Management Review in ISO Standards: How to Do It Right

Management review is a requirement in all modern ISO management system standards. Yet many organisations carry out this process as an administrative ritual without real value. In this guide, we explain what management review is, what the ISO standards require, and how to make it a strategic tool rather than a burden.

Important to know: This article provides practical guidance on management review based on ISO requirements. For the exact standard text, you need access to the official ISO standards.

What is Management Review?

Management review is a formal process where your top management (the management team) reviews the management system. The purpose is to verify that the system works, delivers the right results, and supports your business strategy.

All modern ISO management system standards require this in clause 9.3:

• ISO 9001 (quality management)
• ISO 14001 (environmental management)
• ISO 45001 (occupational health and safety)
• ISO 27001 (information security)

Thanks to ISO's common framework, all these standards have identical requirements for management review. This means companies with multiple certifications can conduct an integrated process covering all systems.

Why is Management Review Required?

The ISO standards require management review for five strategic reasons:

1. Engage leadership
Management systems must not become isolated projects run solely by the quality or environmental manager. Top management (the management team) must be involved and take responsibility.

2. Connect the system to strategy
The management system should support your business strategy, not run as a parallel track. Management review confirms this is the case.

3. Review performance
You review measurement data and results to see if the system delivers the desired effect. Are your processes working? Are you achieving your objectives?

4. Decide on improvements
Based on data, you make concrete decisions about changes, improvements, and priorities.

5. Allocate resources
You determine what resources (personnel, budget, tools) are needed for the management system to function.

What You Should Cover

The requirements for management review are essentially identical in ISO 9001, 14001, 45001, and 27001. Here is what you need to go through.

Inputs You Should Prepare

Follow-up from last timeStart by reviewing what you decided at the previous review. Have the actions been implemented? Did you achieve the expected effect?

Changes in the external environment and organisationHas anything significant happened since last time? New legislation, changed customer requirements, reorganisation, new products or services?

How you are performingReview key metrics and trends:

• Customer satisfaction and customer feedback
• Objective achievement – are you meeting your quality and environmental objectives?
• Process performance – are the processes working?
• Non-conformities – what problems have arisen and how have you handled them?
• Audit results – what have internal and external audits shown?
• Supplier performance – are suppliers meeting expectations?

ResourcesDo you have enough personnel, the right competencies, and functioning tools?

Risks and opportunitiesIs your risk management working? Have new risks emerged? Are you capitalising on opportunities?

Improvement suggestionsWhat ideas have come in? Where are the bottlenecks?

Standard-specific inputsDepending on which standards you are certified to, you also need to address:

• ISO 14001: environmental aspects, compliance with environmental requirements
• ISO 45001: incidents, work-related injuries, employee participation
• ISO 27001: security incidents, vulnerabilities, threat landscape

Decisions You Should Make

Management review should result in concrete decisions on:

ImprovementsWhat improvement actions should you implement? Who is responsible and when should it be completed?

Changes to the management systemDo you need to change processes, update policies, or introduce new working methods?

ResourcesWhat budget, personnel, or competencies are needed going forward?

Documentation

Save minutes and supporting materials from the review. The certification auditor will want to see them.

Practical Implementation: Step by Step

Here is how you conduct an effective management review:

Step 1: Plan the Process (3–4 weeks before)

Set date and participants

• Top management (the management team) should participate
• Management system manager (quality manager, environmental manager, etc.)
• Relevant department managers depending on the agenda

Create agenda
Structure the agenda according to the ISO requirement inputs:

1. Status from previous review (15 min)
2. Context and changes (15 min)
3. Performance and objective achievement (30 min)
4. Resource status (15 min)
5. Risks and opportunities (20 min)
6. Improvement suggestions (20 min)
7. Decisions and actions (25 min)

Total time: approximately 2–2.5 hours

Step 2: Gather Inputs (2–3 weeks before)

Prepare documents

• Compile key metrics and trend data
• Obtain results from internal audits
• Retrieve customer complaints or feedback data
• List identified risks and non-conformities
• Document resource status
• Collect improvement suggestions

Send out materials
Share the supporting materials at least one week in advance so participants can prepare. A summary of 5–10 pages works better than 50 pages of raw data.

Step 3: Conduct the Review

Focus on decisions, not just reporting

• Present data briefly (maximum 30% of time)
• Discuss: What does this mean? (40% of time)
• Make concrete decisions (30% of time)

Document in real-time
One person takes notes on decisions directly in the minutes. Document:

• What decisions were made
• Who is responsible for what
• When it should be completed
• What resources were allocated

Examples of concrete decisions:

• "We are increasing the budget for internal audits by SEK 50,000 next year" (resource decision)
• "Lars is responsible for revising our environmental policy by 15 December" (change decision)
• "We are implementing monthly energy measurements in production from January" (improvement decision)

Step 4: Follow Up After Implementation

Send out minutes
Send the minutes within 48 hours while the discussion is fresh.

Track actions
Add decided actions to your action tracking system or project plan. Follow up regularly.

Archive evidence
Save minutes and supporting materials. Certification auditors will review these.

Structured Checklist: How AmpliFlow Customers Do It in Practice

Management review becomes concrete when you link it to a clear, reusable checklist. Without structure, you easily miss areas or get stuck in discussions without decisions.

AmpliFlow includes a complete management review checklist that systematically covers all requirements in 9.3.2 (inputs) and 9.3.3 (outputs). The checklist guides you through 18 main areas – from stakeholder analysis to final summary.

[IMAGE: Screenshot of AmpliFlow checklist left menu showing all 18 steps, from "Before Stakeholder Analysis Review" to "Management Review Summary"]

Two Phases for Each Area: Prepare and Decide

Each area in the checklist has two phases:

1. "Before" phase – The responsible person prepares the inputs before the meeting. The checklist specifies exactly what to check and update.

2. "Review" phase – The management team reviews the inputs and makes decisions. The checklist indicates what should be documented.

The structure separates preparation from decisions and ensures the right people do the right things.

The 18 Areas in Management Review

Here is an overview of what a complete management review covers:

• 1–2. Stakeholder analysis – Registered stakeholders, their interest and influence
• 3–4. Customer requirements – Customer requirements matrix with relevance and compliance
• 5–6. Legal requirements – Legal register with status and responsible parties
• 7–8. Strategy – Strategy's connection to external changes
• 9–10. Processes – Process maps, flows, and activities
• 11–12. Audits – Internal and external audit results, action plans
• 13–14. Customer feedback – Trends, grading, customer satisfaction
• 15–16. Non-conformities – Internal non-conformities, trends, severity
• 17–18. Improvement suggestions – Received suggestions, prioritisation
• 19–20. Suppliers – Supplier performance, risk assessment, surveys
• 21–22. Operational risks – Risk register, action plans, new risks
• 23–24. Environmental aspects – Significant environmental aspects, risk assessment, environmental objectives
• 25–26. Objectives – Quality and environmental objectives, objective achievement, action plans
• 27–28. Policies – Policy currency, CEO signature, communication
• 29–30. HR – Competency, training, resources
• 31. Annual calendar – Planned activities for the coming year
• 32–33. Previous minutes – Follow-up of previous decisions
• 34–36. System improvements – Identified improvements, summary

Example: How the Customer Requirements Review Works in Practice

Here is what "Before Customer Requirements Review" contains in AmpliFlow:

The responsible person checks before the meeting:

• All known customer requirements are registered in the customer requirements matrix
• Relevance has been indicated for all requirements
• A summary of the requirement is documented
• How you fulfil each requirement is described
• An internal knowledge expert has been identified for each requirement
• Reference to detailed information exists

[IMAGE: Screenshot of AmpliFlow checklist "Before Customer Requirements Review" with checkboxes and link to customer requirements matrix]

Question for management: "Are there new or changed customer requirements that management needs to be informed about?"

At "Customer Requirements Review": The management team makes decisions and documents them, e.g.: "The following new customer requirements have been identified: X. Management decides that Y is responsible for updating working methods by Z."

What Makes the Difference

The AmpliFlow checklist gives you:

• Direct links to the right view – stakeholder analysis, customer requirements matrix, legal register, non-conformity dashboard, risk register. Click and see current data directly.
• Concrete checkpoints – No guessing about what "review stakeholders" means. Each point specifies exactly what you should check.
• Decision support – Suggestions for how to formulate decisions, e.g. "Management notes that the environmental legal register is updated, but we need to create action plans for some of the new legislation."
• Action tracking – Decisions automatically become trackable activities with responsible party and deadline.
• Connection to the rest of the system – Non-conformities, risks, objectives, and suppliers you review are the same data you work with daily.

[IMAGE: Screenshot showing how a decision from management review creates a trackable action in AmpliFlow]

Why It Matters

Without a structured checklist, it often happens that:

• You miss areas (the supplier review or environmental aspects)
• Preparation takes unnecessary time
• Decisions become vague ("we should improve customer satisfaction") instead of concrete
• The auditor finds gaps in documentation

With AmpliFlow's checklist, you know exactly what to do, who is responsible, and when it should be completed. You avoid building your own structure – and can focus on content instead of form.

How Often Should Management Review Be Conducted?

The ISO standards say "at planned intervals" – you decide the frequency yourself. Here is how to choose:

Annual Review (most common)

Suits you if:

• Stable operations with few major changes
• Established management system that works well
• Limited resources for reviews

Common timing:

• In connection with annual accounts and planning (January–March)
• Before certification audit
• At management's strategy meeting

Semi-annual Review

Suits you if:

• Changing industry with rapid shifts
• Growing company with many new projects
• Multiple certifications requiring coordinated governance

Quarterly Review

Suits you if:

• High-risk environment where safety is critical
• Significant compliance requirements (regulatory oversight)
• Ongoing major changes (restructuring, new product lines)

Important: "Planned intervals" means you decide frequency in advance and maintain it. You cannot wait until the auditor asks and improvise.

Common Mistakes – and How to Avoid Them

Mistake 1: The Ritual Without Content

Symptom: You go through a checklist, nod, and finish in 30 minutes without real decisions.

Solution: Prepare data in advance so time can focus on discussion and decisions. Ask questions: "What does this mean for our strategy?" "What actions should we take?"

Mistake 2: Delegation to Middle Manager

Symptom: The quality manager conducts management review with their team without the management team participating.

Solution: The ISO requirement is clear – top management (the management team) should participate. Book in the management team well in advance and explain why they must be present.

Mistake 3: Incomplete Inputs

Symptom: You go through some key metrics but miss half of the ISO requirements for inputs.

Solution: Use a checklist based on 9.3.2 in your standard. Tick off all points in the agenda.

Mistake 4: No Concrete Decisions

Symptom: The minutes say "we note that customer satisfaction is declining" but no action is decided.

Solution: Every problem you find should lead to: decision on action, responsible person, and deadline. If you choose not to act, document why.

Mistake 5: Poor Documentation

Symptom: Thin notes without evidence of what decisions were made or what inputs were reviewed.

Solution: Create a template for minutes that covers all ISO requirements. Attach inputs (key metrics, audit reports) as appendices.

Mistake 6: No Follow-Up

Symptom: Last year's decisions are forgotten, no actions are implemented.

Solution: The first item at every review is status from the previous one. Track actions in a system and follow up quarterly.

Difference Between Management Review and Other Activities

"Can't we just address this at our regular management team meeting?" Understandable question, but there are important differences:

Management Review vs. Management Team Meeting

Management review aims to review the management system strategically. It occurs at planned intervals (often annually) and focuses on the system's suitability and effectiveness. The inputs are defined by ISO standard (9.3.2), and the outcome is specific decisions that ISO requires. Documentation is a formal protocol for certification.

Management team meeting aims to run operations. It occurs regularly (weekly or monthly) and focuses on daily issues and projects. The agenda is free and based on needs, and the outcome is operational decisions and follow-up. Documentation is regular meeting minutes.

Can you combine them? Yes, but only if:

• The agenda covers ALL ISO requirements for inputs
• Top management (the management team) participates
• You document decisions according to ISO requirements
• You plan timing and frequency in advance (not ad hoc)

Management Review vs. Board Meeting

Management review is the executive management's responsibility and focuses on the management system according to ISO requirements. Participants are the management team and system managers, and requirements come from the ISO standard.

Board meeting is the board's (owner representatives') responsibility and focuses on corporate governance from an owner perspective. Participants are board members and CEO, and requirements come from company law and articles of association.

Management review is the executive management's responsibility, not the board's. They cannot replace each other.

Management Review vs. Internal Audit Reporting

Management review means top management reviews the system. The outcome is decisions on system changes.

Internal audit means the auditor reviews compliance. The outcome is non-conformities and recommendations.

Internal audit results are inputs for management review – internal audit provides data that management uses. Internal audit is a tool that provides inputs to management review, but not the same thing.

How AmpliFlow Supports Management Review

Management review is just one part of a management system. What makes a real difference is how well all parts connect – from daily non-conformities to annual strategic review.

AmpliFlow is a complete management system where all the tools you need are gathered:

All Inputs in One Place

Stakeholder analysis and context
Your stakeholder analysis is in AmpliFlow. At management review, you click the link in the checklist and see current data – no manual compilation needed. Read more in our guide on stakeholder analysis in ISO 9001. Want to deepen the context analysis with SWOT? That's included in our MAXI package where you get help from a management consultant.

Customer requirements matrix and legal register
All customer requirements and legal requirements are registered with status, responsible party, and how you fulfil them. The checklist leads you directly to the right view.

Risk register
Your risk management provides direct inputs on how well you are handling risks and opportunities. See our guide on operational risk management.

Objectives and KPIs
Quality objectives and environmental objectives gathered in one place. You track objective achievement continuously, not just at annual review.

Non-conformity dashboard
All non-conformities, customer feedback, and improvement suggestions are gathered with grading and trends. Filter by severity, time period, or process – you create the inputs in minutes instead of hours.

[IMAGE: Screenshot of AmpliFlow non-conformity dashboard with graph showing non-conformities by severity level]

Checklist That Guides You Through the Entire Process

AmpliFlow's cloud library contains ready-made checklists for management review according to ISO 9001, 14001, 45001, and integrated systems. The checklist:

• Guides you through all 18 areas step by step
• Indicates who is responsible for each part (CEO, quality manager, environmental manager, etc.)
• Contains direct links to the right data in the system
• Provides decision suggestions so you don't have to formulate from scratch
• Automatically creates trackable actions from your decisions

Documentation the Auditor Wants to See

Automatic archiving
Minutes and supporting materials are saved with version and timestamp. You can always go back and see exactly what you decided.

Complete audit trail
When the certification auditor asks "Show me the latest management review," you retrieve everything in seconds – checklist, inputs, decisions, and follow-up.

Actions that are followed up
Decisions from management review become actions with responsible party and deadline. The next review starts with a status report on what has happened.

[IMAGE: Screenshot showing how management review minutes are archived in AmpliFlow with links to decided actions]

Integration: One Management Review for Multiple ISO Standards

If you are certified to multiple ISO standards (e.g. ISO 9001 + ISO 14001 + ISO 45001), you can conduct one management review for all systems simultaneously. Here is how:

Preparation

Create integrated agenda
Structure the agenda so each input area covers all standards:

Example: Performance and objective achievement

• Quality objectives (ISO 9001): customer satisfaction, delivery precision
• Environmental objectives (ISO 14001): energy consumption, waste reduction
• Occupational health and safety objectives (ISO 45001): incident frequency, absence

Gather standard-specific inputs
Some input requirements are unique to each standard:

• ISO 9001: supplier performance, product conformity
• ISO 14001: environmental aspects, environmental legal compliance
• ISO 45001: work-related injuries, employee consultation
• ISO 27001: security incidents, vulnerability analyses

Group these under common headings for flow.

Standard-specific focus in management review

Management review according to ISO 14001 focuses on environmental aspects, legal compliance, and environmental performance. Management review according to ISO 45001 requires employee consultation, incident analysis, and occupational health and safety objectives. Management review according to ISO 9001 reviews supplier performance, product conformity, and customer satisfaction. By integrating these into one process, you get a holistic perspective on your operations.

Documentation

One protocol, clear connections
Write one joint protocol but be clear about which decisions relate to which standard:

Example:

• "Decision: Increase internal audits from 4 to 6 per year (ISO 9001, 14001, 45001)"
• "Decision: Revise information security classification by 31 March (ISO 27001)"

Benefits of Integration

• Time-efficient: One process instead of three
• Holistic perspective: See connections between quality, environment, and safety
• Better decisions: Integrated actions have greater effect
• Less administration: One protocol, one follow-up

Requirements for Integration

• You must cover all input requirements from all standards
• You must make all output decisions that the standards require
• Documentation must clearly show which standard requirements you fulfil
• Participants must have competence for all system areas (or invite experts as needed)

Summary: Make Management Review a Strategic Tool

Management review does not have to be an administrative burden. When you do it right, it becomes a strategic tool that:

• Provides overview: Top management sees how the management system is performing
• Drives improvement: Concrete decisions that raise performance
• Connects to strategy: The system supports your business strategy
• Allocates resources: You prioritise the right investments
• Fulfils ISO requirements: You pass certification audit

Next Steps

If you want to do it yourself:

1. Plan your next management review – choose a date at least 4 weeks ahead
2. Create an agenda based on the 18 areas in this guide
3. Start gathering data from your processes, risks, and objectives
4. Conduct the review with focus on decisions, not just reporting

If you want support:

AmpliFlow gives you:

• A complete checklist with 18 areas that guides you step by step
• Tools for all the data you need: stakeholder analysis, risk register, non-conformity management, objective management, legal register, supplier register, process maps, and more
• Tools for managing documents and files – no need for file servers or SharePoint
• Connection between daily work and annual review
• Documentation the auditor wants to see

Management review is just the beginning. With AmpliFlow, you get a complete management system where everything connects – from the employee's non-conformity report to management's strategic decisions.

[IMAGE: Screenshot of AmpliFlow main menu showing all tools: Processes, Risks, Objectives, Non-conformities, Audits, Checklists, etc.]

Related articles:

• Stakeholder Analysis in ISO 9001 – How to build the foundation for management review
• SWOT Analysis for Management Systems – Deepen the context analysis (common for larger organisations)
• Operational Risk Management – Connect the risk register to management review
• Non-conformity Management – How to handle non-conformities that become inputs at the review
• Supplier Management in ISO 9001 and 14001 – Review supplier performance
• Objectives and Goal Management – Follow up objective achievement at management review

Want to see how it works? Book a demo so we can show you how AmpliFlow's management review checklist works in practice.