Overview
Prepare, validate, and document the ISO 27001:2022 management review per Clause 9.3. The management review is the PDCA “Act” capstone — it consumes outputs from monitoring (Clause 9.1), internal audit (Clause 9.2), risk assessment (Clause 6.1), and corrective actions (Clause 10.2), producing top-management decisions that drive continual improvement.
The skill compiles an input pack from existing ISMS artifacts in the workspace, validates completeness against all 10 mandatory input categories and 3 required output decisions, and ensures every action is trackable with an owner, date, and expected outcome.
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
What It Covers
- Input pack compilation — scans workspace for ISMS artifacts (audit reports, monitoring reports, risk registers, CAPA logs) and maps them to Clause 9.3.2 input categories
- Mandatory input validation — checks all 10 required input categories are substantively addressed, not just mentioned
- Output decision verification — ensures Clause 9.3.3 required outputs (improvement, ISMS changes, resources) have explicit decisions
- Action completeness — validates every action has an assigned owner, due date, and measurable expected outcome
- Four document templates — agenda, input pack, minutes, and action tracker
Example Conversation
You: We need to prepare a management review for our ISO 27001 ISMS. We’re a SaaS company with 80 employees, certified last year.
Agent: I’ll help you prepare the management review per Clause 9.3. Let me first check what ISMS artifacts are available in your workspace. Running input_pack_compiler…
Results — 7/10 input categories have backing artifacts:
| Input Category | Status | Source Artifact |
|---|---|---|
| Previous review actions | Found | management-review-2024-Q2.md (2024-06-15) |
| Changes in external/internal issues | Found | organization-profile.json (2024-11-20) |
| Nonconformities and corrective actions | Found | capa-log.md (2024-12-01) |
| Monitoring and measurement results | Found | monitoring-report-2024-H2.md (2024-12-10) |
| Audit results | Found | internal-audit-report-2024.md (2024-11-15) |
| Risk assessment results | Found | risk-register.md (2024-10-30) |
| Opportunities for improvement | Found | gap-assessment-remediation.md (2024-08-20) |
| Interested party feedback | Missing | No artifact found |
| Changes in interested party needs | Missing | No artifact found |
| IS objectives fulfilment | Missing | No artifact found |
Three inputs need manual data. Let me help you fill the gaps:
- Interested party feedback — Have you received customer security questionnaires, complaints, partner feedback, or regulator communications since the last review?
- Interested party changes — Any new contractual requirements, regulation changes, or partner expectations?
- IS objectives — What were your information security objectives and how did you perform against them?
You: We had 3 customer security questionnaires — all satisfactory. No regulatory changes. Our objectives were: zero critical incidents (achieved), 100% training completion (92% — missed target), and vulnerability remediation within SLA (met for critical, missed for high severity).
Agent: Good. I’ll populate those into the input pack. Now let me compile the full input pack using data from the found artifacts…
Here’s a summary of key findings from your ISMS artifacts:
- Previous review: 5 actions from Q2 review — 4 closed, 1 overdue (MFA rollout for contractors)
- CAPA status: 3 NCs in period — 2 closed with verified effectiveness, 1 open (access review delays)
- Monitoring: 8 of 10 KPIs met. Two missed: training completion (92% vs 100%) and high-severity vuln remediation (35d avg vs 30d target)
- Audit: 2 minor NCs, 4 OFIs from November internal audit. Both NCs have CAPAs initiated.
- Risk register: 2 new risks added (supply chain, remote work). Risk profile: 0 critical, 3 high, 12 medium.
- Risk treatment: 2 of 3 high-risk treatments on track, 1 delayed (WAF deployment)
I’ve drafted the input pack. Shall I proceed with the agenda and minutes template?
You: Yes, and after the meeting I’ll need to validate the minutes.
Agent: Here’s the agenda with time allocations… After the meeting, paste your minutes and I’ll validate them. Running mandatory_input_validator…
Result: 9/10 inputs covered, 3/3 outputs covered
| Category | Status |
|---|---|
| Previous review actions | PASS |
| Context changes | PASS |
| Interested party changes | PASS |
| Nonconformities & CAPA | PASS |
| Monitoring results | PASS |
| Audit results | PASS |
| IS objectives | PASS |
| Interested party feedback | PASS |
| Risk results & treatment | PASS |
| Improvement opportunities | WARNING — mentioned but may lack substance |
| Output: Improvement decisions | PASS |
| Output: ISMS changes | PASS |
| Output: Resource needs | PASS |
Running action_completeness_checker…
Result: 6 actions found, 1 issue:
- Action 4 (line 87): No due date — “Investigate automated vulnerability scanning options”
Add a target date and you’re good. All other actions have owners, dates, and outcomes.
Sample Output Excerpt
Below is a representative excerpt from generated management review minutes showing the decisions and action tracker sections.
Decisions Summary (Clause 9.3.3 Outputs)
Continual Improvement
| Decision | Description | Owner | Due Date | Expected Outcome |
|---|---|---|---|---|
| D-001 | Implement automated security awareness training platform to replace manual tracking | Head of Engineering | 2025-03-31 | 100% training completion rate; automated reminders and reporting |
| D-002 | Add high-severity vulnerability remediation SLA to monitoring dashboard | Information Security Manager | 2025-02-15 | Real-time tracking of 30-day SLA for high-severity findings |
Changes to the ISMS
| Decision | Description | Owner | Due Date | Expected Outcome |
|---|---|---|---|---|
| D-003 | Update ISMS scope to include new mobile application launched in Q3 | Information Security Manager | 2025-02-28 | Scope statement, risk register, and SoA updated for mobile app |
| D-004 | Revise access control procedure to address contractor MFA requirement | Head of Engineering | 2025-03-15 | PROC-002 updated; all contractor accounts MFA-enabled |
Resource Needs
| Decision | Description | Owner | Due Date | Expected Outcome |
|---|---|---|---|---|
| D-005 | Approve budget for WAF deployment (delayed from previous quarter) | CTO | 2025-01-31 | WAF operational in production; risk R-008 treatment complete |
| D-006 | Approve 1 FTE for dedicated security operations role | CEO | 2025-Q2 | Reduced MTTD; dedicated incident response capacity |
Action Tracker
| Action ID | Description | Owner | Due Date | Priority | Related Document | Status |
|---|---|---|---|---|---|---|
| MR-003-A01 | Complete MFA rollout for contractors (carried from previous review) | Head of Engineering | 2025-01-31 | High | access-control-procedure.md | In progress |
| MR-003-A02 | Deploy automated training platform | Head of Engineering | 2025-03-31 | Medium | — | Not started |
| MR-003-A03 | Update ISMS scope for mobile app | Information Security Manager | 2025-02-28 | High | scope-statement.md, risk-register.md, soa.md | Not started |
| MR-003-A04 | Deploy WAF to production | Head of Engineering | 2025-01-31 | High | risk-register.md (R-008) | In progress |
| MR-003-A05 | Add high-severity vuln SLA to dashboard | Information Security Manager | 2025-02-15 | Medium | monitoring-report.md | Not started |
| MR-003-A06 | Hire security operations FTE | CEO | 2025-06-30 | Medium | — | Not started |
Next review date: 2025-06-30
Extension Tools
mandatory_input_validator
Validates a management review document against Clause 9.3.2 input requirements and Clause 9.3.3 output requirements:
Clause 9.3.2 Inputs (10 categories):
| # | Input Category | Severity if Missing |
|---|---|---|
| 1 | Status of actions from previous management reviews | ERROR |
| 2 | Changes in external and internal issues | ERROR |
| 3 | Changes in needs and expectations of interested parties | ERROR |
| 4a | Nonconformities and corrective actions | ERROR |
| 4b | Monitoring and measurement results | ERROR |
| 4c | Audit results | ERROR |
| 4d | Fulfilment of information security objectives | ERROR |
| 5 | Feedback from interested parties | ERROR |
| 6 | Risk assessment results and treatment plan status | ERROR |
| 7 | Opportunities for continual improvement | ERROR |
Clause 9.3.3 Outputs (3 categories):
| Output | Severity if Missing |
|---|---|
| Continual improvement opportunities | ERROR |
| Needs for changes to the ISMS | ERROR |
| Resource needs | ERROR |
Inputs matched by multiple patterns are marked PASS; single-pattern matches are marked WARNING (may lack substance).
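As an added example (not the skill's own code), the Python below applies the scoring rule just described to a constructed minutes document: a category is PASS when two or more distinct patterns match, WARNING for a single match, ERROR for none. The category names follow the tool's tables; the keyword patterns, function names, and the sample minutes are assumptions made for this illustration.

```python
import re

# Keyword patterns per category. Category names follow the tool's tables above; the
# patterns themselves are assumptions for this example, not the skill's own list.
INPUT_PATTERNS = {
    "Previous review actions": [r"previous (management )?review", r"carried (over|from)"],
    "Context changes": [r"external and internal issues", r"context changes?"],
    "Interested party changes": [r"interested part(y|ies) (needs|expectations)", r"contractual requirements?"],
    "Nonconformities & CAPA": [r"nonconformit", r"corrective actions?"],
    "Monitoring results": [r"monitoring", r"\bkpis?\b"],
    "Audit results": [r"internal audit", r"audit (results?|findings?)"],
    "IS objectives": [r"security objectives?", r"objectives?.{0,40}(achieved|met|missed)"],
    "Interested party feedback": [r"customer feedback", r"security questionnaires?"],
    "Risk results & treatment": [r"risk assessment", r"risk treatment"],
    "Improvement opportunities": [r"opportunit(y|ies) for (continual )?improvement", r"\bofis?\b"],
}
OUTPUT_PATTERNS = {
    "Output: Improvement decisions": [r"improvement decisions?", r"continual improvement"],
    "Output: ISMS changes": [r"changes? to the isms", r"isms (scope|changes?)"],
    "Output: Resource needs": [r"resource needs?", r"approved? budget"],
}


def score(text, patterns):
    """PASS when two or more distinct patterns match, WARNING for one, ERROR for none."""
    hits = sum(1 for p in patterns if re.search(p, text, re.IGNORECASE))
    return "PASS" if hits >= 2 else "WARNING" if hits == 1 else "ERROR"


def validate(minutes):
    """Score every Clause 9.3.2 input and Clause 9.3.3 output category of a minutes document."""
    return {cat: score(minutes, pats) for cat, pats in {**INPUT_PATTERNS, **OUTPUT_PATTERNS}.items()}


def coverage(results):
    """Return (inputs covered, outputs covered); only PASS counts as covered, as in the example above."""
    inputs = sum(results[c] == "PASS" for c in INPUT_PATTERNS)
    outputs = sum(results[c] == "PASS" for c in OUTPUT_PATTERNS)
    return inputs, outputs


# Constructed sample minutes: every category is addressed twice except
# "Improvement opportunities", which is only mentioned via "OFIs" and so should WARN.
SAMPLE_MINUTES = """\
# Management Review Minutes (constructed sample)
## Inputs
- Status of actions from the previous management review: 4 of 5 closed, 1 carried over (contractor MFA).
- Changes in external and internal issues: new mobile app launched; no other context changes.
- Changes in interested party needs and expectations: one new contractual requirement for SOC 2 evidence.
- Nonconformities: 3 raised; corrective actions verified as effective for 2.
- Monitoring results: 8 of 10 KPIs met.
- Internal audit results: 2 minor NCs, 4 OFIs; audit findings tracked in the CAPA log.
- Security objectives: zero critical incidents achieved; training objective missed (92%).
- Feedback: 3 customer security questionnaires returned; customer feedback positive, no complaints.
- Risk assessment refreshed; risk treatment plan has 1 delayed item (WAF).
## Outputs
- Continual improvement decisions: D-001, D-002 (improvement decisions approved).
- Changes to the ISMS: scope extended; ISMS scope statement to be updated.
- Resource needs: approved budget for WAF; 1 FTE for security operations.
"""

if __name__ == "__main__":
    results = validate(SAMPLE_MINUTES)
    for category, status in results.items():
        print(f"{category:<32} {status}")
    print("covered (inputs, outputs):", coverage(results))
```

Keyword scoring measures whether a category is discussed, not whether the discussion has substance: a sentence that name-checks two phrases still passes. That is the reason the tool only downgrades single-pattern matches to WARNING rather than failing them, and why the generated minutes still need a human reviewer before the auditor sees them.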
input_pack_compiler
Scans the workspace for ISMS artifacts and maps them to management review input categories. Uses the same file-naming patterns as the gap assessment’s mandatory_artifact_detector for consistency across the skill suite.
| Artifact Type | File Pattern | Maps to Input |
|---|---|---|
| Previous review minutes | management-review, mgmt-review | Previous actions |
| Organization profile | organization-profile | Context changes |
| CAPA log | corrective-action, capa, nonconformit | Nonconformities |
| Monitoring report | monitor, measurement, kpi, metric | Monitoring results |
| Audit report | internal-audit, audit-report | Audit results |
| IS objectives | security-objective | Objectives fulfilment |
| Risk register | risk-register, risk-assessment | Risk results |
| Risk treatment plan | risk-treatment, treatment-plan | Risk results |
| Gap assessment | gap-assessment, remediation | Improvement |
For each found artifact, reports the file path, last modified date, and a content preview.
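The following Python scanner is an added example, not the skill's implementation: it applies the file-name patterns from the table above to a workspace and reports, per input category, the path, last-modified date and a content preview of each match, plus the categories with no backing artifact. The patterns are the page's; the `.md`/`.json` file filter, the function names and the constructed sample files are assumptions.

```python
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File-name patterns from the tool's table: a lower-cased file name containing any
# pattern maps to that artifact type and input category. First matching row wins.
ARTIFACT_PATTERNS = [
    ("Previous review minutes", ["management-review", "mgmt-review"], "Previous actions"),
    ("Organization profile", ["organization-profile"], "Context changes"),
    ("CAPA log", ["corrective-action", "capa", "nonconformit"], "Nonconformities"),
    ("Monitoring report", ["monitor", "measurement", "kpi", "metric"], "Monitoring results"),
    ("Audit report", ["internal-audit", "audit-report"], "Audit results"),
    ("IS objectives", ["security-objective"], "Objectives fulfilment"),
    ("Risk register", ["risk-register", "risk-assessment"], "Risk results"),
    ("Risk treatment plan", ["risk-treatment", "treatment-plan"], "Risk results"),
    ("Gap assessment", ["gap-assessment", "remediation"], "Improvement"),
]
ALL_INPUTS = sorted({category for _, _, category in ARTIFACT_PATTERNS})
SCANNED_SUFFIXES = {".md", ".json"}  # assumption: the skill's exact file filter is not documented


def classify(filename):
    """Return (artifact type, input category) for the first pattern the name contains, or None."""
    name = filename.lower()
    for artifact, patterns, category in ARTIFACT_PATTERNS:
        if any(p in name for p in patterns):
            return artifact, category
    return None


def compile_input_pack(workspace, preview_chars=120):
    """Walk the workspace recursively and group matching artifacts by input category.

    'found' maps category -> list of {type, path, modified, preview};
    'missing' lists categories with no backing artifact, to be filled manually.
    """
    found = {}
    for path in sorted(Path(workspace).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        hit = classify(path.name)
        if hit is None:
            continue
        artifact, category = hit
        modified = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc).date().isoformat()
        preview = path.read_text(encoding="utf-8", errors="replace")[:preview_chars].strip()
        found.setdefault(category, []).append(
            {"type": artifact, "path": str(path), "modified": modified, "preview": preview}
        )
    missing = [c for c in ALL_INPUTS if c not in found]
    return {"found": found, "missing": missing}


def build_sample_workspace():
    """Create a temporary workspace of constructed artifact files (names mirror the conversation above)."""
    root = Path(tempfile.mkdtemp(prefix="isms-"))
    files = {
        "management-review-2024-Q2.md": "# Management review Q2 2024\n5 actions agreed.",
        "organization-profile.json": '{"name": "Example SaaS Co", "employees": 80}',
        "capa-log.md": "# CAPA log\n3 nonconformities in period.",
        "monitoring-report-2024-H2.md": "# Monitoring report H2 2024\n8 of 10 KPIs met.",
        "internal-audit-report-2024.md": "# Internal audit 2024\n2 minor NCs, 4 OFIs.",
        "risk-register.md": "# Risk register\n0 critical, 3 high, 12 medium.",
        "policies/risk-treatment-plan.md": "# Risk treatment plan\nWAF deployment delayed.",
        "gap-assessment-remediation.md": "# Gap assessment remediation\nAll gaps tracked.",
        "meeting-notes.md": "Unrelated notes; must not be classified.",
    }
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")
    return root


if __name__ == "__main__":
    pack = compile_input_pack(build_sample_workspace())
    for category in ALL_INPUTS:
        for entry in pack["found"].get(category, []):
            print(f"{category:<22} Found    {Path(entry['path']).name} ({entry['modified']})")
        if category in pack["missing"]:
            print(f"{category:<22} Missing  No artifact found")
```

Matching is plain substring matching on the file name, so short patterns are generous: `capa` would also claim a file named `capability-matrix.md`, and `metric` or `remediation` can pull in unrelated documents. Because the first matching row wins, the order of `ARTIFACT_PATTERNS` decides ambiguous names, and the "last modified" date is the practical check that a matched artifact is actually current for this review period rather than a stale copy.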
action_completeness_checker
Validates management review actions for trackability:
| Check | Severity |
|---|---|
| Action has assigned owner | ERROR if missing |
| Action has due date (not placeholder) | ERROR if missing |
| Action has expected outcome / deliverable | WARNING if missing |
| Clause 9.3.3 improvement decisions present | ERROR if missing |
| Clause 9.3.3 ISMS change decisions present | ERROR if missing |
| Clause 9.3.3 resource decisions present | ERROR if missing |
Extracts actions from table rows and bullet lists within “Decisions”, “Actions”, and “Action Tracker” sections.
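As an added example (not the skill's own code), here is a Python version of the per-action checks listed above: it extracts actions from markdown table rows and bullet lines inside "Decisions", "Actions" and "Action Tracker" sections, then reports a missing owner or due date as ERROR and a missing expected outcome as WARNING. The three Clause 9.3.3 decision-presence checks are not covered here. The header keywords used to locate columns, the placeholder list, the `Owner:`/`Due:`/`Outcome:` bullet convention and the sample minutes are assumptions.

```python
import re

ACTION_SECTION_KEYWORDS = ("decision", "action")  # covers "Decisions", "Actions", "Action Tracker"
PLACEHOLDERS = {"", "tbd", "tba", "-", "—", "n/a", "yyyy-mm-dd"}  # assumed placeholder values
DATE_RE = re.compile(r"^\d{4}-(\d{2}-\d{2}|q[1-4])$", re.IGNORECASE)  # 2025-02-15 or 2025-Q2
COLUMN_KEYS = {  # header substrings used to locate each field in a markdown table (assumption)
    "id": ("id", "decision", "action"),
    "description": ("description",),
    "owner": ("owner",),
    "due": ("due", "date"),
    "outcome": ("outcome", "deliverable"),
}


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def _columns(headers):
    """Map field -> column index by header keyword, or None when the table lacks that column."""
    return {field: next((i for i, h in enumerate(headers) if any(k in h.lower() for k in keys)), None)
            for field, keys in COLUMN_KEYS.items()}


def _bullet_field(body, name):
    """Read 'Name: value' from a bullet such as '- Do X (Owner: CTO; Due: 2025-03-01; Outcome: report)'."""
    m = re.search(rf"{name}:\s*([^;)]+)", body, re.IGNORECASE)
    return m.group(1).strip() if m else ""


def extract_actions(markdown):
    """Collect actions from table rows and bullets inside Decisions/Actions/Action Tracker sections."""
    actions, in_section, section_level, cols = [], False, 0, None
    for n, raw in enumerate(markdown.splitlines(), 1):
        line = raw.strip()
        heading = re.match(r"^(#+)\s+(.*)", line)
        if heading:
            level, title = len(heading.group(1)), heading.group(2).lower()
            if not in_section or level <= section_level:  # deeper sub-headings stay in the section
                in_section = any(k in title for k in ACTION_SECTION_KEYWORDS)
                section_level = level if in_section else 0
            cols = None  # a new table may follow
            continue
        if not line:
            cols = None  # blank line ends the current table
            continue
        if not in_section:
            continue
        if line.startswith("|"):
            cells = _cells(line)
            if cols is None:
                cols = _columns(cells)  # header row
            elif not set("".join(cells)) <= set("-: "):  # skip the |---| separator row
                get = lambda f: cells[cols[f]] if cols[f] is not None and cols[f] < len(cells) else ""
                actions.append({"id": get("id"), "description": get("description"), "owner": get("owner"),
                                "due": get("due"), "outcome": get("outcome"), "line": n})
        elif line.startswith(("- ", "* ")):
            body = line[2:]
            actions.append({"id": "", "description": re.split(r"\s*\(", body, maxsplit=1)[0],
                            "owner": _bullet_field(body, "owner"), "due": _bullet_field(body, "due"),
                            "outcome": _bullet_field(body, "outcome"), "line": n})
    return actions


def check_actions(markdown):
    """Per-action trackability: owner and due date are ERROR when missing, expected outcome is WARNING."""
    issues = []
    for a in extract_actions(markdown):
        label = a["id"] or f"bullet line {a['line']}"
        if a["owner"].lower() in PLACEHOLDERS:
            issues.append({"severity": "ERROR", "action": label, "line": a["line"], "message": "no owner assigned"})
        if a["due"].lower() in PLACEHOLDERS or not DATE_RE.match(a["due"]):
            issues.append({"severity": "ERROR", "action": label, "line": a["line"], "message": "no due date (or placeholder)"})
        if a["outcome"].lower() in PLACEHOLDERS:
            issues.append({"severity": "WARNING", "action": label, "line": a["line"], "message": "no expected outcome"})
    return issues


# Constructed sample: one placeholder date, one table without an outcome column,
# one bullet without a due date, and an Attendees table that must be ignored.
SAMPLE_MINUTES = """\
# Management Review Minutes (constructed sample)
## Decisions Summary
### Continual Improvement
| Decision | Description | Owner | Due Date | Expected Outcome |
|---|---|---|---|---|
| D-001 | Automate training completion tracking | Head of Engineering | 2025-03-31 | 100% completion rate |
| D-002 | Add high-severity vuln SLA to dashboard | Information Security Manager | TBD | 30-day SLA tracked |
## Attendees
| Name | Role |
|---|---|
| A. Person | CEO |
## Action Tracker
| Action ID | Description | Owner | Due Date | Status |
|---|---|---|---|---|
| MR-003-A01 | Complete MFA rollout for contractors | Head of Engineering | 2025-01-31 | In progress |
- Investigate automated vulnerability scanning options (Owner: Information Security Manager; Outcome: options paper)
"""

if __name__ == "__main__":
    for issue in check_actions(SAMPLE_MINUTES):
        print(f"{issue['severity']:<8} {issue['action']} (line {issue['line']}): {issue['message']}")
```

The date check deliberately rejects placeholders such as `TBD` as well as free text like "next quarter", because an action without a concrete date cannot be shown as overdue at the next review, which is exactly the status the "Previous review actions" input has to report.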
Getting Started
Activate the ISO 27001 Management Review skill. For best results, complete these skills first — they produce the artifacts the management review consumes:
- Monitoring, Measurement & Evaluation — provides KPI results and control effectiveness data (Clause 9.1)
- ISMS Internal Audit Report — provides audit findings, NCs, and OFIs (Clause 9.2)
- Risk Assessment — provides current risk profile and treatment plan status (Clause 6.1)
- Organization Profile — provides organizational context for detecting changes
Have this information ready:
- Previous management review minutes (if this is not the first review)
- Customer feedback, complaints, or security questionnaire results
- Any organizational changes since the last review (new systems, staff changes, office moves)
- Current information security objectives and progress against targets
- Names and titles of attendees (top management must be present)
The agent guides you through a 6-step workflow: gather context, compile input pack, prepare agenda, draft minutes, validate completeness, and cross-reference with other ISMS documents.