Management review
ISO/IEC 20000-1 Clause 9.3 requires top management to review the service management system (SMS) at planned intervals to confirm it remains suitable, adequate, and effective. To operationalize this quickly, establish a documented management review cadence, define the required inputs and outputs, run a structured agenda led by accountable executives, and retain the minutes together with the resulting decisions as tracked actions.
Key takeaways:
- Management review is an executive control: top management must actively evaluate the SMS on a planned cadence, not delegate it away.
- Auditors look for more than a meeting; they expect defined inputs, recorded outputs, and closed-loop corrective actions tied to SMS performance.
- The fastest path to compliance is a repeatable agenda, a standard evidence pack, and action tracking that shows follow-through.
“Management review” in ISO/IEC 20000-1 is not a ceremonial quarterly meeting. Clause 9.3 is a governance requirement that forces the people with authority (top management) to periodically test whether the service management system still fits the organization, still works as intended, and still produces acceptable outcomes. The clause is short, but auditors treat it as a proof point that leadership owns the SMS rather than treating it as an IT process set.
Operationally, you should treat management review as a decision-making forum with a fixed agenda and a predictable evidence package: performance trends, nonconformities, corrective actions, risk and opportunity items, and changes that could impact the SMS. The output should be decisions and actions: what will change, who owns it, and how you will verify effectiveness.
If you support services delivered through third parties (outsourcers, SaaS, managed service providers, critical subcontractors), management review is also where you demonstrate executive awareness of service delivery dependencies and whether the SMS controls still cover them. Done well, this review becomes the backbone of continuous improvement; done poorly, it becomes an easy audit finding because it leaves little objective evidence. The requirement is explicit: planned intervals, top management review, and a focus on suitability, adequacy, and effectiveness. 1
Regulatory text
Requirement (excerpt): “Top management shall review the service management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.” 1
What the operator must do
You must implement a planned, repeatable management review process where top management evaluates the SMS and makes decisions based on evidence. The review must address three tests:
- Suitability: Does the SMS still fit the organization’s purpose, service portfolio, customer needs, and operating model?
- Adequacy: Is the SMS sufficiently resourced and designed to meet requirements (scope, policies, processes, tools, roles)?
- Effectiveness: Is the SMS achieving intended outcomes (service performance, control performance, continual improvement)?
A compliant implementation is one where an auditor can see: (1) the schedule, (2) who attended and their authority, (3) what evidence was reviewed, (4) what decisions/actions were made, and (5) proof those actions were completed and validated.
Plain-English interpretation (what this really means)
Top management has to periodically “call the question” on whether service management is working. You are not being asked to prove perfection. You are being asked to prove that leadership is informed, engaged, and driving improvement using a structured review.
If your “management review” is a slide deck with no decisions, or it’s run only by the SMS manager without executive participation, you will struggle to defend compliance. If it happens ad hoc with no plan, you will struggle to show “planned intervals.”
Who it applies to
Entity types
- Service providers delivering services internally or to external customers.
- Organizations operating a service management system within their service scope. 1
Operational contexts where this shows up in audits
- Central IT / enterprise service management (ITSM) organizations
- Managed service providers and cloud/service operations teams
- Shared services (HR IT, facilities IT, internal platforms) with defined service catalogs
- Regulated environments where service availability and change governance are high-risk
- Environments with material third-party delivery (critical SaaS/outsourcing)
What you actually need to do (step-by-step)
1) Define the management review procedure (lightweight, but explicit)
Write a short procedure (or integrate into your SMS governance doc) that states:
- Review cadence (“planned intervals”)
- Minimum attendance/roles required to count as “top management review”
- Required inputs (evidence pack)
- Required outputs (decisions/actions, resource commitments, improvement items)
- Recordkeeping requirements (minutes, action log, approvals)
Keep it operational. Auditors prefer a simple, followed process over a long, ignored one.
2) Set a cadence and lock it to the business calendar
Pick an interval that matches how fast your services and risks change. Define a calendar for the year (even if it’s subject to rescheduling) and record it.
Practical tip: align the review with an existing executive rhythm (service ops QBRs, risk committee, or leadership meetings), but do not let it disappear into a broader agenda. You need a distinct SMS management review section with its own evidence and minutes.
3) Define “top management” participation and accountability
Decide which roles constitute top management for your SMS scope (for example: CIO/CTO, Head of Service Delivery, VP Operations, or equivalent). Document:
- Who chairs the review
- Who is accountable for decisions
- Who can approve resources and priorities
If executives cannot attend, define a documented delegate model only for presentation; ensure final decisions and approvals still come from top management (for example, written approval of outputs).
4) Build a standard evidence pack (inputs) that you can generate repeatedly
Create a consistent template that includes, at minimum:
- SMS performance overview: major incidents, trends, SLA/OLA performance, customer complaints, service availability themes
- Internal audit results and status of corrective actions
- Nonconformities and root cause themes
- Status of continual improvement items
- Changes that could impact the SMS: organizational changes, tooling/process changes, new services, major third-party changes
- Risks and opportunities affecting service management outcomes
- Resourcing and competency concerns (skills, staffing, training)
- Third-party service dependencies and problem themes (if material to service delivery)
The point is repeatability. A management review that depends on heroic manual assembly tends to degrade over time.
5) Run the meeting with a decision-driven agenda (outputs)
Use an agenda that forces outcomes:
- Confirm scope still matches reality (services, locations, teams, third-party dependencies)
- Review performance and control signals (what improved, what degraded, what is unstable)
- Decide on corrective actions and improvement priorities
- Confirm whether policy/process changes are required
- Decide on resource changes (funding, staffing, tooling) where needed
- Assign owners and due dates in an action log
- Define how effectiveness will be verified (what evidence will prove the action worked)
A reliable pattern is: signal → decision → action → verification method.
6) Track actions to closure (and validate effectiveness)
Treat management review actions like corrective actions: they must be tracked, completed, and checked for effectiveness. The most common audit failure is “great minutes, no follow-through.”
If you use a GRC or ITSM tool, track actions as tasks with owners and evidence attachments. If you use a spreadsheet, control it: versioning, ownership, and status updates.
7) Retain evidence in an audit-ready package
Keep a single folder or record per review cycle with:
- agenda
- evidence pack
- attendance record
- minutes
- action log export
- approvals/sign-off (where applicable)
If you support multiple service lines, keep the central review plus any scoped reviews that feed it.
Required evidence and artifacts to retain
Auditors typically ask for objective evidence that the review occurred, was led by top management, and resulted in change control. Retain:
- Management review schedule (annual calendar or planned intervals statement)
- Management review procedure (or SMS governance document)
- Agenda and evidence pack for each review
- Attendance list with titles/roles (to prove top management participation)
- Minutes/notes capturing what was reviewed and key discussion points
- Decisions and actions log with owners and status
- Proof of completion for actions (tickets, change records, updated policies, training records)
- Effectiveness checks (post-implementation metrics, audit follow-up, trend analysis)
Common exam/audit questions and hangups
Expect questions like:
- “Show me your planned intervals. Where is the schedule documented?”
- “Who is top management for the SMS scope, and how do you prove their participation?”
- “What inputs does management review require, and where are they defined?”
- “What were the outputs of the last review? Show the action log and closure evidence.”
- “How do you confirm the SMS is still suitable/adequate/effective?”
- “How do management review actions flow into change management and continual improvement?”
Hangups that trigger findings:
- Minutes exist but are vague (“discussed performance”) with no decisions.
- Actions exist but have no owners, no completion evidence, or no effectiveness validation.
- The meeting happens, but attendance does not include top management.
Frequent implementation mistakes (and how to avoid them)
- Treating management review as a presentation
  - Fix: Require at least a few explicit decisions per review cycle (policy/process changes, risk acceptances, improvement priorities, resourcing calls).
- No defined inputs
  - Fix: Maintain a stable evidence pack checklist. If data is missing, record it as an action (for example, “create KPI report for X”).
- Top management absent
  - Fix: Put the review on executive calendars well in advance and tie it to existing governance. If attendance slips, reschedule rather than downgrading the session.
- Actions don’t close
  - Fix: Use the same rigor as corrective action tracking: owner, due date, status, evidence, effectiveness check.
- Scope drift
  - Fix: Include a scope confirmation item each review. If services moved to a third party, call out what SMS controls change.
Enforcement context and risk implications
No public enforcement cases were provided for this requirement. Practically, the risk is audit nonconformity and loss of confidence that the SMS is governed. Management review is also where systemic failures surface: recurring incidents, weak change outcomes, chronic third-party issues, and under-resourcing. If you cannot show executive review and decisions, you will struggle to prove the SMS is controlled and improving. 1
A practical 30/60/90-day execution plan
First 30 days (stand up the mechanism)
- Identify who qualifies as top management for the SMS scope and confirm a chairperson.
- Draft the management review procedure and templates (agenda, minutes, action log).
- Build the initial evidence pack outline and assign data owners (ITSM, audit, incident/problem, change, supplier/third-party management).
- Publish the planned review cadence on the governance calendar.
By 60 days (run the first review and produce audit-ready outputs)
- Assemble the first evidence pack using real operational data.
- Conduct the management review with documented attendance and minutes.
- Capture a prioritized action list with owners and due dates.
- Route approvals/sign-off according to your governance model and store records centrally.
By 90 days (prove follow-through and effectiveness)
- Close the highest-risk actions or document justified delays with compensating controls.
- Show effectiveness checks for completed actions (trend improvement, reduced recurrence, audit follow-up).
- Refine the evidence pack based on what executives found useful and what auditors asked for.
- Integrate management review actions into your continual improvement and change management workflows.
Where Daydream fits (practical, not theoretical)
If you struggle with repeatable evidence and action closure, Daydream can act as the system of record for management review: templated agendas and evidence requests, centralized minutes, and tracked actions with attachments. The goal is not more tooling; it’s fewer “lost” decisions and a clean audit trail when ISO/IEC 20000-1 auditors ask for proof.
Frequently Asked Questions
What counts as “planned intervals” for management review?
ISO/IEC 20000-1 Clause 9.3 requires planned intervals but does not prescribe a specific frequency. Pick an interval that matches your service volatility, document it, and follow it consistently. 1
Can the SMS manager run the review without executives present?
You can have the SMS manager present the pack, but Clause 9.3 requires top management to conduct the review. If executives cannot attend, you still need evidence that top management reviewed and approved the outputs. 1
What’s the minimum evidence an auditor will expect?
Expect to show a schedule, attendance proving top management participation, the evidence pack, minutes, and an action log with closure evidence. Weakness in any one of these usually becomes an audit hangup. 1
How do we show “suitability, adequacy, and effectiveness” without writing a long narrative?
Use a structured minutes template with three headings and bullet decisions under each. Tie each heading to concrete signals (performance trends, audit results, resourcing gaps, major changes) and record resulting actions. 1
Do third-party services need to be part of management review?
If third parties are in scope for service delivery, the SMS review should consider whether controls and performance oversight still work across those dependencies. Include third-party performance issues and major changes in the evidence pack when they affect service outcomes. 1
How do we prevent management review actions from stalling?
Assign a single owner for each action, track it in the same system you use for operational work, and require evidence of completion plus an effectiveness check. Make action status a standing agenda item in the next review. 1
Footnotes
1. ISO/IEC 20000-1:2018 Information technology — Service management