Introduction
The management review is a mandatory requirement under ISO 22000:2018 Clause 9.3. Top management must lead this formal evaluation of the Food Safety Management System (FSMS) at planned intervals. "Top management" means exactly that: not the quality manager, not the food safety team leader, but the people with actual decision-making authority.
Many organizations treat the review as a compliance checkbox: schedule the meeting, gather some data, sign the minutes, file them away. That approach fails. Poorly prepared reviews — missing required inputs, absent leadership, or action items that never get closed — are a consistent source of nonconformity findings during certification and surveillance audits.
This article covers what ISO 22000 requires, how to prepare and run the meeting, which agenda topics must appear, and the mistakes that trip up even experienced quality teams.
TL;DR
- ISO 22000 Clause 9.3 requires top management to evaluate the FSMS for suitability, adequacy, and effectiveness at planned intervals
- Required inputs are defined in Clause 9.3.2 — omitting any of them is a nonconformity
- Required outputs include documented decisions on improvement opportunities, FSMS changes, and resource needs
- Missing inputs, absent top management, and untracked action items are the most common audit failure points
- All management review records must be retained as documented information
What Is the ISO 22000 Management Review?
The management review is a formal, documented evaluation conducted by top management to assess whether the FSMS continues to be suitable, adequate, and effective — and aligned with the organization's strategic direction. That language comes directly from ISO 22000:2018 Clause 9.3.
This is a leadership-level strategic review, not an operational monitoring activity.
How It Differs From Other FSMS Processes
A common source of confusion: the management review is not an internal audit, a CCP monitoring activity, or a verification procedure. Those processes generate data that feeds into the management review as inputs. Each serves a different function:
| Process | Function | Feeds Into |
|---|---|---|
| CCP monitoring | Real-time critical limit verification | Management review input |
| Internal audit | System-wide FSMS assessment | Management review input |
| Verification activities | Confirming PRPs and hazard control plan effectiveness | Management review input |
| Management review | Leadership evaluation of total FSMS performance | Strategic decisions and outputs |
How Often Must You Conduct a Review?
ISO 22000:2018 uses the phrase "planned intervals" — it does not mandate a specific frequency. NQA's ISO 22000 Implementation Guide notes that most organizations conduct reviews annually, though many choose semi-annual or quarterly cycles to catch issues between scheduled intervals.
Schedule additional reviews outside the normal cycle when any of these occur:
- Significant changes to FSMS scope or processes
- A product recall or food safety incident
- Major audit findings that require leadership decisions before the next interval
Required Inputs: What to Prepare Before the Meeting
Input preparation is where most management reviews succeed or fail. ISO 22000:2018 Clause 9.3.2 defines a required list — omitting any category is a direct nonconformity finding during certification or surveillance audits.
The Complete Clause 9.3.2 Input List
Every management review must address all of the following:
- Status of actions from previous reviews — what was completed, what remains open, and why
- Changes in external and internal context — regulatory updates, new customer requirements, supply chain changes, facility modifications, organizational restructuring
- FSMS performance and effectiveness data, including:
- CCP and oPRP monitoring results
- Verification activity results for PRPs and the hazard control plan
- Nonconformity and corrective action trends
- Internal and external audit results
- Regulatory inspection outcomes
- External provider performance
- Status of identified risks and opportunities
- Degree to which food safety objectives were achieved
- Adequacy of resources — staffing levels, competence, infrastructure, and documented information
- Emergency situations, incidents, withdrawals, and recalls — including whether notification obligations were met
- Relevant communication from interested parties — customer complaints, regulatory communications, and other external feedback
- Opportunities for continual improvement
A Practical Note on Input Compilation
Organizations building an ISO 22000 system for the first time often spend far more time scrambling to compile inputs than they do analyzing them. The problem is usually structural: corrective actions live in one spreadsheet, audit results in another, and incident records in someone's inbox.
Synergistic Systems addresses this directly. Every ISO 22000 engagement includes collaborative documentation development alongside a cloud-based intranet that centralizes corrective actions, audit results, incident records, and management reviews in one place — so when review time arrives, the inputs are already organized. No hardware or software purchase is required; it's included in the fixed-price engagement.
How to Conduct the ISO 22000 Management Review: Step by Step
Step 1: Schedule the Meeting and Assign Preparation Roles
Allow a minimum of two to three weeks between scheduling and the review date. The food safety team leader or quality manager needs time to gather, compile, and analyze all required inputs — not just pull them together the night before.
Before confirming the date:
- Secure confirmed attendance from top management (CEO, plant manager, or equivalent decision-making authority)
- Identify functional representatives needed from quality, operations, maintenance, and procurement
- Issue a formal meeting invitation with a structured agenda mapped to Clause 9.3.2 inputs
When attendees arrive knowing what decisions will be required, discussions stay focused and outputs get documented more cleanly.
Step 2: Compile and Package the Input Data
Organize all required inputs into a structured pre-read package. Map each data set explicitly to its Clause 9.3.2 category — this makes completeness easy to verify internally, and easy for an auditor to follow.
Present data in trend format wherever possible. Single-point snapshots — one month of CCP data, one audit finding — tell top management almost nothing. Twelve months of nonconformity rates, corrective action closure times, and CCP exceedance frequency give leadership the context to judge whether the FSMS is improving, stable, or deteriorating.
For critical issues such as a significant recall, a major audit finding, or an unresolved supplier risk, prepare a brief executive summary in advance and flag it explicitly on the agenda. Presenting serious issues cold during the meeting slows decision-making and increases the chance they get deferred.
Step 3: Facilitate the Meeting Discussion
Open the meeting by reviewing the status of all action items from the previous review. This creates accountability and demonstrates — to attendees and to auditors — that the organization follows through on past commitments.
Work through each agenda topic using the pre-read package as the guide. Assign someone to take minutes in real time. Reconstructing discussions from memory afterward produces vague records that create problems during audits.
Drive toward specific decisions with named owners and due dates. The meeting should not end without explicit commitments on resource allocation, FSMS changes, or improvement actions. Vague discussion with no decisions does not satisfy Clause 9.3.3's output requirements.
Step 4: Document Outputs and Communicate Results
Finalize meeting minutes that explicitly capture the three Clause 9.3.3 required outputs:
- Improvement opportunities — record which actions were approved, who owns them, and the target completion date
- FSMS changes — document any revisions to the food safety policy, objectives, or system scope that top management authorized
- Resource requirements — capture specific commitments: budget approved, personnel assigned, or equipment authorized
Have top management sign or formally approve the record. Retain it as documented information — auditors request this during every certification and surveillance audit.
Communicate relevant outcomes to staff at appropriate levels. Management review decisions that never reach the people responsible for implementing them don't get implemented.
Synergistic Systems facilitates the management review meeting as Step 9 of its ISO 22000 implementation methodology — leading the session, working through each required input with your team, and producing output records structured to meet registrar expectations at the Stage 2 certification audit.
Key Agenda Topics Your Management Review Must Cover
Food Safety Performance Metrics
Present consolidated data across all active monitoring results. Trend charts over the review period show direction — which is what top management actually needs to act on. Key data points to include:
- CCP and oPRP monitoring results
- Critical limit exceedances
- Nonconformity trends and corrective action effectiveness
- Findings from internal audits, external audits, and regulatory inspections
Hazard Analysis and Prerequisite Program Review
Discuss whether any changes to products, processes, raw materials, or equipment have affected the hazard analysis. Assess whether existing PRPs are being implemented effectively and whether the hazard control plan remains valid.
Include food defense and product authenticity status here as well. Changes in the external environment — including intentional contamination risks — fall within the external context review required by Clause 9.3.2.
Incidents, Recalls, and Customer Communication
Review all food safety incidents and recalls during the period — both regulatory notification and voluntary. Evaluate whether customer and regulatory communication obligations were met. Customer complaint trends belong here too; a rising complaint rate on a specific product line is often an early FSMS performance signal.
Changes in External Factors and Risk Landscape
Cover regulatory updates, changes to applicable food safety standards, new food fraud risks, and supply chain changes affecting hazard control. Without this review, the FSMS can drift out of alignment with the actual risk environment your organization is operating in.
Objectives Review and Goal-Setting
Evaluate each food safety objective from the prior review period against supporting data. Then set measurable objectives for the coming period:
- Assign each objective to a specific department or process owner
- Define measurement criteria and target dates
- Link objectives to broader business goals
Objectives missing an owner or a measurement method won't survive the next audit cycle.
Common Mistakes When Conducting ISO 22000 Management Reviews
Three patterns account for most ISO 22000 management review findings during third-party audits:
- Treating the review as a checkbox exercise. Rushing through inputs without real discussion, or delegating the review to quality staff, fails the standard's intent. Clause 9.3.1 assigns the review to top management because resource allocation, FSMS changes, and policy updates require leadership authority to actually happen.
- Presenting raw data without analysis. Omitting any Clause 9.3.2 input category is a nonconformity. Presenting unanalyzed data is just as problematic — top management cannot assess whether the FSMS is functioning or deteriorating without context and trend direction.
- Carrying the same action items from review to review. Every action item needs an owner, a due date, and verifiable completion evidence. Unresolved items that recur across reviews signal to auditors that continual improvement is stated policy, not actual practice. Synergistic Systems' cloud-based intranet tracks corrective actions and review items with permission-based access, so ownership and status stay visible across the organization — not buried in a spreadsheet.
Frequently Asked Questions
What is the ISO 22000 management review?
It is a formal, periodic evaluation of the FSMS conducted by top management under ISO 22000:2018 Clause 9.3. Its purpose is to assess whether the system remains suitable, adequate, and effective, and to drive decisions on improvements and resources.
What should be included in a management review?
Clause 9.3.2 requires these inputs: status of prior actions, FSMS performance data, audit results, incidents and recalls, resource adequacy, context changes, and interested-party communications. Clause 9.3.3 requires documented outputs covering improvement decisions, FSMS change decisions, and resource decisions — all mandatory.
Who should attend an ISO 22000 management review meeting?
Top management must lead the review. Key functional representatives — quality, operations, procurement, maintenance — attend as needed to inform decisions. The food safety team leader typically organizes inputs and facilitates the pre-read package.
How often must an ISO 22000 management review be held?
ISO 22000 requires reviews at "planned intervals." Most certification bodies, including NQA, expect at least one formal review annually. Schedule additional reviews after significant FSMS changes, recalls, or major audit findings.
What are the required outputs of an ISO 22000 management review?
Clause 9.3.3 requires documented decisions on three things: opportunities for continual improvement, any changes needed to the FSMS (including policy or objectives), and resource requirements. All outputs must be retained as documented information.
