Management review is a requirement in all modern ISO management system standards. Yet many organisations carry out this process as an administrative ritual without real value. In this guide, we explain what management review is, what the ISO standards require, and how to make it a strategic tool rather than a burden.
Important to know: This article provides practical guidance on management review based on ISO requirements. For the exact standard text, you need access to the official ISO standards.
What is Management Review?
Management review is a formal process where your top management reviews the management system. The purpose is to verify that the system works, delivers the right results, and supports your business strategy.
All modern ISO management system standards require this in clause 9.3:
- ISO 9001 (quality management)
- ISO 14001 (environmental management)
- ISO 45001 (occupational health and safety)
- ISO 27001 (information security)
Thanks to ISO’s common framework, all these standards have identical requirements for management review. This means companies with multiple certifications can conduct an integrated process covering all systems.
Why is Management Review Required?
The ISO standards require management review for five strategic reasons:
1. Engage leadership — Management systems must not become isolated projects run solely by the quality or environmental manager. Top management must be involved and take responsibility.
2. Connect the system to strategy — The management system should support your business strategy, not run as a parallel track. Management review confirms this is the case.
3. Review performance — You review measurement data and results to see if the system delivers the desired effect. Are your processes working? Are you achieving your objectives?
4. Decide on improvements — Based on data, you make concrete decisions about changes, improvements, and priorities.
5. Allocate resources — You determine what resources (personnel, budget, tools) are needed for the management system to function.
What ISO Requires: Inputs and Decisions
The requirements for management review are essentially identical in ISO 9001, 14001, 45001, and 27001. Here is what you need to prepare and what decisions to make.
Inputs You Should Prepare
Follow-up from last time — Start by reviewing what you decided at the previous review. Have the actions been implemented? Did you achieve the expected effect?
Changes in the external environment and organisation — Has anything significant happened since last time? New legislation, changed customer requirements, reorganisation, new products or services?
How you are performing — Review key metrics and trends:
- Customer satisfaction and customer feedback
- Objective achievement – are you meeting your quality and environmental objectives?
- Process performance – are the processes working?
- Non-conformities – what problems have arisen and how have you handled them?
- Audit results – what have internal and external audits shown?
- Supplier performance – are suppliers meeting expectations?
Resources — Do you have enough personnel, the right competencies, and functioning tools?
Risks and opportunities — Is your risk management working? Have new risks emerged? Are you capitalising on opportunities?
Improvement suggestions — What ideas have come in? Where are the bottlenecks?
Standard-specific inputs — Depending on which standards you are certified to, you also need to address:
- ISO 14001: environmental aspects, compliance with environmental requirements
- ISO 45001: incidents, work-related injuries, employee participation
- ISO 27001: security incidents, vulnerabilities, threat landscape
Decisions You Should Make
Management review should result in concrete decisions on:
- Improvements — What improvement actions should you implement? Who is responsible and when should it be completed?
- Changes to the management system — Do you need to change processes, update policies, or introduce new working methods?
- Resources — What budget, personnel, or competencies are needed going forward?
Documentation
Save minutes and supporting materials from the review. The certification auditor will want to see them.
Practical Implementation: Step by Step
Here is how you conduct an effective management review in four steps:
Plan the process
3–4 weeks before
- Set date and participants
- Top management (the management team) should participate
- Management system manager (quality manager, environmental manager, etc.)
- Relevant department managers depending on the agenda
- Create agenda structured according to ISO requirement inputs
Gather inputs
2–3 weeks before
- Compile key metrics and trend data
- Obtain results from internal audits
- Retrieve customer complaints or feedback data
- List identified risks and non-conformities
- Document resource status
- Collect improvement suggestions
- Send out materials at least one week in advance
Conduct the review
2–2.5 hours
- Present data briefly (maximum 30% of time)
- Discuss: What does this mean? (40% of time)
- Make concrete decisions (30% of time)
- Document decisions in real-time: who is responsible, when complete, what resources
Follow up
Within 48 hours
- Send out minutes within 48 hours
- Add decided actions to action tracking system or project plan
- Follow up regularly
- Archive minutes and supporting materials for certification auditor
Examples of concrete decisions:
- “We are increasing the budget for internal audits by SEK 50,000 next year” (resource decision)
- “Lars is responsible for revising our environmental policy by 15 December” (change decision)
- “We are implementing monthly energy measurements in production from January” (improvement decision)
Interactive Checklist: All 18 Areas
Management review becomes concrete when you link it to a clear, reusable checklist. Without structure, you easily miss areas or get stuck in discussions without decisions.
Below you can explore all agenda items — the same structure AmpliFlow customers use in practice. For each item, the checklist lists what data is needed, where it lives, and what decisions management should make.
Management review checklist
ISO requires specific inputs for management review. With a checklist template in AmpliFlow, you ensure nothing is missed — and the data is already in the system.
Status of internal and external audits since last review.
Relevant data available in:
- Audits: Completed audits, findings and status
- Deviations: Audit-related deviations and their action status
Decisions to make
- Does the audit frequency need adjusting?
- Are extra resources needed to close open deviations?
Customer satisfaction, complaints, and feedback.
Relevant data available in:
- Improvements: Incoming customer complaints and status
- Goals: Customer satisfaction targets and outcomes
Decisions to make
- Are there patterns in customer complaints?
- Does customer communication need improvement?
How well processes deliver against established goals.
Relevant data available in:
- Processes: Process map with linked data
- Goals: Goal achievement per process
- Reports: KPIs and trend data
Decisions to make
- Which processes need resources or improvement efforts?
- Do the goals need adjusting?
Trends in nonconformities and the effectiveness of corrective actions.
Relevant data available in:
- Deviations: All deviations with category, cause and status
- Actions: Corrective actions and their effectiveness
Decisions to make
- Is root cause analysis working? Are the same types of deviations recurring?
- Are preventive actions needed?
Changes in the risk landscape and new opportunities.
Relevant data available in:
- Risks: Risk register with current assessments
- Stakeholders: Changed stakeholder requirements
Decisions to make
- Are the risk treatments sufficient?
- Should we act on identified opportunities?
Resource requirements to maintain and improve the management system.
Relevant data available in:
- Competence: Competence needs and training plan
- Actions: Resource-intensive actions
Decisions to make
- What investments are needed for the coming period?
- Is there sufficient competence for planned improvements?
AmpliFlow's cloud library includes ready-made checklist templates for management review — download, customise and go. All the data you need is already in the system.
Two Phases per Area: Prepare and Decide
Each area in the checklist above has two phases:
- “Before” phase – The responsible person prepares the inputs before the meeting. The checklist specifies exactly what to check and update.
- “Review” phase – The management team reviews the inputs and makes decisions. The checklist indicates what should be documented.
The structure separates preparation from decisions and ensures the right people do the right things.
Example: Customer Requirements Review in Practice
Here is what “Before Customer Requirements Review” contains in AmpliFlow:
The responsible person checks before the meeting:
- All known customer requirements are registered in the customer requirements matrix
- Relevance has been indicated for all requirements
- A summary of the requirement is documented
- How you fulfil each requirement is described
- An internal knowledge expert has been identified for each requirement
- Reference to detailed information exists
Question for management: “Are there new or changed customer requirements that management needs to be informed about?”
At “Customer Requirements Review”: The management team makes decisions and documents them, e.g.: “The following new customer requirements have been identified: X. Management decides that Y is responsible for updating working methods by Z.”
What Makes the Difference
The AmpliFlow checklist gives you:
- Direct links to the right view – stakeholder analysis, customer requirements matrix, legal register, non-conformity dashboard, risk register. Click and see current data directly.
- Concrete checkpoints – No guessing about what “review stakeholders” means. Each point specifies exactly what you should check.
- Decision support – Suggestions for how to formulate decisions, e.g. “Management notes that the environmental legal register is updated, but we need to create action plans for some of the new legislation.”
- Action tracking – Decisions automatically become trackable activities with responsible party and deadline.
- Connection to the rest of the system – Non-conformities, risks, objectives, and suppliers you review are the same data you work with daily.
How Often Should Management Review Be Conducted?
The ISO standards say “at planned intervals” – you decide the frequency yourself. Here is how to choose:
Annual Review (most common)
Suits you if: Stable operations with few major changes, established management system that works well, or limited resources for reviews.
Common timing: In connection with annual accounts and planning (January–March), before certification audit, or at management’s strategy meeting.
Semi-annual Review
Suits you if: Changing industry with rapid shifts, growing company with many new projects, or multiple certifications requiring coordinated governance.
Quarterly Review
Suits you if: High-risk environment where safety is critical, significant compliance requirements (regulatory oversight), or ongoing major changes (restructuring, new product lines).
Important: “Planned intervals” means you decide frequency in advance and maintain it. You cannot wait until the auditor asks and improvise.
Common Mistakes – and How to Avoid Them
Difference Between Management Review and Other Activities
“Can’t we just address this at our regular management team meeting?” Understandable question, but there are important differences:
Management Review vs. Management Team Meeting
| | Management Review | Management Team Meeting |
|---|---|---|
| Purpose | Review the management system strategically | Run operations |
| Frequency | Planned intervals (often annually) | Regular (weekly/monthly) |
| Focus | System suitability and effectiveness | Daily issues and projects |
| Inputs | Defined by ISO standard (9.3.2) | Free agenda based on needs |
| Outcome | Specific decisions required by ISO | Operational decisions and follow-up |
| Documentation | Formal protocol for certification | Regular meeting minutes |
Management Review vs. Board Meeting
| | Management Review | Board Meeting |
|---|---|---|
| Responsibility | Executive management | Board (owner representatives) |
| Focus | Management system per ISO requirements | Corporate governance from owner perspective |
| Participants | Management team and system managers | Board members and CEO |
| Requirements | ISO standard | Company law and articles of association |
Management Review vs. Internal Audit
| | Management Review | Internal Audit |
|---|---|---|
| Performed by | Top management reviews the system | Auditor reviews compliance |
| Outcome | Decisions on system changes | Non-conformities and recommendations |
| Relationship | Uses audit data as input | Provides data to management review |
How AmpliFlow Supports Management Review
Management review is just one part of a management system. What makes a real difference is how well all parts connect – from daily non-conformities to annual strategic review.
AmpliFlow is a complete management system where all the tools you need are gathered:
All Inputs in One Place
Stakeholder analysis and context — Your stakeholder analysis is in AmpliFlow. At management review, you click the link in the checklist and see current data – no manual compilation needed. Read more in our guide on stakeholder analysis in ISO 9001. Want to deepen the context analysis with SWOT? That’s included in our MAXI package where you get help from a management consultant.
Customer requirements matrix and legal register — All customer requirements and legal requirements are registered with status, responsible party, and how you fulfil them. The checklist leads you directly to the right view.
Risk register — Your risk management provides direct inputs on how well you are handling risks and opportunities. See our guide on operational risk management.
Objectives and KPIs — Quality objectives and environmental objectives gathered in one place. You track objective achievement continuously, not just at annual review.
Non-conformity dashboard — All non-conformities, customer feedback, and improvement suggestions are gathered with grading and trends. Filter by severity, time period, or process – you create the inputs in minutes instead of hours.
Checklist That Guides You Through the Entire Process
AmpliFlow’s cloud library contains ready-made checklists for management review according to ISO 9001, 14001, 45001, and integrated systems. The checklist:
- Guides you through all 18 areas step by step
- Indicates who is responsible for each part (CEO, quality manager, environmental manager, etc.)
- Contains direct links to the right data in the system
- Provides decision suggestions so you don’t have to formulate from scratch
- Automatically creates trackable actions from your decisions
Documentation the Auditor Wants to See
Automatic archiving — Minutes and supporting materials are saved with version and timestamp. You can always go back and see exactly what you decided.
Complete audit trail — When the certification auditor asks “Show me the latest management review,” you retrieve everything in seconds – checklist, inputs, decisions, and follow-up.
Actions that are followed up — Decisions from management review become actions with responsible party and deadline. The next review starts with a status report on what has happened.
One Management Review for Multiple ISO Standards
If you are certified to multiple ISO standards (e.g. ISO 9001 + ISO 14001 + ISO 45001), you can conduct one management review for all systems simultaneously. Here is how:
Preparation
Create integrated agenda — Structure the agenda so each input area covers all standards:
Example: Performance and objective achievement
- Quality objectives (ISO 9001): customer satisfaction, delivery precision
- Environmental objectives (ISO 14001): energy consumption, waste reduction
- Occupational health and safety objectives (ISO 45001): incident frequency, absence
Gather standard-specific inputs — Some input requirements are unique to each standard:
- ISO 9001: supplier performance, product conformity
- ISO 14001: environmental aspects, environmental legal compliance
- ISO 45001: work-related injuries, employee consultation
- ISO 27001: security incidents, vulnerability analyses
Group these under common headings for flow.
Standard-specific focus — Management review according to ISO 14001 focuses on environmental aspects, legal compliance, and environmental performance. ISO 45001 requires employee consultation, incident analysis, and occupational health and safety objectives. ISO 9001 reviews supplier performance, product conformity, and customer satisfaction. By integrating these into one process, you get a holistic perspective on your operations.
Documentation
Write one joint protocol but be clear about which decisions relate to which standard:
- “Decision: Increase internal audits from 4 to 6 per year (ISO 9001, 14001, 45001)”
- “Decision: Revise information security classification by 31 March (ISO 27001)”
Benefits and Requirements
Benefits: One process instead of three. See connections between quality, environment, and safety. Integrated actions have greater effect. One protocol, one follow-up.
Requirements: You must cover all input requirements from all standards, make all output decisions that the standards require, clearly show which standard requirements you fulfil in documentation, and have competence for all system areas (or invite experts as needed).
Summary
Management review does not have to be an administrative burden. When you do it right, it becomes a strategic tool that:
- Provides overview — Top management sees how the management system is performing
- Drives improvement — Concrete decisions that raise performance
- Connects to strategy — The system supports your business strategy
- Allocates resources — You prioritise the right investments
- Fulfils ISO requirements — You pass certification audit
Next Steps
If you want to do it yourself:
- Plan your next management review – choose a date at least 4 weeks ahead
- Create an agenda based on the checklist above
- Start gathering data from your processes, risks, and objectives
- Conduct the review with focus on decisions, not just reporting
If you want support:
AmpliFlow gives you a complete checklist with 18 areas that guides you step by step, tools for all the data you need (stakeholder analysis, risk register, non-conformity management, objective management, legal register, supplier register, process maps), connection between daily work and annual review, and documentation the auditor wants to see.
Management review is just the beginning. With AmpliFlow, you get a complete management system where everything connects – from the employee’s non-conformity report to management’s strategic decisions.
Related articles:
- Stakeholder Analysis in ISO 9001 – How to build the foundation for management review
- SWOT Analysis for Management Systems – Deepen the context analysis
- Operational Risk Management – Connect the risk register to management review
- Non-conformity Management – How to handle non-conformities that become inputs at the review
- Supplier Management in ISO 9001 and 14001 – Review supplier performance
- Objectives and Goal Management – Follow up objective achievement at management review
Want to see how it works? Book a demo so we can show you how AmpliFlow’s management review checklist works in practice.