Management reviews is the workflow for running the periodic top-management review of the ISMS that ISO 27001 clause 9.3 and similar requirements mandate: inputs collected, meeting conducted, decisions and actions recorded. Auditors will ask for evidence of this, and the workflow produces it directly.
🆕 What's new: The Management reviews workflow brings together what used to be spread across themed lists. Your existing reviews, decisions, and review-driven improvements are all here, exactly as they were — just on one focused page.

Setting it up
Management reviews is an Advanced workflow — there's no separate guided setup. The workflow is available directly; configuration (lead, cadence, scope) happens inline when you create your first review. Most organisations land here when an annual or twice-yearly review date is approaching.
What's on the page
Main metrics
The header carries four views of how your management review programme is doing:
- Closed management reviews over time — a monthly trend chart
- Next management review — a concrete date (e.g. Sep 15, 2026)
- Improvements from reviews — count from the latest review, with a delta vs the previous one (e.g. 12, +5 above last review)
- Closed reviews this year — against an annual goal (e.g. 8 / 12)
Actions to focus on
A prioritised list of what to handle next, grouped into three buckets:
- Unblock — issues stopping the workflow from running properly. For Management reviews: "Create first management review" and "Management review missing date".
- Strengthen — recommended next moves to make this workflow more robust. Items like "Add next management review" (when no open reviews) and "Review open management reviews".
- Maintain — scheduled reviews and check-ins on what's already in place. For example, "Review improvement actions from last management reviews".
Clicking into a bucket opens a focused list — you can resolve, refine, or check off each item without leaving the workflow page.

Documentation
The documentation that backs your management-review practice:
- Management reviews — log of scheduled and completed top-management reviews
- Improvements — review-driven improvement actions, with owner and due date
Each documentation row shows the total item count, items still to work on, the related ISMS theme, and the responsible owner.
Tasks
Below the documentation, the workflow page lists the operational tasks — for example, implementation and documentation of management reviews, and evaluation process and documentation of significant security topics. Each task shows its theme, status (Untreated / Partly done / Mostly done / Fully done), owner, priority (Low / Normal / High / Critical), and due date.
Reports
The audit-ready output Management reviews produces:
- Monthly management report — overview of management-review activity, outcomes, and progress for the period
Reports refresh from your live data, so they're always current.
How it connects to other workflows
The AI-assembled input pack pulls live state from Risk management, Incident management, Internal audits, Employee awareness, and others — so the review reflects how the ISMS is actually running, not what someone manually wrote up. Actions decided in the review feed into Continuous improvement.