Management Review Meeting Template & Guide (ISO 9001:9.3)¶
Document ID: BD-QMS-REVIEW-TEMPLATE-001 Version: 1.0 Effective Date: 2026-03-17
1. Purpose & Frequency¶
Purpose: Evaluate QMS effectiveness, assess progress toward quality objectives, identify improvement opportunities, and ensure organizational alignment with quality policy.
Frequency: Quarterly (end of Q1, Q2, Q3, Q4) Duration: 2-3 hours Attendees: Quality Manager, CISO, Engagement Manager, Lead Pentester, HR/Training Lead, CEO (optional) Location: Hybrid / In-person meeting room Documentation: Minutes recorded, action items tracked, decisions approved
2. Pre-Review Preparation (1 week before)¶
2.1 Data Collection & Analysis¶
Quality Manager Prepares: - [ ] QMS effectiveness dashboard (current metrics vs. targets) - [ ] Quality objectives status (progress toward annual targets) - [ ] CSAT trending (monthly average, trend chart, outliers) - [ ] Nonconformity summary (open items, trends, closed items) - [ ] Audit findings (internal audit results, compliance gaps) - [ ] Process performance metrics (on-time delivery, finding accuracy, coverage, etc.) - [ ] Client feedback themes (positive patterns, improvement requests) - [ ] Corrective action status (implementations in progress, effectiveness verified) - [ ] Resource utilization (team capacity, tool adequacy, training completeness) - [ ] Risk assessment updates (new risks identified, mitigation status) - [ ] Competitive & regulatory changes (new standards, market shifts)
Inputs Collected From: - CSAT survey results (Client Success Manager) - Audit logs & KPI dashboards (System Admin) - Nonconformity register (QA Lead) - Internal audit reports (Quality Manager) - Project tracking (Engagement Manager) - Expense & budget reports (Finance)
2.2 Pre-Review Briefing Memo¶
Distribute 48 hours before meeting:
Management Review Briefing — Q1 2026
Key Highlights:
✅ CSAT: 4.45/5 (target 4.5, trending up from 4.3)
⚠️ On-Time Delivery: 96% (target 100%, 1 delay due to scope creep)
✅ Finding Accuracy: 99.1% (target 99%, exceeds goal)
⚠️ Certification Compliance: 95% (2 staff awaiting renewal, due Q2)
✅ Nonconformities Closed: 3 major, all verified effective
Critical Items Needing Discussion:
1. Scope creep on 2 engagements — recommend intake procedure update
2. Cert renewal timing — 2 staff certifications expiring Q2, plan training
3. Tool capacity — testing throughput hitting limits, need additional instance?
Agenda Items (see full agenda below)
3. Management Review Agenda & Execution¶
3.1 Opening (5 minutes)¶
Quality Manager: - [ ] Welcome, confirm attendees - [ ] Review agenda (2 hours planned) - [ ] Confirm meeting minutes will be documented - [ ] Housekeeping (phones off, focus time)
3.2 Section 1: Quality Objectives Status (30 minutes)¶
Review Each of 8 Quality Objectives:
| Objective | Target | Q1 Actual | Trend | On Track? | Discussion |
|---|---|---|---|---|---|
| QO-1: Finding Accuracy | ≥99% | 99.1% | ↑ Up | ✅ Yes | Peer review rigor paying off |
| QO-2: On-Time Delivery | 100% | 96% | ↔ Flat | ⚠️ At Risk | 1 delay: scope creep on Project X |
| QO-3: CSAT Overall | ≥4.5/5 | 4.45/5 | ↑ Up | ~ Close | +0.15 from Q4 2025; 1 survey <4.0 |
| QO-4: Compliance Mapping | 100% | 100% | ✅ Good | ✅ Yes | All frameworks mapped correctly |
| QO-5: Peer Review Pass | ≥95% | 93% | ↓ Down | ⚠️ At Risk | 2 reports required rework |
| QO-6: Certifications | 100% | 95% | ↔ Flat | ⚠️ At Risk | 2 CEH expiring May 2026 |
| QO-7: Non-Destructive | 100% | 100% | ✅ Good | ✅ Yes | Perfect compliance, zero incidents |
| QO-8: Coverage | ≥85% | 84% | ↓ Down | ~ Close | API parameter discovery gaps |
Discussion Points: - For objectives at risk: Root cause analysis, corrective action plan, owner assignment - For objectives on track: Best practices (what's working?), sustainability plan - For objectives ahead: Can we raise the bar next quarter? - Overall trend: Is the portfolio improving?
Decisions Needed: - [ ] Accept current objectives or adjust targets? - [ ] Assign owners for at-risk objectives? - [ ] Allocate resources to support improvements?
3.3 Section 2: CSAT Trending & Client Feedback (15 minutes)¶
CSAT Data:
Q1 2026 CSAT Summary
├─ Overall: 4.45/5 (up from 4.3 in Q4 2025)
├─ Accuracy: 4.6/5 (highest-rated aspect)
├─ Actionability: 4.4/5 (slightly below average)
├─ Communication: 4.3/5 (opportunity)
├─ Timeline: 4.2/5 (lowest; tied to on-time delivery risk)
└─ Would Recommend: 92% (up from 88%)
Surveys Received: 9/10 engagements (90% response rate)
Below 4.0 Scores: 1 client (3.8/5) — ["recommendations were too technical"]
Positive Feedback Themes:
✅ "Findings were accurate and detailed"
✅ "Professional, thorough report"
✅ "Great communication throughout"
Improvement Requests:
⚠️ "Recommendations could be simpler for non-technical team"
⚠️ "Report could include remediation timelines per CVSS severity"
⚠️ "Want executive summary upfront (1-page)"
Action Items: - [ ] Add 1-page executive summary to report template (Q2) - [ ] Include remediation timelines by severity in recommendations (Q2) - [ ] Create "non-technical" version of recommendations (optional field)
3.4 Section 3: Nonconformity & Corrective Action Review (20 minutes)¶
Nonconformity Summary:
Q1 2026 Nonconformities Closed: 5
├─ Critical: 1 (Finding unverified before delivery → PoC verification CA)
├─ Major: 2 (Late delivery, CSAT <4.0)
├─ Minor: 2 (Typos in reports)
Current Nonconformities (Open): 2
├─ NC-2026-006 (Major, 18 days old): Report formatting inconsistency
│ Root Cause: Template not updated after process change
│ CA: Enforce template version in report generation (due Q2)
│ Owner: Report Generator
│
└─ NC-2026-007 (Minor, 5 days old): Missing evidence screenshot
Root Cause: Pentester error (too rapid testing)
CA: Add screenshot checklist to phase 4 work instruction
Owner: Training Lead
Trend: Nonconformities trending DOWN (5 in Q1 vs. 8 in Q4 2025)
Effectiveness Verification: - [ ] NC-2026-001 (Finding verification): ✅ No recurrence in 30 days; 100% of next 10 reports verified - [ ] NC-2026-002 (Scope creep): ⚠️ Still seeing similar issue on Project X; CA needs strengthening - [ ] NC-2026-003 (Peer review): ✅ New checklist in place; 93% pass rate (up from 87%)
Discussion: - Celebrate downward trend in nonconformities - Address systemic issues (scope creep recurring) - Confirm CAs are addressing root causes
3.5 Section 4: Audit & Compliance Status (10 minutes)¶
Internal Audit Results:
Q1 Internal Audit (ISO 9001 Compliance)
├─ Audit Scope: Phase 2-4 of 10 engagements (random sample)
├─ Audit Date: 2026-03-10
├─ Duration: 8 hours
├─ Findings:
│ ✅ 9/10 engagements followed methodology perfectly
│ ⚠️ 1 engagement: Scope boundary unclear (client expanded mid-test)
│ ⚠️ 2 engagements: Evidence storage incomplete (missing 1-2 screenshots each)
│ ✅ 10/10: Non-destructive testing rules followed
│
└─ Overall: Compliant (minor documentation gaps)
Compliance Status:
├─ GDPR: ✅ On track (no privacy breaches, DPA templates ready)
├─ HIPAA: ✅ In readiness (no healthcare clients yet; BAA template complete)
├─ ISO 27001 ISMS: ⚠️ 91.7% controls implemented (27 in POA&M)
├─ NIST 800-53 (FedRAMP): ⚠️ 91.7% moderate baseline (SSP in draft)
└─ SOC 2 Type II: ⚠️ In preparation (audit readiness 75%)
External Audit Schedule:
├─ 3rd-Party Pentesting: Planned Q2 2026
├─ ISO 27001 Pre-Audit: Planned Q3 2026
└─ SOC 2 Type II: Planned Q4 2026
Actions: - [ ] Strengthen scope documentation (update intake procedure) - [ ] Ensure evidence storage checklist enforced - [ ] Accelerate FedRAMP SSP completion (Q2 completion target)
3.6 Section 5: Process Performance & KPIs (15 minutes)¶
Core Process Metrics:
Testing Phase Metrics (Per Engagement):
├─ Average time: 25 hours (baseline: 24h, acceptable)
├─ Endpoints tested: 84% of discovered (target: ≥85%)
├─ Finding density: 8.2 findings per 20 hours (stable)
├─ Report turnaround: 4.8 days post-testing (target: <5 days, on track)
└─ PoC reproducibility: 99% (target: ≥99%, met)
Supporting Process Metrics:
├─ Peer review pass rate: 93% (target: ≥95%, 2% below)
├─ CSAT response rate: 90% (target: ≥70%, exceeding)
├─ Tool availability: 99.2% (target: ≥99%, on track)
└─ Team capacity utilization: 92% (healthy; room for new engagements)
Bottleneck Analysis:
├─ Phase 4 (manual testing): 60% of total time (expected, complex phase)
├─ Report generation: 15% of total time (includes peer review delays)
└─ Verification: 10% of total time (finding PoC recreation)
Opportunity: If we reduce report generation time by 2 days,
we can accept 1-2 additional engagements per quarter.
Discussion: - Are endpoints being tested thoroughly? - Is report turnaround acceptable? - Where are efficiency opportunities?
3.7 Section 6: Resource & Competence Management (10 minutes)¶
Team Status:
Competence Summary:
├─ Certification Status: 95% current (2 CEH expiring Q2)
├─ Security Training: 100% annual refresher completed
├─ Role-Specific Training:
│ └─ 8/10 staff completed 2026 training (2 pending)
└─ Knowledge Sharing Sessions: 1 session Q1 (planned: 4/year minimum)
Staffing:
├─ Capacity: 95% utilized (headcount adequate)
├─ Turnover: 0 in Q1 (stable team)
├─ Hiring Needs: None for rest of 2026 (current team sufficient)
└─ Burnout Risk: Moderate (watch overtime, encourage time off)
Tools & Environment:
├─ Testing Lab: Fully functional, available for training
├─ Tool Updates: Dependabot managing automation, 2 security updates deployed
├─ Infrastructure: AWS instances stable, no downtime
└─ New Tools Needed?: None identified yet
Actions: - [ ] Schedule Q2 CEH renewal for 2 staff (by May 1) - [ ] Assign 2 pending training sessions (by April 15) - [ ] Plan Q2 knowledge sharing session (recommend new frameworks/tools)
3.8 Section 7: Risk Assessment Update (10 minutes)¶
Risk Register Summary:
Current Risks (from Risk Assessment):
├─ RISK-001 (Unauthorized Data Access): Score 16 (Critical)
│ Mitigation: Rate limiting on export endpoint (planned Q2)
│ Status: ⏳ In Planning
│
├─ RISK-002 (Supply Chain Compromise): Score 12 (High)
│ Mitigation: Review Dependabot PRs before merge (planned Q2)
│ Status: ⏳ In Planning
│
├─ RISK-006 (GDPR Non-Compliance): Score 16 (Critical)
│ Mitigation: DPA tracking system (planned Q2), mandatory consent
│ Status: ⏳ Critical Path
│
└─ Other Risks: Scores 8-11 (Medium-High), all in mitigation planning
New Risks Identified: - ⚠️ Scope creep on engagements (leading to late delivery) — add to risk register - ⚠️ Dependency on 1-2 key staff (cert expirations) — cross-training plan
Mitigation Actions: - [ ] Implement rate limiting (Q2) - [ ] Make DPA signatures mandatory (Q2) - [ ] Strengthen scope intake procedure (Q2)
3.9 Section 8: Continuous Improvement Program (10 minutes)¶
Improvements Completed in Q1: 1. ✅ Added evidence verification checklist to peer review (closed NC-2026-001) 2. ✅ Updated password policy to 12 characters + complexity (security hardening) 3. ✅ Automated dependency scanning in CI/CD (Dependabot, Trivy, CodeQL)
Improvements in Progress (Q2-Q3): 1. ⏳ Strengthen scope intake procedure (prevent scope creep) 2. ⏳ Implement rate limiting on API (security enhancement) 3. ⏳ Create 1-page executive summary template (customer feedback) 4. ⏳ Build DPA tracking system (GDPR compliance, critical) 5. ⏳ Automate remediation timeline by CVSS severity (feature request)
Proposed Improvements for Q2 (Vote): - [ ] Implement incident response drill (monthly simulation) - [ ] Create "beginner-friendly" version of recommendations (client feedback) - [ ] Build dashboard for real-time CSAT trending (management visibility) - [ ] Establish mentorship program for junior pentester (knowledge sharing)
3.10 Closing (5 minutes)¶
Summarize Decisions: - [ ] All quality objectives reviewed and status confirmed - [ ] At-risk objectives assigned owners and corrective actions - [ ] Improvements prioritized and scheduled - [ ] Risk mitigations assigned owners and timelines - [ ] Next review scheduled (e.g., Q2 2026 — June 30)
Action Items Summary: Document all decisions and action items (see Action Items section below).
Approval: Quality Manager confirms: "Management Review Q1 2026 complete. QMS is effective and improving. No significant nonconformities. Approved for publication."
4. Post-Review: Documentation & Follow-Up¶
4.1 Management Review Report¶
Publish within 5 days of meeting:
Sections: 1. Review date, attendees, duration 2. Quality objectives status (table) 3. CSAT summary (trends, feedback) 4. Nonconformity status (closed, open, trends) 5. Audit findings & compliance status 6. KPI performance summary 7. Resource & competence status 8. Risk assessment updates 9. Improvements completed & in progress 10. Action items (owner, due date) 11. Approval signatures
4.2 Action Item Tracking¶
All action items tracked in spreadsheet:
| Item | Owner | Due Date | Status | Notes |
|---|---|---|---|---|
| Schedule Q2 CEH renewal | HR Lead | 2026-04-15 | Not Started | Confirm with 2 staff |
| Implement rate limiting API | Dev Lead | 2026-06-30 | Planning | Design by 2026-05-15 |
| Create DPA tracking system | Compliance | 2026-06-30 | Planning | Critical for GDPR |
| Update scope intake form | Engagement Mgr | 2026-05-31 | In Progress | Draft ready, review Q2 |
4.3 Follow-Up Monitoring¶
- Monthly: Status update on in-progress action items (brief email)
- Next Review: Confirm all action items from previous review either completed or rescheduled
5. Approval & Distribution¶
Document Distribution: - All management review participants - Quality Manager (owner, maintains archive) - CISO (executive oversight) - All staff (for awareness of improvements)
Approval: | Role | Signature | Date | |------|-----------|------| | Quality Manager | _ | [Review Date] | | CISO | ___ | [Review Date] |
Document Control - Owner: Quality Manager - Review Frequency: Quarterly (Q1, Q2, Q3, Q4) - Last Updated: 2026-03-17 - Status: Template (Use for each quarterly review)