# ISO 27001 Management Review

> Prepare, validate, and document the ISO 27001:2022 management review per Clause 9.3. Compiles input pack from workspace ISMS artifacts, validates all 10 mandatory input categories (Clause 9.3.2) and 3 required output decisions (Clause 9.3.3), and checks that every action has an owner, due date, and expected outcome. Produces review agenda, input pack, minutes, and action tracker.



Tags: ISO 27001, ISMS, Management Review, GRC, Compliance, Clause 9.3


## Example Prompts

- Prepare a management review input pack for our ISO 27001 ISMS
- Validate our management review minutes for Clause 9.3 completeness
- Compile available ISMS artifacts for the management review
- Check that our management review actions have owners and due dates
- Draft management review minutes from our input pack

URL: https://rakenne.app/skills/iso27001-management-review/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-management-review



## Overview

Prepare, validate, and document the ISO 27001:2022 management review per Clause 9.3. The management review closes the PDCA "Check" phase (Clause 9, Performance evaluation) and feeds "Act" (Clause 10, Improvement): it consumes the outputs of monitoring (Clause 9.1), internal audit (Clause 9.2), risk assessment (Clause 6.1) and corrective actions (Clause 10.2), and produces the top-management decisions that drive continual improvement.

The skill compiles an input pack from existing ISMS artifacts in the workspace, validates completeness against all 10 mandatory input categories and 3 required output decisions, and ensures every action is trackable with an owner, date, and expected outcome.

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

### What It Covers

- **Input pack compilation** — scans workspace for ISMS artifacts (audit reports, monitoring reports, risk registers, CAPA logs) and maps them to Clause 9.3.2 input categories
- **Mandatory input validation** — checks that all 10 required input categories are addressed and flags categories that are only mentioned in passing (a keyword heuristic; see `mandatory_input_validator` below)
- **Output decision verification** — ensures Clause 9.3.3 required outputs (improvement, ISMS changes, resources) have explicit decisions
- **Action completeness** — validates every action has an assigned owner, due date, and measurable expected outcome
- **Four document templates** — agenda, input pack, minutes, and action tracker

## Example Conversation

> **You:** We need to prepare a management review for our ISO 27001 ISMS. We're a SaaS company with 80 employees, certified last year.
>
> **Agent:** I'll help you prepare the management review per Clause 9.3. Let me first check what ISMS artifacts are available in your workspace. Running `input_pack_compiler`...
>
> **Results — 7/10 input categories have backing artifacts:**
>
> | Input Category | Status | Source Artifact |
> |---------------|--------|----------------|
> | Previous review actions | Found | management-review-2024-Q2.md (2024-06-15) |
> | Changes in external/internal issues | Found | organization-profile.json (2024-11-20) |
> | Nonconformities and corrective actions | Found | capa-log.md (2024-12-01) |
> | Monitoring and measurement results | Found | monitoring-report-2024-H2.md (2024-12-10) |
> | Audit results | Found | internal-audit-report-2024.md (2024-11-15) |
> | Risk assessment results | Found | risk-register.md (2024-10-30) |
> | Opportunities for improvement | Found | gap-assessment-remediation.md (2024-08-20) |
> | Interested party feedback | **Missing** | No artifact found |
> | Changes in interested party needs | **Missing** | No artifact found |
> | IS objectives fulfilment | **Missing** | No artifact found |
>
> Three inputs need manual data. Let me help you fill the gaps:
>
> 1. **Interested party feedback** — Have you received customer security questionnaires, complaints, partner feedback, or regulator communications since the last review?
> 2. **Interested party changes** — Any new contractual requirements, regulation changes, or partner expectations?
> 3. **IS objectives** — What were your information security objectives and how did you perform against them?
>
> **You:** We had 3 customer security questionnaires — all satisfactory. No regulatory changes. Our objectives were: zero critical incidents (achieved), 100% training completion (92% — missed target), and vulnerability remediation within SLA (met for critical, missed for high severity).
>
> **Agent:** Good. I'll populate those into the input pack. Now let me compile the full input pack using data from the found artifacts...
>
> Here's a summary of key findings from your ISMS artifacts:
>
> - **Previous review**: 5 actions from Q2 review — 4 closed, 1 overdue (MFA rollout for contractors)
> - **CAPA status**: 3 NCs in period — 2 closed with verified effectiveness, 1 open (access review delays)
> - **Monitoring**: 8 of 10 KPIs met. Two missed: training completion (92% vs 100%) and high-severity vuln remediation (35d avg vs 30d target)
> - **Audit**: 2 minor NCs, 4 OFIs from November internal audit. Both NCs have CAPAs initiated.
> - **Risk register**: 2 new risks added (supply chain, remote work). Risk profile: 0 critical, 3 high, 12 medium.
> - **Risk treatment**: 2 of 3 high-risk treatments on track, 1 delayed (WAF deployment)
>
> I've drafted the input pack. Shall I proceed with the agenda and minutes template?
>
> **You:** Yes, and after the meeting I'll need to validate the minutes.
>
> **Agent:** Here's the agenda with time allocations... After the meeting, paste your minutes and I'll validate them. Running `mandatory_input_validator`...
>
> **Result: 9/10 inputs covered, 3/3 outputs covered**
>
> | Category | Status |
> |----------|--------|
> | Previous review actions | PASS |
> | Context changes | PASS |
> | Interested party changes | PASS |
> | Nonconformities & CAPA | PASS |
> | Monitoring results | PASS |
> | Audit results | PASS |
> | IS objectives | PASS |
> | Interested party feedback | PASS |
> | Risk results & treatment | PASS |
> | Improvement opportunities | WARNING — mentioned but may lack substance |
> | Output: Improvement decisions | PASS |
> | Output: ISMS changes | PASS |
> | Output: Resource needs | PASS |
>
> Running `action_completeness_checker`...
>
> **Result: 6 actions found, 1 issue:**
> - Action 4 (line 87): No due date — "Investigate automated vulnerability scanning options"
>
> Add a target date and you're good. All other actions have owners, dates, and outcomes.

## Sample Output Excerpt

Below is a representative excerpt from generated management review minutes showing the decisions and action tracker sections.

---

### Decisions Summary (Clause 9.3.3 Outputs)

#### Continual Improvement

| Decision | Description | Owner | Due Date | Expected Outcome |
|----------|-------------|-------|----------|-----------------|
| D-001 | Implement automated security awareness training platform to replace manual tracking | Head of Engineering | 2025-03-31 | 100% training completion rate; automated reminders and reporting |
| D-002 | Add high-severity vulnerability remediation SLA to monitoring dashboard | Information Security Manager | 2025-02-15 | Real-time tracking of 30-day SLA for high-severity findings |

#### Changes to the ISMS

| Decision | Description | Owner | Due Date | Expected Outcome |
|----------|-------------|-------|----------|-----------------|
| D-003 | Update ISMS scope to include new mobile application launched in Q3 | Information Security Manager | 2025-02-28 | Scope statement, risk register, and SoA updated for mobile app |
| D-004 | Revise access control procedure to address contractor MFA requirement | Head of Engineering | 2025-03-15 | PROC-002 updated; all contractor accounts MFA-enabled |

#### Resource Needs

| Decision | Description | Owner | Due Date | Expected Outcome |
|----------|-------------|-------|----------|-----------------|
| D-005 | Approve budget for WAF deployment (delayed from previous quarter) | CTO | 2025-01-31 | WAF operational in production; risk R-008 treatment complete |
| D-006 | Approve 1 FTE for dedicated security operations role | CEO | 2025-06-30 | Reduced MTTD; dedicated incident response capacity |

### Action Tracker

| Action ID | Description | Owner | Due Date | Priority | Related Document | Status |
|-----------|-------------|-------|----------|----------|-----------------|--------|
| MR-003-A01 | Complete MFA rollout for contractors (carried from previous review) | Head of Engineering | 2025-01-31 | High | access-control-procedure.md | In progress |
| MR-003-A02 | Deploy automated training platform | Head of Engineering | 2025-03-31 | Medium | — | Not started |
| MR-003-A03 | Update ISMS scope for mobile app | Information Security Manager | 2025-02-28 | High | scope-statement.md, risk-register.md, soa.md | Not started |
| MR-003-A04 | Deploy WAF to production | Head of Engineering | 2025-01-31 | High | risk-register.md (R-008) | In progress |
| MR-003-A05 | Add high-severity vuln SLA to dashboard | Information Security Manager | 2025-02-15 | Medium | monitoring-report.md | Not started |
| MR-003-A06 | Hire security operations FTE | CEO | 2025-06-30 | Medium | — | Not started |

**Next review date:** 2025-06-30


## Extension Tools

### `mandatory_input_validator`

Validates a management review document against Clause 9.3.2 input requirements and Clause 9.3.3 output requirements:

**Clause 9.3.2 Inputs (10 categories):**

| # | Input Category | Severity if Missing |
|---|---------------|:-------------------:|
| 1 | Status of actions from previous management reviews | ERROR |
| 2 | Changes in external and internal issues | ERROR |
| 3 | Changes in needs and expectations of interested parties | ERROR |
| 4a | Nonconformities and corrective actions | ERROR |
| 4b | Monitoring and measurement results | ERROR |
| 4c | Audit results | ERROR |
| 4d | Fulfilment of information security objectives | ERROR |
| 5 | Feedback from interested parties | ERROR |
| 6 | Risk assessment results and treatment plan status | ERROR |
| 7 | Opportunities for continual improvement | ERROR |

**Clause 9.3.3 Outputs (3 categories):**

| Output | Severity if Missing |
|--------|:-------------------:|
| Continual improvement opportunities | ERROR |
| Needs for changes to the ISMS | ERROR |
| Resource needs | ERROR |

Clause 9.3.3 of ISO/IEC 27001:2022 itself names only the first two (decisions on continual improvement opportunities and on needs for changes to the ISMS); resource needs are not in the 27001 wording but in the harmonised management-system clause as used in ISO 9001. The skill treats all three as required outputs.

Matching is a keyword heuristic: a category matched by two or more patterns is marked PASS, a single-pattern match is marked WARNING (mentioned but may lack substance), and no match is an ERROR. Because a single incidental word (for example in a section heading) is enough for a WARNING, every WARNING still needs a human read of the corresponding section.
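The PASS/WARNING/ERROR rule as runnable code, added here as an illustration and not the skill's own implementation: the pattern lists, the two-pattern threshold and the sample minutes are assumptions made for this example. The constructed minutes leave out the risk section (an ERROR) and contain the word "feedback" only inside a heading, which registers as a single hit for interested party feedback and shows why a WARNING needs a manual check.

```python
import re

# Keyword patterns per Clause 9.3.2 input and 9.3.3 output. These lists and the
# two-pattern threshold are assumptions for this example; the skill's own pattern
# tables are not published on this page.
INPUTS = {
    "Previous review actions": [r"previous (management )?review", r"actions? from (the )?last",
                                r"carried (over|forward)"],
    "Context changes": [r"external (and|/) internal issues", r"changes? in context",
                        r"organi[sz]ational change"],
    "Interested party changes": [r"interested part(y|ies)",
                                 r"(contractual|regulatory) (requirement|change)", r"expectation"],
    "Nonconformities & CAPA": [r"nonconformit", r"corrective action", r"\bcapa\b"],
    "Monitoring results": [r"monitoring", r"\bkpi", r"measurement"],
    "Audit results": [r"internal audit", r"audit (finding|result)", r"\bofi"],
    "IS objectives": [r"security objective", r"objective.*(met|achieved|missed)", r"target"],
    "Interested party feedback": [r"feedback", r"questionnaire", r"complaint"],
    "Risk results & treatment": [r"risk assessment", r"risk register", r"risk treatment"],
    "Improvement opportunities": [r"opportunit(y|ies) for (continual )?improvement",
                                  r"improvement opportunit", r"\bofi"],
}
OUTPUTS = {
    "Output: Improvement decisions": [r"continual improvement", r"decision.*improv",
                                      r"improvement decision"],
    "Output: ISMS changes": [r"changes? to the isms", r"scope (change|update)", r"isms change"],
    "Output: Resource needs": [r"resource need", r"budget", r"\bfte\b|headcount"],
}


def validate(text):
    """Return {category: (status, hits)}: PASS for two or more distinct patterns,
    WARNING for exactly one (mentioned, may lack substance), ERROR for none."""
    results = {}
    for category, patterns in {**INPUTS, **OUTPUTS}.items():
        hits = sum(1 for p in patterns if re.search(p, text, re.IGNORECASE))
        status = "PASS" if hits >= 2 else "WARNING" if hits == 1 else "ERROR"
        results[category] = (status, hits)
    return results


def coverage(results):
    """(inputs covered, outputs covered); PASS and WARNING both count as covered."""
    def covered(categories):
        return sum(1 for c in categories if results[c][0] != "ERROR")
    return covered(INPUTS), covered(OUTPUTS)


# Constructed minutes for the demonstration, not real minutes. The risk section
# was deliberately left out, and "feedback" appears only in a heading.
SAMPLE_MINUTES = """\
## 1. Status of actions from previous management review
4 of 5 actions closed; contractor MFA rollout carried over.
## 2. Changes in external and internal issues
Mobile app launched in Q3; no other organisational change.
## 3. Interested parties
Interested parties: a new contractual requirement from a customer for SOC 2 evidence.
## 4. Performance feedback
Two nonconformities raised at the internal audit; corrective action plans open.
Monitoring: 8 of 10 KPIs met.
Internal audit findings: 2 minor NCs, 4 OFIs.
Security objectives: zero critical incidents achieved; training target missed.
## 6. Opportunities for continual improvement
Automate training tracking.
## 7. Decisions
Continual improvement: approve training platform (improvement decision).
Changes to the ISMS: scope updated for the mobile app.
Resource needs: budget approved for WAF; 1 FTE for security operations.
"""

if __name__ == "__main__":
    res = validate(SAMPLE_MINUTES)
    for cat, (status, hits) in res.items():
        print(f"{status:7} {hits}  {cat}")
    print("inputs/outputs covered:", coverage(res))
```

Running it reports 9 of 10 inputs and 3 of 3 outputs covered: "Risk results & treatment" is an ERROR with zero hits, and "Interested party feedback" is a WARNING on the strength of the heading alone, which a reviewer reading the minutes would immediately recognise as a gap rather than a covered input.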

### `input_pack_compiler`

Scans the workspace for ISMS artifacts and maps them to management review input categories. Uses the same file-naming patterns as the gap assessment's `mandatory_artifact_detector` for consistency across the skill suite.

| Artifact Type | File Pattern | Maps to Input |
|--------------|-------------|---------------|
| Previous review minutes | `management-review`, `mgmt-review` | Previous actions |
| Organization profile | `organization-profile` | Context changes |
| CAPA log | `corrective-action`, `capa`, `nonconformit` | Nonconformities |
| Monitoring report | `monitor`, `measurement`, `kpi`, `metric` | Monitoring results |
| Audit report | `internal-audit`, `audit-report` | Audit results |
| IS objectives | `security-objective` | Objectives fulfilment |
| Risk register | `risk-register`, `risk-assessment` | Risk results |
| Risk treatment plan | `risk-treatment`, `treatment-plan` | Risk results |
| Gap assessment | `gap-assessment`, `remediation` | Improvement |

For each found artifact, reports the file path, last modified date, and a content preview.

### `action_completeness_checker`

Validates management review actions for trackability:

| Check | Severity |
|-------|----------|
| Action has assigned owner | ERROR if missing |
| Action has due date (not placeholder) | ERROR if missing |
| Action has expected outcome / deliverable | WARNING if missing |
| Clause 9.3.3 improvement decisions present | ERROR if missing |
| Clause 9.3.3 ISMS change decisions present | ERROR if missing |
| Clause 9.3.3 resource decisions present | ERROR if missing |

Extracts actions from table rows and bullet lists within "Decisions", "Actions", and "Action Tracker" sections.
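The owner, due-date and expected-outcome checks over markdown table rows, as an added example written for this page rather than the skill's own code. The placeholder list, the rule that a due date must be a full `YYYY-MM-DD` value, the section-heading words used to select tables, and the sample minutes are all assumptions. The sample deliberately contains a quarter instead of a date, a row with `TBD` in every field, and a tracker row with an empty due date, and it reports the line number of each problem row the way the conversation above does.

```python
import re

# Cell values that count as "missing". Assumed for this example.
PLACEHOLDERS = {"", "tbd", "tbc", "tba", "?", "-", "—", "n/a", "none"}
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
HEADING = re.compile(r"^#+\s*(.*)$")
# Tables under headings containing one of these words are scanned (assumption).
TRACKED_SECTIONS = ("decision", "action")


def split_row(line):
    """Split a markdown table row into stripped cells, dropping the outer pipes."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def is_separator(cells):
    return all(re.fullmatch(r":?-{3,}:?", c) for c in cells)


def find_col(header, *names):
    """Index of the first header cell containing any of names (case-insensitive), else None."""
    for i, h in enumerate(header):
        if any(n in h.lower() for n in names):
            return i
    return None


def check_actions(markdown):
    """Return (actions_found, issues); each issue is (severity, line_no, message)."""
    issues, count = [], 0
    in_tracked, header = False, None
    for line_no, raw in enumerate(markdown.splitlines(), 1):
        m = HEADING.match(raw)
        if m:
            in_tracked = any(w in m.group(1).lower() for w in TRACKED_SECTIONS)
            header = None
            continue
        if not in_tracked or not raw.lstrip().startswith("|"):
            header = None          # a non-table line ends the current table
            continue
        cells = split_row(raw)
        if header is None:         # first pipe row of a table is its header
            header = cells
            continue
        if is_separator(cells):
            continue
        count += 1
        label = cells[0] or f"row {line_no}"
        owner_col = find_col(header, "owner")
        due_col = find_col(header, "due")
        outcome_col = find_col(header, "outcome", "deliverable")

        def cell(i):
            return cells[i] if i is not None and i < len(cells) else ""

        if cell(owner_col).lower() in PLACEHOLDERS:
            issues.append(("ERROR", line_no, f"{label}: no owner"))
        due = cell(due_col)
        if due.lower() in PLACEHOLDERS:
            issues.append(("ERROR", line_no, f"{label}: no due date"))
        elif not ISO_DATE.match(due):
            issues.append(("ERROR", line_no,
                           f"{label}: due date '{due}' is not a full YYYY-MM-DD date"))
        # Tables without an outcome column (e.g. a tracker that carries the outcome
        # in the decisions table) are not warned about; this is an assumption.
        if outcome_col is not None and cell(outcome_col).lower() in PLACEHOLDERS:
            issues.append(("WARNING", line_no, f"{label}: no expected outcome"))
    return count, issues


# Constructed minutes for the demonstration, not real minutes.
SAMPLE = """\
# Management Review Minutes (constructed example)

## Decisions Summary

| Decision | Description | Owner | Due Date | Expected Outcome |
|----------|-------------|-------|----------|-----------------|
| D-001 | Automate training tracking | Head of Engineering | 2025-03-31 | 100% completion |
| D-002 | Approve 1 FTE for security operations | CEO | 2025-Q2 | Dedicated IR capacity |
| D-003 | Investigate automated vulnerability scanning | TBD | TBD | — |

## Attendees

| Name | Role |
|------|------|
| A. Example | CEO |

## Action Tracker

| Action ID | Description | Owner | Due Date | Status |
|-----------|-------------|-------|----------|--------|
| MR-003-A01 | Complete contractor MFA rollout | Head of Engineering | 2025-01-31 | In progress |
| MR-003-A02 | Deploy training platform | Head of Engineering |  | Not started |
"""

if __name__ == "__main__":
    found, problems = check_actions(SAMPLE)
    print(f"{found} actions found, {len(problems)} issues")
    for severity, line_no, message in problems:
        print(f"  {severity} (line {line_no}): {message}")
```

The Attendees table is ignored because its heading contains neither "decision" nor "action"; the five action rows yield four ERRORs (a quarter instead of a date, a missing owner, two missing due dates) and one WARNING (a missing outcome), each tagged with the line of the offending row.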

## Getting Started

Activate the *ISO 27001 Management Review* skill. For best results, complete these skills first — they produce the artifacts the management review consumes:

1. **Monitoring, Measurement & Evaluation** — provides KPI results and control effectiveness data (Clause 9.1)
2. **ISMS Internal Audit Report** — provides audit findings, NCs, and OFIs (Clause 9.2)
3. **Risk Assessment** — provides current risk profile and treatment plan status (Clause 6.1)
4. **Organization Profile** — provides organizational context for detecting changes

Have this information ready:
- Previous management review minutes (if this is not the first review)
- Customer feedback, complaints, or security questionnaire results
- Any organizational changes since the last review (new systems, staff changes, office moves)
- Current information security objectives and progress against targets
- Names and titles of attendees (top management must be present)

The agent guides you through a 6-step workflow: gather context, compile input pack, prepare agenda, draft minutes, validate completeness, and cross-reference with other ISMS documents.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)
