Ga naar inhoud

Audit & bewijs ·

ISO 27001 management review: content auditors expect in 2026

July 2026. ISO 27001 requires periodic management review of the ISMS. At surveillance auditors ask: did leadership see risks, incidents and resources — and decide on acceptance, investment and priority?

Required input (minimum)

  • status of actions from prior reviews;
  • changes in context, scope, risks, requirements;
  • internal audit, external audit, CAP results;
  • incidents, near-misses, complaints, metrics;
  • vendors/chain, awareness, continual improvement.

Output that counts

Minutes with decisions: which risks accepted, which investment approved, which scope change. Generic “we are progressing” without decision is insufficient. Link output to improvement register and budget.

More: ISMS and audit preparation. Add NIS2/GDPR items where relevant — one agenda.

Board presence: CEO or delegated leadership must be visible — CISO-only review is weak evidence for NIS2 and ISO.

KPIs leadership understands

Translate security metrics to business language: outage minutes, open major CAPs, phishing click rate, average patch time, open chain risks at top vendors. Avoid jargon without explanation.

Actions from management review must sit in improvement register with owner — follow-up next review is mandatory input. Auditors sample closed loop.

NIS2 and GDPR items on the same agenda prevent leadership hearing two stories. One minutes set, tags per framework.

Next steps in your ISMS

Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.

Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.

Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.

What to do this week

Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.

Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.

Evidence and governance

Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.

Chain and contracts

Many 2026 requirements come via customers, not only formal law scope. Align contract SLAs with your ISMS: incident notification, audit rights, patch timelines and exit. Document where contract is stricter than internal policy — management review must explicitly accept that gap or plan investment.

Continual improvement

Plan a short quarterly review: what worked, which near-miss stood out, which control needs extra attention? Record three improvement actions with owners — that is what ISO 27001, NIS2 and GDPR supervision want to see: PDCA in practice, not paper only.

Knowledge base and readiness

For deeper guidance see our knowledge base on ISMS, ISO 27001, NIS2 and GDPR. Use the readiness overview to compare priorities with your current maturity. This article is educational; engage specialists for legal or audit decisions.

Evidence and governance

Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.

Chain and contracts

Many 2026 requirements come via customers, not only formal law scope. Align contract SLAs with your ISMS: incident notification, audit rights, patch timelines and exit. Document where contract is stricter than internal policy — management review must explicitly accept that gap or plan investment.

Continual improvement

Plan a short quarterly review: what worked, which near-miss stood out, which control needs extra attention? Record three improvement actions with owners — that is what ISO 27001, NIS2 and GDPR supervision want to see: PDCA in practice, not paper only.

Deep dive in the knowledge base

Check audit readiness

Keep evidence, actions and open items aligned for stage 1 and stage 2.

View audit readiness

← Back to overview