Article · in the ISO 22301 series

ISO 22301 §9.3 Management Review: A Template That Survives Audit

Management review is one of the most under-invested clauses in ISO 22301 — and one of the most-sampled. A practical template covering required inputs, decision capture and outputs.

The BCM Desk · BCMStack Editorial · Riyadh
18 March 2026 · 5 min read

§9.3 of ISO 22301 is the management-review clause. It is short — under a page of standard text — but it is one of the clauses Stage 2 auditors sample most predictably, because it is where they verify that top management is actually running the BCMS rather than rubber-stamping it.

This article gives a working template for a §9.3 review that holds up under audit. The parent topic is our ISO 22301 implementation pillar.

What §9.3 requires

The standard requires top management to review the BCMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The review must consider specific inputs and produce specific outputs.

Required inputs:

  • Status of actions from previous management reviews
  • Changes in external and internal issues relevant to the BCMS
  • Information on BCM performance — non-conformities, monitoring and measurement results, audit results, performance of exercises and the BCP
  • Feedback from interested parties
  • Information about risks and opportunities not adequately addressed in the previous risk assessment
  • Opportunities for continual improvement

Required outputs:

  • Decisions related to continual-improvement opportunities
  • Any need for changes to the BCMS
  • Resource needs

The clause does not specify cadence, but most certification bodies expect at least an annual cycle, with quarterly or semi-annual reviews for larger or more regulated organisations.

A working template

Run management review as a structured meeting with a documented agenda and a meeting record that maps cleanly to the §9.3 requirements. The template below is what we have seen work across audits.

Section 1: Previous actions

For every action open at the last review:

  • Action description and owner
  • Original due date
  • Current status (completed, in progress, blocked, deferred)
  • If deferred or blocked, the rationale and revised target date

The single most common §9.3 finding is open actions ageing past their due date with no documented re-prioritisation. Catch this here.

Section 2: Context changes

What has changed since the last review that affects the BCMS?

  • Regulatory changes (e.g. updated SAMA expectations, new data-residency requirements)
  • Organisational changes (new business lines, new locations, restructures, acquisitions, divestments)
  • Technology changes (new platforms, vendor changes, infrastructure migrations)
  • External-event signals (industry incidents, peer-organisation disruptions)

Each change should have a documented impact assessment — "does this affect BCMS scope, BIA, plans or strategy?" Most won't. Those that do drive specific decisions later in the meeting.

Section 3: Performance information

The substantive content of the review. Cover:

  • Non-conformities raised since the last review (internal audit, external audit, real-world incidents). Status of corrective actions.
  • BCM performance metrics — exercises performed vs planned, plans currency status, BIA refresh status, real-world activations.
  • Internal audit results since the last review. Open findings.
  • Exercise outcomes — the AARs from the period. The pattern of findings (technical, process, people).
  • §8.5 activation log review — real-world activations and outcomes.

Auditors will sample this section line by line in Stage 2. Make sure each bullet point is backed by a referenced artefact: AAR ID, exercise ID, audit-finding ID, plan ID.

Section 4: Interested-party feedback

Inputs from regulators (SAMA examinations, supervisory letters), customers (complaints or queries related to availability or resilience), and key vendors (their BCM-related communications).

For SAMA-regulated entities, this is where the SAMA examination findings and feedback live. Even informal supervisory feedback should be captured here.

Section 5: Risks and opportunities

Risks newly identified or escalated since the last review. New continuity-related opportunities — new tooling, new processes, new partnerships that could materially improve the BCMS.

Section 6: Decisions and outputs

The most-sampled section of the §9.3 record. Capture explicit decisions:

  • Approved improvement actions, with owner and due date
  • BCMS changes — scope additions/removals, methodology updates
  • Resource decisions — headcount, budget, technology investment
  • Communications to top management, the board, regulators

Common §9.3 failure modes

Across the audits we have visibility into, the same failure modes recur:

The attendance trap. Minutes record who attended but not what was decided. Audit finding.

Stale inputs. The "performance information" section references audit findings or AARs from three cycles ago, not the current period. The committee is reviewing yesterday's news. Audit finding.

Drift between minutes and improvement register. The minutes say five actions were agreed; the improvement register only contains three. Audit finding.

No top-management presence. Management review attended only by the BCM team. §9.3 explicitly requires top-management ownership. Major audit finding.
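The checks above (aged actions with no re-prioritisation, performance bullets without an artefact reference, decisions that never reach the improvement register, no top-management presence) can be run mechanically against the review record before it is filed. The script below is an added example written for this article, not BCMStack code; the record layout and the sample minutes are assumptions constructed here.

```python
"""Pre-filing consistency checks for a §9.3 management-review record.

Added example, not part of the original article or any product. The record
layout (minutes dict, improvement register set, top-management list) is an
assumption; each check maps to one of the failure modes described above.
"""
from datetime import date

# Constructed sample: minutes of one review plus the improvement register.
MINUTES = {
    "review_date": date(2026, 3, 18),
    "attendees": ["CEO", "COO", "BCM Lead"],
    "previous_actions": [
        {"id": "A-101", "due": date(2025, 12, 1), "status": "in progress", "revised_due": None},
        {"id": "A-102", "due": date(2026, 6, 30), "status": "in progress", "revised_due": None},
        {"id": "A-103", "due": date(2025, 11, 15), "status": "deferred", "revised_due": date(2026, 5, 1)},
    ],
    "performance": [
        {"text": "Q4 data-centre failover exercise", "artefact": "EX-2025-Q4"},
        {"text": "Internal audit finding on plan currency", "artefact": None},
    ],
    "decisions": [
        {"id": "A-201", "owner": "COO", "due": date(2026, 6, 30)},
        {"id": "A-202", "owner": "CIO", "due": date(2026, 9, 30)},
    ],
}
REGISTER = {"A-101", "A-102", "A-103", "A-201"}  # A-202 was agreed but never registered
TOP_MANAGEMENT = {"CEO", "COO", "CFO"}            # roles that count as top management


def check_review(minutes, register, top_mgmt):
    """Return a list of (finding, detail) tuples; an empty list means the record is clean."""
    findings = []
    today = minutes["review_date"]
    # Section 1: open action past its due date with no documented revised target.
    for a in minutes["previous_actions"]:
        if a["status"] != "completed" and a["due"] < today and not a["revised_due"]:
            findings.append(("aged action without re-prioritisation", a["id"]))
    # Section 3: every performance bullet must cite an artefact (AAR, exercise, audit finding).
    for p in minutes["performance"]:
        if not p["artefact"]:
            findings.append(("performance item without artefact reference", p["text"]))
    # Section 6: every decision must exist in the improvement register (minutes/register drift).
    for d in minutes["decisions"]:
        if d["id"] not in register:
            findings.append(("decision missing from improvement register", d["id"]))
    # Attendance: at least one top-management role must be present.
    if not top_mgmt & set(minutes["attendees"]):
        findings.append(("no top-management attendance", ""))
    return findings
```

On the sample record this reports three findings: A-101 aged without re-prioritisation, one unreferenced performance item, and A-202 missing from the register.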

Cadence options

The standard is silent on cadence. In practice:

  • Annual minimum. Acceptable for small organisations with stable scope. One full review covering all inputs.
  • Semi-annual. Common for mid-market. Full review twice a year; lighter quarterly check-ins on action status.
  • Quarterly. Larger or more regulated entities. Full structured review each quarter, with a designated "annual" review carrying additional scope (full BCMS assessment, certification cycle prep).

Whatever the cadence, lock it in the BCM policy and stick to it. Missed reviews are an immediate audit flag.

The output that matters

The single artefact that comes out of a §9.3 review and matters most to the rest of the BCMS is the updated improvement-action register. Every decision turns into a tracked action; every action has an owner, due date and source. The register feeds the next review. The cycle closes.

For the broader audit context, see the ISO 22301 implementation pillar. For the way this surface is operationalised, the BCMStack reporting module carries the §9.3 record alongside the underlying artefacts the review references.
