Draft | Internal | ISO 9001 | ISO 14001 | ISO 27001

SW-IMS-PRO-004

Management Review Procedure

Version: 1.0
Owner: IMS Owner
Effective Date: TBD
Review Date: TBD

Management Review Procedure

Document ID: SW-IMS-PRO-004-v1.0
Effective Date: [TBD]
Review Date: [TBD]
Owner: IMS Owner
Approved by: [TBD]

1. Purpose

This procedure defines how Swedwise's management reviews the Integrated Management System (IMS) to ensure its continuing suitability, adequacy, effectiveness, and alignment with strategic direction. The purpose is to:

  • Fulfill top management's accountability for the IMS
  • Review system performance against objectives and targets
  • Identify opportunities for improvement
  • Make decisions on resource allocation and strategic direction
  • Ensure the IMS adapts to changes in internal and external context
  • Integrate quality, environmental, and information security management reviews

Management review is a strategic decision-making forum, not an operational meeting.

2. Scope

This procedure applies to systematic reviews of:

  • Quality Management System (ISO 9001) performance
  • Environmental Management System (ISO 14001) performance
  • Information Security Management System (ISO 27001) performance
  • IMS integration and effectiveness
  • Strategic alignment and resource allocation
  • Compliance with legal and regulatory requirements

The procedure covers planning, conducting, documenting, and following up on management reviews.

3. Definitions

Management Review: Formal assessment by top management of the IMS status and performance to ensure continuing suitability, adequacy, and effectiveness.
Top Management: Person or group of people who directs and controls Swedwise at the highest level (CEO and Management Team).
Suitability: Degree to which the IMS is appropriate for the organization's context, strategic direction, and objectives.
Adequacy: Degree to which the IMS is sufficient to meet ISO requirements and organizational needs.
Effectiveness: Extent to which planned activities are realized and planned results achieved.
Continual Improvement: Recurring activity to enhance performance.
IMS Objective: Result to be achieved related to quality, environment, or information security.
Key Performance Indicator (KPI): Measurable value demonstrating effectiveness of achieving objectives.
Management Review Input: Information provided for management consideration.
Management Review Output: Decisions and actions resulting from the review.

4. Management Review Principles

Strategic Focus: Reviews focus on strategic issues, not operational details. Escalate only issues requiring top management decision.
Data-Driven: Decisions based on objective data, metrics, and evidence, not opinions.
Forward-Looking: Balance past performance review with future planning and improvement.
Integrated: Quality, environmental, and information security are reviewed together for synergy and efficiency.
Actionable: Reviews result in clear decisions, actions, and accountability.
Regular and Systematic: Conducted at planned intervals; not ad-hoc or reactive only.

5. Frequency and Timing

5.1 Review Frequency

Management reviews are conducted quarterly (minimum) to ensure timely oversight:

Quarter | Typical Month | Focus
Q1 | January/February | Year-end review, annual objectives setting, audit program approval
Q2 | April/May | Mid-year performance check, risk review, resource planning
Q3 | July/August | Customer feedback review, environmental performance, SaaS operations
Q4 | October/November | Year-end planning, budget allocation, certification preparation

Rationale for quarterly reviews in a ~35-person company:

  • More frequent oversight allows faster response to issues
  • A smaller organization can reach decisions faster
  • Aligns with common quarterly business cycles
  • ISO standards require "planned intervals" but don't specify frequency; quarterly is practical and sufficient

5.2 Additional Reviews

Management reviews are also conducted when:

  • Major organizational changes occur (new services, locations, acquisitions)
  • Significant incidents or crises happen (security breach, major customer complaint, environmental incident)
  • External audit findings require management attention
  • Major regulatory or legal changes affect the IMS
  • Customer or stakeholder requirements significantly change

6. Roles and Responsibilities

CEO:
  - Chair management reviews
  - Ensure reviews are conducted at planned intervals
  - Make strategic decisions on IMS direction
  - Approve resource allocation for improvement initiatives
  - Ensure management review outputs are implemented

Management Team:
  - Attend management reviews (mandatory)
  - Provide input from their areas of responsibility
  - Participate in decision-making
  - Approve IMS objectives and targets
  - Commit resources for agreed actions
  - Ensure communication of decisions to their teams

IMS Owner:
  - Schedule and coordinate management reviews
  - Prepare agenda and consolidate inputs
  - Distribute materials in advance
  - Present IMS performance data
  - Record minutes and decisions
  - Track action items to completion
  - Maintain management review records

CISO:
  - Provide information security performance input
  - Present security risks and incidents
  - Recommend security improvement actions

Quality Lead:
  - Provide quality performance input
  - Present customer feedback and satisfaction data
  - Recommend quality improvement actions

Environmental Lead:
  - Provide environmental performance input
  - Present environmental aspects and impacts
  - Recommend environmental improvement actions

Department Heads:
  - Provide information from their areas when requested
  - Implement management review decisions in their departments
  - Communicate outcomes to their teams

7. Management Review Inputs

Management reviews consider the following inputs, as required by ISO standards:

7.1 Status of Actions from Previous Reviews

  • Review action items from the last management review
  • Report completion status and effectiveness
  • Identify overdue or blocked actions requiring escalation
  • Document lessons learned from completed actions

Data Source: Management review action tracker

7.2 Changes in External and Internal Issues

External Context Changes:

  • Market conditions (competition, customer demand, economic trends)
  • Regulatory and legal changes (new laws, updated standards, procurement requirements)
  • Technological changes (emerging threats, new tools, cloud provider changes)
  • Stakeholder expectations (customer requirements, investor concerns, employee expectations)
  • Environmental conditions (climate goals, energy costs, sustainability trends)

Internal Context Changes:

  • Organizational structure (new departments, role changes, headcount)
  • Strategic direction (new services like SaaS offerings, market focus)
  • Resource availability (budget changes, key staff turnover)
  • Locations and facilities (new offices, remote work policies)
  • Culture and capability (competence levels, employee engagement)

Data Source: Strategic planning documents, market analysis, regulatory monitoring

7.3 Information on Performance and Effectiveness

Quality Performance (ISO 9001):

  • Customer satisfaction scores and feedback
  • Service delivery performance (project completion rates, timelines, budget adherence)
  • Product and service conformity (defect rates, rework, customer complaints)
  • Process performance (efficiency metrics, cycle times)
  • Consultant utilization rates and availability

Environmental Performance (ISO 14001):

  • Energy consumption (electricity, heating, cooling)
  • Carbon footprint (business travel, cloud infrastructure, office operations)
  • Waste generation and recycling rates
  • Compliance with environmental legal requirements
  • Progress toward environmental objectives (e.g., carbon reduction targets)

Information Security Performance (ISO 27001):

  • Security incidents (number, severity, resolution time)
  • Vulnerability management (scan results, patching rates)
  • Access control effectiveness (access reviews completed, revocations)
  • Backup and recovery testing results
  • Compliance with security policies (training completion, policy exceptions)

Integrated Metrics:

  • Overall IMS maturity and effectiveness
  • Cross-functional process performance
  • SaaS service uptime and reliability (if applicable)

Data Source: KPI dashboards, performance reports, monitoring logs

7.4 Customer Feedback

  • Customer satisfaction survey results
  • Customer complaints and their resolution
  • Compliments and positive feedback
  • Service level agreement (SLA) performance
  • Customer retention and churn rates
  • Net Promoter Score (NPS) or similar metrics
  • Project retrospectives and lessons learned

Data Source: Customer Success team, CRM system, survey platforms

7.5 Extent to Which Objectives Have Been Met

Review progress against IMS objectives:

Quality Objectives (examples):

  • Achieve 90% customer satisfaction score ➔ [Current: X%]
  • Deliver 95% of projects on time and on budget ➔ [Current: X%]
  • Reduce customer complaints by 20% year-over-year ➔ [Current: X%]

Environmental Objectives (examples):

  • Reduce carbon emissions by 10% annually ➔ [Current: X%]
  • Increase virtual meetings to reduce travel by 25% ➔ [Current: X%]
  • Achieve 80% recycling rate in all offices ➔ [Current: X%]

Information Security Objectives (examples):

  • Zero major security incidents ➔ [Current: X incidents]
  • 100% staff completion of annual security training ➔ [Current: X%]
  • Remediate all high-risk vulnerabilities within 30 days ➔ [Current: X% on time]

Data Source: Objective tracking logs, KPI dashboards

7.6 Process Performance and Product/Service Conformity

  • Internal audit results and trends
  • Nonconformity statistics (number, type, recurrence)
  • Corrective action effectiveness
  • Process capability and efficiency
  • Service delivery performance
  • Compliance with specifications and requirements

Data Source: Internal audit reports, nonconformity register, process performance reports

7.7 Adequacy of Resources

  • Staffing levels and competence gaps
  • Budget availability for IMS activities
  • Infrastructure and technology adequacy (tools, systems, office facilities)
  • Time allocation for IMS responsibilities
  • Training and development needs
  • Supplier and vendor performance

Data Source: HR reports, budget reviews, resource planning

7.8 Effectiveness of Actions Taken to Address Risks and Opportunities

  • Risk register review (new risks, closed risks, risk score changes)
  • Effectiveness of risk treatments implemented
  • Opportunities identified and pursued
  • Preventive actions taken
  • Emerging threats or opportunities on the horizon

Data Source: Risk register (SW-IMS-PRO-002), risk review reports

7.9 Opportunities for Improvement

  • Improvement suggestions from staff
  • Benchmarking against industry best practices
  • Lessons learned from projects, incidents, and audits
  • Technology or process innovations
  • Feedback from internal and external audits
  • Competitive intelligence

Data Source: Improvement suggestion register, audit findings, staff feedback

7.10 Need for Changes to the IMS

  • Changes to IMS scope (new locations, services, organizational units)
  • Updates to policies, procedures, or documentation
  • Changes to IMS structure or roles
  • Integration of new standards or requirements
  • Retirement of obsolete processes

Data Source: Document control register, change requests

7.11 Information Security-Specific Inputs (ISO 27001)

  • Results of risk assessments and risk treatment plans
  • Security incidents and their trends
  • Effectiveness of security controls (Statement of Applicability)
  • Compliance with legal and contractual security requirements
  • Security audit results (internal and external)
  • Threat intelligence and emerging threats

Data Source: Security incident logs, risk assessments, SoA, threat feeds

7.12 Environmental-Specific Inputs (ISO 14001)

  • Status of environmental aspects and impacts
  • Compliance with legal and other environmental requirements
  • Results of environmental monitoring and measurement
  • Progress toward environmental targets
  • Communication from external interested parties (e.g., customers, regulators, community)

Data Source: Environmental aspects register, compliance calendar, monitoring reports

8. Management Review Process

8.1 Planning and Preparation (2 Weeks Before Review)

IMS Owner responsibilities:

  1. Schedule the review:
    • Send calendar invitation to all required attendees
    • Block 2-3 hours for thorough discussion
    • Select appropriate venue or virtual meeting platform
  2. Gather inputs:
    • Request inputs from CISO, Quality Lead, Environmental Lead, Department Heads
    • Compile data from Section 7 (inputs)
    • Consolidate reports, dashboards, and metrics
    • Review previous management review action items
  3. Prepare agenda (see Section 8.2)
  4. Distribute materials:
    • Send agenda and input materials at least 3 days in advance
    • Provide executive summary highlighting key issues
    • Include supporting data (charts, tables, reports)
    • Clearly indicate decisions required
  5. Confirm attendance and logistics

8.2 Management Review Agenda Template

INTEGRATED MANAGEMENT SYSTEM REVIEW
Date: [Date]
Time: [Start] - [End]
Location: [Venue or Virtual Platform]

Time | Agenda Item | Presenter | Input Ref

0:00-0:10 | 1. Opening and Introduction | CEO | -
  - Welcome and objectives
  - Review of agenda

0:10-0:20 | 2. Actions from Previous Review | IMS Owner | Section 7.1
  - Status of previous action items
  - Effectiveness of completed actions

0:20-0:35 | 3. Context Changes | CEO / IMS Owner | Section 7.2
  - External context (market, regulatory, technology)
  - Internal context (organization, resources, strategy)

0:35-1:00 | 4. Performance Review | Quality Lead, Environmental Lead, CISO | Sections 7.3, 7.4, 7.5, 7.6
  - Quality performance and customer feedback
  - Environmental performance
  - Information security performance
  - Objectives achievement status

1:00-1:20 | 5. Internal Audit Results | IMS Owner | Section 7.6
  - Summary of audits conducted
  - Key findings and trends
  - Status of corrective actions

1:20-1:35 | 6. Risks and Opportunities | IMS Owner / CISO | Section 7.8
  - Risk register review (top risks)
  - Effectiveness of risk treatments
  - New risks and opportunities identified

1:35-1:50 | 7. Resource Adequacy and Improvement Opportunities | IMS Owner / Dept Heads | Sections 7.7, 7.9, 7.10
  - Resource assessment (staff, budget, infrastructure)
  - Improvement suggestions and initiatives
  - Need for changes to IMS

1:50-2:10 | 8. Decisions and Actions | CEO / Management Team | -
  - Discuss and decide on required actions
  - Assign responsibilities and deadlines
  - Approve changes to IMS, objectives, resources

2:10-2:20 | 9. Closing | CEO | -
  - Summary of decisions
  - Confirm action items
  - Next review date

Attendees:

  • CEO (Chair)
  • Management Team members
  • IMS Owner
  • CISO
  • Quality Lead
  • Environmental Lead
  • Other invitees as needed

8.3 Conducting the Management Review

CEO's role as Chair:

  • Open the meeting and set the tone (strategic focus, data-driven, collaborative)
  • Ensure all agenda items are covered
  • Facilitate discussion and decision-making
  • Keep discussion focused (avoid operational details; delegate those issues)
  • Ensure decisions are clear and actionable
  • Summarize outcomes and confirm action items

Discussion guidelines:

  • Focus on trends and strategic implications, not isolated incidents
  • Use data and evidence to support recommendations
  • Encourage candid discussion; psychological safety for raising concerns
  • Distinguish between information items (for awareness) and decision items (requiring action)
  • Prioritize issues requiring management attention or resources

Decision-making:

  • Clearly state decisions and rationale
  • Assign accountability (owner) for each action
  • Set realistic deadlines
  • Identify resource requirements and approve allocations
  • Document decisions in minutes

Example discussion flow for a topic:

  1. Presenter shares data and analysis (5 min)
  2. Management asks clarifying questions (3 min)
  3. Discussion of options and implications (7 min)
  4. Decision or action assignment (2 min)

8.4 Management Review Outputs (Decisions and Actions)

ISO standards require management reviews to include decisions and actions related to:

8.4.1 Continual Improvement Opportunities

Decisions on:

  • Which improvement initiatives to pursue
  • Priority and sequencing of improvements
  • Resources allocated to improvements
  • Expected outcomes and success criteria

Example:

  • Decision: Implement automated security awareness training platform
  • Owner: CISO
  • Deadline: Q3 2025
  • Budget: 100,000 SEK
  • Expected Outcome: Reduce phishing click rate from 12% to <5%

8.4.2 Need for Changes to the IMS

Decisions on:

  • Changes to IMS scope (new locations, services, units)
  • Updates to policies, procedures, or processes
  • Changes to IMS structure, roles, or responsibilities
  • Integration of new standards or requirements

Example:

  • Decision: Expand IMS scope to include new Uddevalla office
  • Owner: IMS Owner
  • Deadline: Q2 2025
  • Actions: Update IMS Manual Section 4.3 (scope), conduct gap assessment, plan Uddevalla audit

8.4.3 Resource Needs

Decisions on:

  • Additional staffing or competence development
  • Budget allocation for IMS activities
  • Technology or infrastructure investments
  • External support or consulting needs

Example:

  • Decision: Hire dedicated SaaS Operations Manager to support ISO 27001 compliance
  • Owner: CEO / HR
  • Deadline: Q3 2025
  • Budget: [Salary allocation]

8.4.4 Objectives and Targets

Decisions on:

  • Setting or revising IMS objectives
  • Adjusting targets based on performance
  • Cascading objectives to departments or individuals
  • Retiring achieved or obsolete objectives

Example:

  • Decision: Revise environmental objective - reduce business travel CO2 by 15% (increased from 10% based on strong Q1-Q2 performance)
  • Owner: Environmental Lead
  • Deadline: End of 2025
  • Actions: Update objective register; communicate to all staff

8.4.5 Implications for Strategic Direction

Decisions on:

  • Alignment of IMS with business strategy
  • Support for new strategic initiatives (e.g., SaaS launch)
  • Risk appetite and risk treatment priorities
  • Integration of IMS into strategic planning

Example:

  • Decision: Prioritize ISO 27001 certification to support SaaS service credibility and public sector procurement
  • Owner: CEO / CISO
  • Deadline: Certification by Q4 2025
  • Actions: Accelerate ISMS implementation, engage certification body, allocate resources

8.5 Action Item Tracking

All management review decisions are recorded in an Action Tracker with:

Action ID | Description | Owner | Deadline | Status | Progress Notes
MR-2025-Q1-01 | Implement automated security training platform | CISO | 2025-09-30 | In Progress | Vendor evaluation underway
MR-2025-Q1-02 | Expand IMS scope to Uddevalla office | IMS Owner | 2025-06-30 | Not Started | Pending budget approval

Status tracking:

  • IMS Owner reviews action status monthly
  • Overdue actions escalated in next management review
  • Completed actions marked with completion date and outcomes

9. Management Review Minutes

9.1 Minutes Requirements

The IMS Owner prepares minutes documenting:

Required content:

  • Date, time, location, attendees
  • Summary of inputs reviewed
  • Key discussion points and concerns raised
  • Decisions made (with rationale where helpful)
  • Actions assigned (owner, deadline, resources)
  • Next review date

Distribution:

  • Draft minutes circulated within 5 working days of review
  • Final minutes approved by CEO and filed within 10 working days

Retention: Management review minutes retained for 7 years (ISO requirement)

9.2 Minutes Template

MANAGEMENT REVIEW MINUTES

Review Date: [Date]
Review ID: MR-[YYYY]-[Q#]
Location: [Venue or Virtual]

ATTENDEES:

  • Present: [Names and roles]
  • Apologies: [Names and roles]

1. OPENING

[Brief summary of opening, objectives of this review]


2. ACTIONS FROM PREVIOUS REVIEW

[Summary of action item status from last review]

Action ID | Description | Owner | Status | Notes
[ID] | [Description] | [Name] | [Completed / In Progress / Overdue] | [Update]

3. CONTEXT CHANGES

[Summary of external and internal changes]

External:

  • [Key external change 1]
  • [Key external change 2]

Internal:

  • [Key internal change 1]
  • [Key internal change 2]

4. PERFORMANCE REVIEW

Quality Performance:

  • [Key metrics and trends]
  • [Notable successes or concerns]

Environmental Performance:

  • [Key metrics and trends]
  • [Notable successes or concerns]

Information Security Performance:

  • [Key metrics and trends]
  • [Notable successes or concerns]

Objectives Achievement:

  • [Objective 1]: [Status and progress]
  • [Objective 2]: [Status and progress]

5. INTERNAL AUDIT RESULTS

  • [Number of audits conducted since last review]
  • [Summary of findings: X conformities, Y minor NCs, Z major NCs]
  • [Trends or systemic issues identified]
  • [Status of corrective actions]

6. RISKS AND OPPORTUNITIES

Top Risks Reviewed:

  • [Risk 1]: [Current risk level, treatment status]
  • [Risk 2]: [Current risk level, treatment status]

New Risks Identified:

  • [New risk description and proposed treatment]

Opportunities:

  • [Opportunity description and proposed action]

7. RESOURCE ADEQUACY AND IMPROVEMENTS

Resource Assessment:

  • [Adequacy of staffing, budget, infrastructure]
  • [Gaps or needs identified]

Improvement Opportunities:

  • [Improvement suggestion 1]
  • [Improvement suggestion 2]

IMS Changes Needed:

  • [Proposed changes to IMS scope, structure, or documentation]

8. DECISIONS AND ACTIONS

DECISION 1: [Clear statement of decision]

  • Rationale: [Why this decision was made]
  • Actions: [Specific actions required]
  • Owner: [Name]
  • Deadline: [Date]
  • Resources: [Budget, staff, etc.]

DECISION 2: [Clear statement of decision]

  • Rationale: [Why this decision was made]
  • Actions: [Specific actions required]
  • Owner: [Name]
  • Deadline: [Date]
  • Resources: [Budget, staff, etc.]

[Continue for all decisions...]


9. ACTION ITEMS SUMMARY

Action ID | Description | Owner | Deadline | Resources
MR-2025-Q1-01 | [Action description] | [Name] | [Date] | [Resources]
MR-2025-Q1-02 | [Action description] | [Name] | [Date] | [Resources]

10. CLOSING

Next Management Review: [Date]

Overall Conclusion: [High-level summary of IMS status: effective/needs improvement/concerns]


APPROVAL

Role | Name | Signature | Date
CEO (Chair) | [Name] |  | [Date]
IMS Owner (Minutes) | [Name] |  | [Date]

10. Communication of Management Review Outcomes

Management review outcomes are communicated to relevant stakeholders:

10.1 Internal Communication

To All Staff:

  • High-level summary of review outcomes (via email, intranet, or all-hands meeting)
  • Key decisions affecting staff (new objectives, policy changes, initiatives)
  • Recognition of achievements and successes
  • Opportunities for staff input or involvement

To Department Heads:

  • Full management review minutes
  • Detailed action items relevant to their departments
  • Expectations for cascading decisions to their teams

To IMS Process Owners:

  • Specific actions or changes affecting their processes
  • Resource allocations or priority shifts

10.2 External Communication (if applicable)

  • Certification Body: Summaries of management reviews may be requested during certification audits
  • Customers: High-level assurance of management oversight (if contractually required)
  • Regulators: Compliance reporting (if required by law)

Note: Management review minutes are classified as Internal and contain commercially sensitive and strategic information. External sharing requires approval.

11. Roles and Responsibilities Summary

CEO:
  - Chair management reviews
  - Ensure reviews conducted quarterly
  - Make strategic decisions
  - Approve resource allocation and objectives
  - Ensure outputs are implemented

Management Team:
  - Attend reviews (mandatory)
  - Provide input from their areas
  - Participate in decisions
  - Commit resources for actions
  - Implement decisions in their areas

IMS Owner:
  - Schedule and coordinate reviews
  - Prepare agenda and materials
  - Present IMS performance data
  - Record minutes and decisions
  - Track actions to completion
  - Maintain review records

CISO:
  - Provide security performance input
  - Present security risks and incidents
  - Recommend security improvements

Quality Lead:
  - Provide quality performance input
  - Present customer feedback
  - Recommend quality improvements

Environmental Lead:
  - Provide environmental performance input
  - Present environmental aspects and impacts
  - Recommend environmental improvements

Department Heads:
  - Provide information from their areas
  - Implement decisions in their departments
  - Communicate outcomes to teams

12. Inputs and Outputs

Inputs:

  • Previous management review action tracker
  • IMS performance data (quality, environmental, security)
  • Internal audit reports
  • Customer feedback and satisfaction data
  • Risk register and risk treatment plans
  • Incident and nonconformity reports
  • Objectives and KPI dashboards
  • Resource utilization and budget reports
  • Regulatory and market intelligence
  • Improvement suggestions
  • Changes in organizational context

Outputs:

  • Management review minutes (documented decisions)
  • Action items with owners and deadlines
  • Revised IMS objectives and targets
  • Approved changes to IMS scope, policies, or procedures
  • Resource allocation decisions
  • Approved improvement initiatives
  • Strategic direction for IMS

13. Records

Record | Retention Period | Location | Owner
Management Review Minutes | 7 years | [TBD] | IMS Owner
Management Review Agenda and Input Materials | 3 years | [TBD] | IMS Owner
Action Item Tracker | Current + 3 years | [TBD] | IMS Owner
Attendance Records | 3 years | [TBD] | IMS Owner
Decision Documentation | 7 years | [TBD] | IMS Owner

14. Related Documents

  • SW-IMS-POL-001 - Integrated Management System Policy
  • SW-IMS-PRO-001 - Document Control Procedure
  • SW-IMS-PRO-002 - Risk Assessment Procedure
  • SW-IMS-PRO-003 - Internal Audit Procedure
  • SW-IMS-PRO-005 - Nonconformity and Corrective Action Procedure
  • SW-IMS-FRM-006 - Management Review Action Tracker Template
  • ISO 9001:2015 - Clause 9.3 (Management Review)
  • ISO 14001:2015 - Clause 9.3 (Management Review)
  • ISO 27001:2022 - Clause 9.3 (Management Review)

15. Continuous Improvement

The management review process itself is subject to improvement:

Effectiveness metrics (reviewed annually):

  • Percentage of scheduled reviews conducted on time
  • Percentage of action items completed by deadline
  • Quality of inputs (completeness, timeliness, relevance)
  • Management Team satisfaction with review process
  • Impact of review decisions on IMS performance

Feedback collection:

  • Annual survey of Management Team on review effectiveness
  • Continuous feedback from participants on agenda, materials, facilitation
  • Benchmarking against best practices (ISO 19011, other management standards)

Improvement areas to consider:

  • Streamlining input preparation (dashboards, automated reports)
  • Balancing level of detail (strategic vs. operational)
  • Improving action item tracking and follow-through
  • Better integration of review outcomes into strategic planning

Appendix A: Management Review Dashboard Template

IMS PERFORMANCE DASHBOARD
Period: [Date Range]
Prepared for: Management Review [MR-YYYY-Q#]


1. OBJECTIVES STATUS

Objective | Target | Current | Status | Trend
Customer satisfaction score | ≥ 90% | 88% | ⚠️ Needs improvement | ➘ Decreasing
Projects on time/budget | ≥ 95% | 97% | ✅ On target | ➚ Improving
Carbon emissions reduction | -10% YoY | -12% | ✅ Exceeding | ➚ Improving
Security incidents (major) | 0 | 1 | ❌ Not met | ➙ Stable
Security training completion | 100% | 95% | ⚠️ Needs improvement | ➚ Improving

Legend: ✅ On target | ⚠️ Needs attention | ❌ Not met | ➚ Improving | ➙ Stable | ➘ Declining


2. KEY PERFORMANCE INDICATORS

Metric | Q1 | Q2 | Q3 | Q4 | Target | Status

Quality
Customer complaints | 3 | 2 | [TBD] | [TBD] | ≤ 5/quarter |
Project defect rate | 2% | 1.5% | [TBD] | [TBD] | ≤ 3% |
NPS score | 45 | 48 | [TBD] | [TBD] | ≥ 50 | ⚠️

Environmental
Energy consumption (kWh) | 15,200 | 14,800 | [TBD] | [TBD] | -5% YoY |
Business travel CO2 (tons) | 8.5 | 7.2 | [TBD] | [TBD] | -10% YoY |

Information Security
Security incidents (total) | 4 | 3 | [TBD] | [TBD] | ≤ 5/quarter |
Vulnerability remediation rate | 92% | 95% | [TBD] | [TBD] | ≥ 90% |
Phishing simulation click rate | 12% | 9% | [TBD] | [TBD] | ≤ 5% | ⚠️

3. INTERNAL AUDIT SUMMARY

  • Audits Conducted: [Number] audits completed in [period]
  • Conformities: [Number] areas fully conforming
  • Minor Nonconformities: [Number] (down/up from last period)
  • Major Nonconformities: [Number] (down/up from last period)
  • Open Corrective Actions: [Number] (X overdue)

Trend Analysis: [Brief summary of audit trends]


4. RISK PROFILE

Risk Level | Number of Risks | Change from Last Review
Critical | 0 | ➙ Stable
High | 5 | ➘ -1
Medium | 12 | ➚ +2
Low | 18 | ➙ Stable

Top 5 Risks:

  1. [Risk ID]: [Risk description] - Risk Score: [#] - Treatment Status: [Status]
  2. [Risk ID]: [Risk description] - Risk Score: [#] - Treatment Status: [Status]
  3. [Risk ID]: [Risk description] - Risk Score: [#] - Treatment Status: [Status]
  4. [Risk ID]: [Risk description] - Risk Score: [#] - Treatment Status: [Status]
  5. [Risk ID]: [Risk description] - Risk Score: [#] - Treatment Status: [Status]

5. CUSTOMER FEEDBACK SUMMARY

  • Customer Satisfaction Score: [X]% (target: ≥ 90%)
  • NPS: [Score] (target: ≥ 50)
  • Complaints: [Number] (resolution rate: [X]%)
  • Key Themes: [Summary of common feedback topics]

6. RESOURCE UTILIZATION

  • Staff Utilization: [X]% (consultant billable hours)
  • Training Budget Used: [X]% of annual budget
  • IMS Budget Used: [X]% of annual budget
  • Open Vacancies: [Number] positions

7. IMPROVEMENT INITIATIVES

Initiative | Owner | Status | Expected Completion
[Initiative 1] | [Name] | In Progress | [Date]
[Initiative 2] | [Name] | Completed | [Date]
[Initiative 3] | [Name] | Planning | [Date]

Prepared by: IMS Owner
Date: [Date]


Appendix B: Quick Reference - Management Review Process

┌─────────────────────────────────────────────────────┐
│  1. PLANNING (2 weeks before)                        │
│     - Schedule review (quarterly)                    │
│     - Gather inputs from all IMS areas               │
│     - Prepare agenda and materials                   │
│     - Distribute materials 3 days in advance         │
└─────────────────┬───────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────┐
│  2. CONDUCT REVIEW (2-3 hours)                       │
│     - Opening and context                            │
│     - Review inputs (performance, audits, risks)     │
│     - Discuss opportunities and changes              │
│     - Make decisions and assign actions              │
│     - Close and confirm next review date             │
└─────────────────┬───────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────┐
│  3. DOCUMENT (Within 5 days)                         │
│     - Prepare minutes (inputs, decisions, actions)   │
│     - Circulate draft for review                     │
│     - Finalize and approve                           │
└─────────────────┬───────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────┐
│  4. COMMUNICATE (Within 1 week)                      │
│     - Share outcomes with all staff                  │
│     - Distribute action items to owners              │
│     - Cascade decisions to departments               │
└─────────────────┬───────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────┐
│  5. IMPLEMENT & TRACK (Ongoing until next review)    │
│     - Monitor action item progress                   │
│     - Report monthly status updates                  │
│     - Escalate overdue or blocked actions            │
│     - Prepare for next review                        │
└─────────────────────────────────────────────────────┘

Document Control

Version | Date | Author | Changes
1.0 | [TBD] | [Author] | Initial release

Approval

Role | Name | Signature | Date
CEO |  |  |
IMS Owner |  |  |