Management review outputs
ISO 22301 Clause 9.3.3 requires that your management review produce documented outputs that make clear decisions on (1) improvement, (2) changes to the BCMS, and (3) resource needs. To operationalize it, run each review to a decision log: assign owners, due dates, and approval, then retain minutes and action tracking as evidence. 1
Key takeaways:
- Management review is not “meeting held”; it is “decisions recorded and followed through” on improvement, BCMS change, and resourcing. 1
- Your primary deliverable is a controlled set of outputs: minutes, decisions, action register entries, and approved change records. 1
- Auditors look for traceability from review inputs to outputs to implemented changes, with accountability and status tracking. 1
Clause 9.3.3 is easy to miss because it is short, but it is a common audit “tripwire”: teams hold management reviews and can show a calendar invite and slides, yet they cannot show what top management decided, what changed in the BCMS, or what resources were approved or denied. The clause forces you to turn discussion into controlled, auditable outcomes. 1
For a CCO, GRC lead, or business continuity lead, the fastest path is to treat “management review outputs” as a standard packet and decision workflow. Every management review should end with (a) a decision record, (b) an action plan with accountable owners, and (c) updates to the BCMS where needed, such as policy statements, objectives, scope, roles, or documented procedures. 1
This page tells you exactly what to produce, how to run the workflow, what evidence to retain, and what auditors ask so you can close the requirement with minimal ambiguity. 1
Regulatory text
ISO 22301:2019 Clause 9.3.3 states: “Outputs shall include decisions on improvement, changes to the BCMS, and resource needs.” 1
What this means operationally
- You must document the results of management review as decisions, not just notes. 1
- Those decisions must explicitly cover:
  - Improvement (what will be improved, and what action follows),
  - Changes to the BCMS (what documents/processes/scope/controls will change), and
  - Resource needs (what people, budget, tools, training, or time are required, and what was approved or deferred). 1
- You must retain documented information as evidence of the review results (minutes/records/approvals), consistent with ISO 22301’s expectation that management review is demonstrable. 1
Plain-English interpretation (requirement-level)
If you cannot answer “What did leadership decide?” with a controlled record, you have not met Clause 9.3.3. The required outputs are the decisions and actions that come out of the review, plus proof that the BCMS is updated and resourced based on those decisions. 1
A practical interpretation you can implement immediately:
- Every management review ends with a decision log.
- Every decision maps to an owner and a change mechanism (update a document, open a corrective action, approve a budget request, assign staffing, commission a test, etc.).
- Every decision has status tracking until it is closed or formally deferred. 1
Who it applies to
Entity types
- Any organization operating an ISO 22301-aligned Business Continuity Management System (BCMS), including organizations pursuing certification or maintaining it. 1
Operational context
- Applies whenever “top management” (or an equivalent governance body) performs the required management review for the BCMS. 1
- Relevant to centralized BC programs, federated programs across business units, and regulated environments where continuity and resilience decisions require formal approval and evidence. 1
What you actually need to do (step-by-step)
1) Standardize the “management review outputs” packet
Create a controlled template that forces the required outputs:
- Decisions on improvement (what, why, priority, expected outcome)
- Decisions on BCMS changes (document/process affected, versioning, approver)
- Decisions on resource needs (request, decision, constraints, next steps) 1
Tip from practice: Put these as mandatory sections at the end of your minutes. If they are blank, the meeting is not “done.”
2) Run the review to decisions, not discussion
During the meeting:
- Park open issues in a visible list.
- For each issue, force one of three dispositions: approve, reject, or defer with condition.
- Capture the rationale briefly, especially for resource decisions and scope-impacting BCMS changes. 1
3) Translate decisions into controlled actions
For each decision, create a trackable action that fits your operating model:
- Corrective action / improvement ticket (for improvement decisions)
- Document change request (for BCMS changes)
- Funding/staffing request (for resource needs)
Minimum fields to capture in the action register:
- Decision statement
- Owner
- Due date or target window (your choice; make it consistent)
- Dependencies
- Status
- Evidence of completion (link to updated policy, approved budget, completed exercise report, etc.) 1
4) Update the BCMS through change control
If the output includes “changes to the BCMS,” you need to show those changes were governed:
- Identify impacted BCMS elements (policy, objectives, scope, roles, procedures, testing approach, supplier/third-party continuity expectations).
- Route changes through your document control and approval process.
- Publish and communicate changes where relevant. 1
5) Close the loop before the next review
Between reviews:
- Track open items to closure or formal deferral.
- If resource needs are denied or delayed, record compensating steps (risk acceptance, phased approach, scope adjustment) and who approved that position. 1
6) Make it auditable (traceability model)
Auditors commonly test traceability. Build it deliberately:
- Meeting record → decision log → action register → completed artifacts → BCMS document versions. 1
If you use Daydream to manage compliance work, treat Clause 9.3.3 as a workflow: store the minutes as the review record, generate actions directly from decisions, and attach evidence to each action so you can show end-to-end traceability without chasing files across email and shared drives.
Required evidence and artifacts to retain
Retain documented information that proves the outputs occurred and were acted on. Typical artifacts:
- Management review minutes with a clearly labeled “Outputs” section covering improvement, BCMS changes, and resource needs. 1
- Decision log (can be embedded in minutes or maintained as a standalone register). 1
- Action register entries for each decision, including assignment and status. 1
- Change control records for BCMS updates (document version history, approvals). 1
- Resource decision records (budget approval, headcount request disposition, training approval, tool procurement outcome). 1
- Evidence of completion (updated policy, revised objectives, completed exercises, post-exercise improvement plan closure evidence). 1
Common exam/audit questions and hangups
Expect auditors to probe these areas:
- “Show me the outputs of the last management review. Where are the decisions on improvement, BCMS changes, and resource needs?” 1
- “Which outputs resulted in actual BCMS document changes? Show version history and approvals.” 1
- “How do you track management review actions to closure? What happens when items are overdue?” 1
- “Where are resource needs documented, and who decided?” 1
Hangup to avoid: presenting a slide deck as “the output.” Slides can support the review, but the clause requires decisions and resource/change outcomes captured as documented information. 1
Frequent implementation mistakes (and how to avoid them)
Mistake: Minutes with no decisions
Fix: Add a mandatory “Decisions/Outputs” section with a table and do not close the meeting without completing it. 1
Mistake: Improvements are listed but not owned
Fix: Every improvement decision must create an action with a named owner and evidence link. If ownership is unclear, the decision is incomplete. 1
Mistake: BCMS changes happen informally
Fix: Route changes through document control (versioning, approvals). Keep the before/after trail. 1
Mistake: Resource needs are “discussed” but never decided
Fix: Record the disposition: approved, rejected, deferred. If deferred, state the condition that would trigger reconsideration. 1
Mistake: No linkage between review and action tracking
Fix: Assign each decision an ID and reference it in your action register and change records. This makes audit sampling painless. 1
Enforcement context and risk implications
No public enforcement cases were provided for this requirement in the approved source catalog, so you should treat enforcement context here as audit and certification risk, not legal penalty risk.
Operationally, weak management review outputs create two failure modes:
- Paper BCMS risk: your BCMS stops reflecting reality because agreed changes never land in controlled documents. 1
- Known-gap risk: resource needs get discussed repeatedly without recorded decisions, leaving gaps unaddressed and hard to explain after an incident. 1
Practical 30/60/90-day execution plan
Because no timeline requirements are stated in Clause 9.3.3, treat the phases below as an execution pattern you can adapt to your governance cadence. 1
First 30 days (Immediate stabilization)
- Publish a management review minutes template with an “Outputs” section that forces the three required output types. 1
- Stand up a single action register for BCMS management review outputs (even a controlled spreadsheet is fine if governed).
- Train the meeting chair and BCMS owner on “decision hygiene”: every output has an owner and a tracking record. 1
By 60 days (Traceability and control)
- Implement or tighten document control for BCMS changes so each change output results in an approved update.
- Add a lightweight approval step for resource decisions so you can show who decided and why.
- Run one management review using the new format and verify you can trace two samples end-to-end (decision → action → evidence). 1
By 90 days (Operational maturity)
- Normalize reporting: open outputs, aging, blocked items, and resource constraints get reviewed by the same management body.
- Add a “deferred decisions” list with revisit triggers so deferrals do not become silent rejections.
- If you are scaling, move from shared files to a system of record (for example, Daydream) where outputs, actions, and evidence live together for audits and continuity leadership reporting. 1
Frequently Asked Questions
Do management review outputs have to be in meeting minutes?
The standard requires outputs as documented information, not a specific format. Minutes are the common container, but a separate decision log plus action register works if it clearly captures improvement decisions, BCMS changes, and resource needs. 1
What counts as a “change to the BCMS” for Clause 9.3.3?
Any management review decision that updates BCMS policy, objectives, scope, roles, procedures, or other controlled BCMS elements should be recorded as a BCMS change output and processed through change control. 1
If leadership denies a resource request, can we still comply?
Yes, if the output records the resource need and the decision (including denial or deferral) and you track resulting actions, such as risk acceptance, reprioritization, or alternative controls. The compliance gap is failing to document the decision. 1
How detailed do improvement decisions need to be?
Detailed enough that someone can execute without re-litigating the meeting. Capture the improvement, the owner, the expected outcome, and what evidence will demonstrate completion. 1
Can we track outputs in our enterprise ticketing tool?
Yes, if the tickets preserve decision context, ownership, and completion evidence, and you can show the tickets came from management review. Make sure BCMS document changes still follow document control. 1
What is the fastest way to get audit-ready evidence?
Start with a standard outputs table inside the minutes and require that every row produces either an action register entry or a controlled document change. Then keep everything linked so you can show traceability during sampling. 1
Footnotes
1. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements.