews and decides what to change.
A pre-prepared management review template that lists every required input area saves a lot of time. People populate the template in the days before the review, the meeting itself focuses on the discussion and the decisions, and the outputs are captured in the same template. Top management contribute to it; they do not have to prepare the inputs themselves.
I want to see a documented management review with all the required inputs covered and clear outputs - decisions, actions, owners and dates. If the review is just a meeting note that says "BCMS is performing well", that is not enough. I am looking for evidence of considered decisions and follow-through into action.
Practical Compliance Guidance
The F-Q3 Management Review form provides the structured template covering all the inputs and outputs required by the standard. Actions arising are recorded on the ER1 Issues and Actions Register and tracked through to closure. The F-IMS21 Business Continuity Register summarises the BCMS arrangements and feeds into the review.
| alphaZ document | How to use it |
|---|---|
| ISO 22301 Toolkit | The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard. |
| F-Q3 Management Review | The management review template covering all the inputs and outputs required by Clause 9.3. |
| ER1 Issues and Actions Register | The register that captures actions arising from management review and tracks them through to closure. |
| F-IMS21 Business Continuity Register | The register that summarises BCMS arrangements and provides input data for the management review. |
Subscribers to alphaZ have access to all of these documents and supporting material. Find out more about the alphaZ subscription.
