Management Review Meetings, Inputs and Outputs Explained

Management Review in Brief

  • Top management reviews the system at planned intervals
  • Required inputs include audit results, performance, customer feedback and risk
  • Outputs are decisions, actions and resource commitments

Management review explained

The management review is a documented review process required by every ISO management system standard. It applies in essentially the same way across ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301, ISO 37001, ISO 22458 and ISO 42001. The clause numbering is identical in each of them - Clause 9.3 - and the structure is the same: a defined set of inputs is considered, top management makes decisions and identifies actions, and the whole thing is recorded.

The review is not a meeting. The standard requires top management to be accountable for the review and to engage with the outputs, but it does not require everyone to sit in a room together. The alphaZ F-Q3 Management Review form reflects this by listing contributors rather than attendees. Some organisations hold a formal review session, others circulate the populated form for comment and approval, and others fold the review into existing senior leadership routines. Any of these is acceptable as long as the inputs are genuinely considered, the outputs are owned by top management and the record is retained.

The purpose is genuine governance. The review is the point at which top management asks whether the management system is doing what it is meant to do, whether anything has changed that means it needs to be adjusted, and what resources are needed to keep it effective. A management review completed without engagement from senior leaders is a paperwork exercise that adds no value and is usually obvious to an auditor.

How often the management review should be done

None of the ISO standards specifies a frequency. They require the review at planned intervals - the organisation decides what planned means.

In practice an annual review is the norm and is what most external auditors expect to see as a minimum. Annual fits the typical certification audit cycle and gives enough operational data to identify trends. Smaller organisations and those with stable operations usually find annual works well. Larger or more dynamic organisations may review more often - quarterly or six-monthly - or split the review across the year so that different inputs are examined at different points. A common pattern is a quarterly performance check feeding into a single annual full review.

The frequency should be set in the management system itself, usually in the manual or a procedure, and then actually followed. An annual review that slips by six months looks worse to an auditor than a six-monthly cycle that has been kept to. The next review date is best agreed at the end of each review and recorded on the F-Q3 form so that it is not forgotten.

Additional reviews can also be triggered by significant change - a major incident, a restructure, a new product line, a change of ownership, a major regulatory change, or a serious nonconformity raised at audit. These ad hoc reviews do not replace the planned cycle but sit alongside it.

Inputs to the management review

The standard requires a defined set of inputs to be considered at every management review. These are the same across the ISO standards with minor variations to suit the discipline (environmental aspects for ISO 14001, incidents for ISO 45001, information security events for ISO 27001, and so on). The core inputs are:

  • The status of actions from previous management reviews
  • Changes in internal and external issues relevant to the management system, including changes in the needs and expectations of interested parties
  • Information on management system performance and effectiveness, including trends in customer satisfaction and feedback from interested parties, the degree to which objectives have been met, process performance and conformity of products and services, nonconformities and corrective actions, monitoring and measurement results, audit results, and the performance of external providers
  • The adequacy of resources
  • The effectiveness of actions taken to address risks and opportunities
  • Opportunities for improvement

For ISO 14001 and ISO 45001 a 2024 amendment added climate change as a specific consideration. Where climate change is a relevant issue for the organisation, it must be addressed as part of the review of internal and external issues. The alphaZ F-IMS38 Climate Change Review form provides a structured way to capture this so it can be referenced as an input to the management review rather than redone each cycle.

Each of these inputs is required - the standard does not allow them to be skipped. What varies is the level of detail. A small organisation with three suppliers will have a brief external provider performance section; a manufacturer with a hundred suppliers will need a more substantial review. The point is that every input is considered, not that every input takes the same amount of space on the page.

Outputs of the management review

The outputs of the management review must include decisions and actions related to opportunities for improvement, any need for changes to the management system, and resource needs. Documented information must be retained as evidence of the review and its outputs.

Outputs are where the review either earns its keep or becomes a paper exercise. A management review that records all the inputs faithfully but produces no decisions, no actions and no resource changes is not really a review - it is a status report. Auditors look for a clear connection between what was discussed in the inputs and what came out as decisions or actions. If customer satisfaction has dropped, there should be an output addressing it. If audit findings show a recurring issue, there should be an action to deal with it. If objectives are not being met, there should be either revised objectives or new resources allocated.

Output actions should have an owner and a target date so they can be tracked through to closure. The most common practice is to log them on the issues and actions register so they sit alongside other improvement actions, are visible day to day and are reviewed at the next management review under "status of actions from previous management reviews".

Who contributes to the management review

Top management is accountable for the review. In a small business this is usually the owner or managing director. In a larger organisation it is the senior leadership team - whoever has overall authority for the management system within the certification scope.

Contributors typically include the people who own the data being reviewed - the quality manager or SHEQ manager, the operations manager, the HR lead for training and competence, the IT lead for information security, the H&S adviser, the finance lead for resource decisions. They prepare the inputs from their areas, present or submit them, and act on the outputs that fall within their remit. The F-Q3 form is designed to be populated collaboratively in this way - sections can be completed by the relevant person before top management reviews and signs off the whole.

The accountability sits with top management - they cannot delegate that. But the legwork of pulling the data together and preparing the inputs is done across the team. This is why the F-Q3 Management Review form lists contributors rather than attendees.

Management review in an integrated management system

Where an organisation operates an integrated management system covering multiple standards, the management review can and usually should be done as a single integrated review rather than separate reviews per standard. The inputs and outputs overlap heavily and a single integrated review avoids duplication, gives a coherent view of the system as a whole, and saves a substantial amount of time.

The F-Q3 Management Review form is designed for integrated use. It has core sections that apply to all standards and additional sections that are completed only where the relevant standard is in scope. An organisation certified to ISO 9001 alone uses the core sections plus the quality objectives section. One certified to ISO 9001, ISO 14001 and ISO 45001 also completes the environmental and health and safety sections and sets objectives for each. The same logic applies to ISO 27001, ISO 22301, ISO 37001 and the others.

External auditors auditing against multiple standards expect to see one integrated record covering all of them, with each standard's required inputs clearly addressed. Separate management reviews held at different times for different standards usually create more audit work, not less.

Common problems with management reviews

The most common problem at audit is missing or skipped inputs. The standard lists them and the auditor will check each one. A management review that does not address audit results, for example, or skips external provider performance, will pick up a finding even if the rest is well done. Using a form that prompts every required input - the F-Q3 does this - removes that risk.

The second most common problem is reviews that record everything but decide nothing. The output section is blank or contains only generic statements like "continue to monitor". A review with no real outputs invites a finding that top management is not engaged.

The third is a gap between reviews - the previous review was eighteen months ago because no one diarised the next one. Setting and recording the next review date at the close of each review prevents this.

The fourth is data that is out of date or invented for the review. The inputs should be drawn from the live operational records - the issues and actions register, the audit schedule, customer feedback, objective tracking - not constructed retrospectively. Auditors can usually tell the difference.

Most of the management review effort sits in preparing the inputs, not the review itself. If the underlying records are kept up to date through the year - the issues and actions register, audit findings, objective progress, customer feedback - the review becomes a relatively quick exercise of pulling that material together and asking what it tells you. Where it gets painful is when organisations think about it the week before and chase data they should have had all along.

When auditing the management review I look first for the record - usually the F-Q3 form or equivalent - and check that it has been completed at the planned interval, that all required inputs are addressed and that the outputs include decisions, actions, owners and dates. Then I look for the connection between the review and what is happening in the business. If the review identified a need for additional resources or a change to the system, I expect to find evidence that this has been acted upon by the time of my visit.

I also pay attention to the previous-actions section. A review that closes its actions cycle on cycle, with evidence, tells me the system is working. A review that carries the same open actions forward year after year tells me something else.

Top management has to own this one. You cannot delegate the management review to the quality team and expect a tick from the auditor. The team can prepare the paperwork and pull the data together, no problem - but the decisions need to come from the people who can actually authorise change and spend money. That is what the standard means by top management engagement.

Practical Compliance Guidance

IMS1 Section 2.4 covers management review arrangements at the management system level. The section sets out who is responsible, the planned frequency and how the review is recorded, so that it is documented in one place rather than reconstructed from individual review records.

The alphaZ documents below are designed to make the management review and the records that feed into it work as an integrated set across whichever standards an organisation is certified to.

| alphaZ document | How to use it |
|---|---|
| ISO 9001/14001/45001 IMS Toolkit | Integrated toolkit including the IMS1 Manual and all the registers, forms and procedures needed to run an integrated management system. Useful where an organisation is certified to multiple standards and wants a single coherent set of documents. |
| ISO 9001 Management System Toolkit | Quality-only toolkit including the IMS1 Manual, F-Q3 Management Review form and supporting documents. Suitable where ISO 9001 is the only standard in scope. |
| F-Q3 Management Review | Structured review form covering every required input across the ISO management system standards. Sections specific to individual standards are clearly marked so only the relevant ones need completing. |
| GG-1-11 Management Review and Objectives Guidance | Guidance note explaining how to conduct the management review and how to set, track and review objectives that come out of it. |
| ER1 Issues and Actions Register | Central register for logging issues, improvement opportunities and actions arising from any source, including the management review. Use it to track agreed actions from the review through to closure. |
| F-IMS22 Interested Parties Register | Record of interested parties and their needs and expectations. Reviewed at each management review under changes in internal and external issues. |
| F-IMS23 Opportunities and Risks Register | Register of risks and opportunities and the actions taken to address them. Reviewed at each management review for the effectiveness of actions taken. |
| F-IMS38 Climate Change Review | Captures the organisation's review of climate change impacts and risks relevant to the management system. Provides the climate change input required for ISO 14001 and ISO 45001 management reviews following the 2024 amendment. |
| F-Q16 Improvement Request | Form for raising specific improvement actions, including those identified as outputs of the management review. Use alongside the issues and actions register where a more detailed record of an individual improvement is needed. |

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No. The standard requires top management to engage with the review and its outputs but does not specify a meeting format. A documented review with contributions from the relevant people, decisions made by top management and a record retained meets the requirement, whether or not anyone sat in a room together.
There is no fixed frequency in any of the ISO standards. Annual is the norm and is what most external auditors expect to see as a minimum. The organisation chooses and records its planned interval, then keeps to it. Larger or more dynamic organisations sometimes review quarterly or six-monthly, or split the review across the year.
Yes, and an integrated review is usually preferable where multiple standards are in scope. The inputs and outputs overlap heavily, and a single integrated review gives a coherent view of the whole system. The F-Q3 Management Review form is structured for integrated use, with optional sections for each standard that are completed only where relevant.
A missed review is likely to be picked up at the next external audit as a nonconformity against Clause 9.3. The practical fix is to complete the review as soon as possible, record what happened, and reset the review cycle going forward. Setting the next review date at the end of each review and adding it to a calendar prevents this.
The auditor looks for a documented record showing the review took place at the planned interval, that every required input was considered, and that the outputs include decisions and actions with owners and dates. They also look for evidence that the agreed actions have been followed up - either closed or being progressed - by the time of the audit.

UK Legislation relevant to the management review

The management review under the ISO standards is a contractual requirement of certification rather than a legal requirement. No UK statute mandates an ISO-style management review. Several pieces of UK legislation do require organisations to keep their management arrangements under review for specific risks, and the management review is the natural place for those reviews to be evidenced. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
