Management Review Explained for ISO 42001
ISO 42001 Clause 9.3
The management review is where top management formally engages with the AI management system. The standard sets out the inputs and outputs in detail.
ISO 42001 Clause 9.3 - Management Review Explained
Clause 9.3 follows the standard Annex SL management review requirements. The management review is the periodic activity where top management reviews the management system as a whole, considers its performance, and directs continual improvement. For an AI management system integrated with other management system standards, the AI dimension is added to the existing management review rather than handled in a separate review.
What ISO 42001 Clause 9.3 requires
Top management must review the organisation's AI management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The review must consider a defined set of inputs and produce a defined set of outputs. Documented information must be available as evidence of the results of management reviews.
Management review inputs
The standard requires the management review to include: the status of actions from previous management reviews; changes in external and internal issues that are relevant to the AI management system; changes in the needs and expectations of interested parties that are relevant to the AI management system; information on the AI management system performance, including trends in nonconformities and corrective actions, monitoring and measurement results, and audit results; and opportunities for continual improvement.
For an AI management system, the input on changes in external issues typically covers regulatory developments such as the EU AI Act, sector-specific AI guidance, and emerging case law. The input on changes in interested party expectations covers customer concerns about AI, regulator priorities, and societal expectations about transparency and fairness. The performance information covers AI risk register status, AI impact assessment outputs, AI incident statistics, and AI objective progress.
Management review outputs
The results of the management review must include decisions related to continual improvement opportunities and any need for changes to the AI management system. In practice this means a documented record of the review, the issues considered, the conclusions reached, and the actions agreed.
Common outputs of an AI management review include changes to the scope, updates to the AI policy, revisions to AI objectives, decisions on resourcing for AI activities, approval of changes to the Statement of Applicability, and direction on emerging AI risks and opportunities.
The management review is not a meeting
The standard requires top management to review the management system. It does not require this to take the form of a meeting. Management review can be conducted as a meeting, a series of meetings, a written review with documented input from contributors, or any combination that produces the required inputs and outputs. The form should suit the organisation. The substance is what the standard cares about.
The convention in many organisations is to refer to those involved in the management review as contributors rather than attendees, recognising that the review is an activity rather than an event. For organisations with multiple sites or complex governance structures, the management review may unfold over weeks rather than hours.
Frequency of management review
The standard requires review at planned intervals but does not specify a frequency. Annual review is the most common cadence and aligns well with annual audit programmes, annual objective setting and annual reporting cycles. Some organisations conduct more frequent partial reviews focused on specific aspects of the management system, with an annual full review pulling everything together.
The management review is the moment in the management system year where everything comes together. The risk register, the audit findings, the objective progress, the incident log, the regulatory landscape - all of it feeds in, and the outputs shape the next year's management system activity.
For organisations with integrated management systems, treating the management review as a single integrated activity covering all standards is efficient and produces a more coherent set of outputs. Treating ISO 42001 as a separate review parallel to the existing review usually creates duplication and missed connections.
When auditing Clause 9.3, I look for documented evidence of the management review with all required inputs covered and all required outputs produced. I want to see top management contribution, not just the attendance of the IMS lead. The management review record should make clear who contributed, what was considered, what was decided and what actions were agreed.
The most common finding is reviews that cover the wider integrated management system thoroughly but treat the AI dimension as an afterthought. Each AI-specific input needs to be identifiable in the record, and the AI-specific outputs need to be visible alongside the wider conclusions.
Our management review is annual and integrated. AI is now a section of the input pack alongside ISO 9001, ISO 14001, ISO 27001 and the rest. The MD chairs, the IMS lead presents, the section leads contribute. The output is a single management review record with the AI-specific decisions clearly identified.
Practical Compliance Guidance
IMS1 Section 2.4 Management Review sets out the procedure for the management review and confirms it is completed at least annually. The review documents both the inputs and the outputs, with the AI-specific dimension added alongside the existing inputs and outputs of the integrated management system.
The following alphaZ documents support compliance with ISO 42001 Clause 9.3.
| alphaZ document | How to use it |
|---|---|
| ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including the IMS1 Manual where management review arrangements are defined. |
| F-Q3 Management Review | The form used to document management review contributors, inputs, discussion and outputs, including the AI-specific section required for ISO 42001. |
| F-Q11 Company Objectives | Provides the AI objective progress that feeds into the management review and the updated objectives that result from it. |
| ER1 Issues and Actions Register | Provides the audit and incident data that feed into the management review and records the actions agreed at the review. |
Note - all the above files can be downloaded with an alphaZ subscription.
