ISO 9001 Management Review: What to Cover and How Often
Published 10 May 2026 · Last reviewed 26 April 2026
The ISO 9001 management review is one of the most audited — and most frequently botched — requirements in the standard. Clause 9.3 requires top management to review the QMS at planned intervals. That sounds simple. In practice, UK SMBs either skip it, treat it as a rubber-stamping exercise, or hold the meeting but fail to record the right information.
Here's what Clause 9.3 demands, a ready-to-use agenda template, and guidance on frequency.
What Clause 9.3 Requires
Three sub-clauses:
- 9.3.1 — General: Top management must review the QMS at planned intervals for continuing suitability, adequacy, effectiveness, and alignment with strategic direction.
- 9.3.2 — Inputs: Specific items that must be considered.
- 9.3.3 — Outputs: Specific decisions and actions that must result.
"Top management" means the most senior person — MD, CEO, owner. Delegating entirely to a quality manager doesn't satisfy the requirement.
Required Inputs (Clause 9.3.2)
Your review must address each of these:
a) Status of actions from previous reviews. What was decided last time? What's done? What's outstanding?
b) Changes in external/internal context. Link to Clause 4.1. New regulations (e.g., the UK Product Security and Telecommunications Infrastructure Act 2022, which took effect April 2024), market shifts, staffing changes. If you haven't mapped your context yet, the gap analysis checklist walks through Clauses 4.1 and 4.2 systematically.
c) QMS performance data: customer satisfaction (complaints, survey results, NPS), quality objectives progress, process KPIs (reject rates, on-time delivery), nonconformities and corrective actions, monitoring results, audit findings (internal and external), and supplier performance.
d) Resource adequacy. People, equipment, infrastructure — enough to deliver?
e) Risk and opportunity actions. Review your risk register. Did planned actions reduce risks? New risks emerged?
f) Improvement opportunities. Not just fixing problems — what could be done better?
Required Outputs (Clause 9.3.3)
This is where most SMBs fall short. Outputs must include decisions and actions on: opportunities for improvement, any changes to the QMS, and resource needs.
Every output must be a decision or action. "Discussed customer complaints" is not an output. "Operations director to implement new complaint triage process by 30 June, £2,000 budget for CRM module" is.
You must retain documented information as evidence. Meeting minutes, an action log, or a completed template — format doesn't matter, content does.
ISO 9001 Management Review Agenda Template
| # | Agenda Item | Clause | Source |
|---|---|---|---|
| 1 | Actions from previous review | 9.3.2(a) | Previous minutes |
| 2 | External/internal context changes | 9.3.2(b) | Context register |
| 3 | Customer satisfaction data | 9.3.2(c) | Complaint log, surveys |
| 4 | Quality objectives progress | 9.3.2(c) | Objectives tracker |
| 5 | Process KPIs | 9.3.2(c) | KPI dashboard |
| 6 | Nonconformities and corrective actions | 9.3.2(c) | NCR log |
| 7 | Audit results | 9.3.2(c) | Audit reports |
| 8 | Supplier performance | 9.3.2(c) | Supplier data |
| 9 | Resource adequacy | 9.3.2(d) | Headcount, budget |
| 10 | Risk and opportunity review | 9.3.2(e) | Risk register |
| 11 | Improvement opportunities | 9.3.2(f) | Suggestions |
| 12 | Decisions and actions | 9.3.3 | Completed during meeting |
For each item, record: what was discussed, what was decided, who owns the action, and the target date.
How Often Should You Hold Management Reviews?
The standard says "planned intervals" without specifying frequency.
Minimum: annually. Acceptable for small businesses. Most certification bodies accept it.
Recommended: every 6 months. Enough time to accumulate meaningful data while keeping the QMS responsive. For 10–50 employees, this is the sweet spot.
For fast-moving businesses: quarterly. Keep reviews shorter (60–90 minutes) since you're covering a smaller window.
What doesn't work: Reviewing only when the auditor is coming. Certification bodies check dates. If you only hold reviews in the month before surveillance audits, the pattern is obvious.
The frequency you commit to must be documented in your QMS. Stick to it — missing a committed review is a potential nonconformity.
Common Mistakes
No actions recorded. Good meeting, everyone leaves, minutes say "all items reviewed, no issues." Always record 3–5 specific actions per review.
Quality manager runs it alone. If the MD doesn't attend and isn't named in the minutes, the "top management" requirement isn't met.
Missing inputs. Auditors check every 9.3.2 sub-clause against your records. Missing supplier data or a forgotten risk register review creates gaps.
No link to previous review. Each review should start with a status update on previous actions. Without this, reviews are isolated events, not a continuous cycle.
No data. "Quality is good" isn't evidence. "Customer complaints dropped from 12 in Q1 to 7 in Q2 — a 42% reduction" is evidence. Bring numbers.
If you're not sure your processes are ready for a management review, our ISO 9001 readiness quiz covers Clause 9.3 requirements in under 5 minutes.
Management Review Checklist
Before each review, confirm:
- Top management (MD/CEO) is attending and will be named in minutes
- Data packs prepared for all Clause 9.3.2 inputs
- Previous actions tracked with known status
- Customer satisfaction data covers the period since last review
- Quality objectives progress is quantified
- Internal audit results summarised, including open findings
- Risk register updated and ready for review
- Action log template ready to capture outputs
- Minutes will record specific decisions, owners, and deadlines
Your management review is where the QMS comes together as a system, not a collection of documents. The data should flow from your quality manual processes and your internal audit results — each feeding decisions that drive improvement.
This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.
ClauseWise is coming soon
Generate your ISO 9001 and ISO 27001 documentation without consultant fees.