Internal audit, CAPA and management review — closing the ISO loop

ISO clauses 9.2, 10.1 / 10.2 and 9.3 are one loop — internal audit finds nonconformities, corrective actions close them, management review confirms the system is working. Break any link and the whole loop fails at surveillance.

Michael McCarroll · 15 min read · Updated July 2026

Why the loop breaks

Most small and mid-sized ISO programmes fail the same way. The internal audit happens. Findings are captured in a Word doc. Someone opens a corrective action in a spreadsheet. Nine months later nobody has looked at the sheet, half the actions are past their due date, and the annual management review is a slide deck with "TBC" against most inputs.

The external auditor spots this in the first hour. Repeat findings against the same clause become "systemic". "Ineffective corrective action" becomes a major nonconformity. And a management review that is not just late but undocumented is a minor nonconformity at the very least.

Step 1 — The audit programme (clause 9.2)

Step 1

Programme, not audit

Clause 9.2 asks for an audit programme, not a single audit: a plan that covers every in-scope clause across a defined cycle (typically 12 months). Each audit inside the programme has a scope, a set of criteria, a lead auditor and a planned date.
Step 2

Findings tagged by clause

Every finding — nonconformity (major/minor), observation, opportunity — must be tied to the clause it breaches. That's what makes results comparable across audits and years.
Step 3

Link to the control

Where the finding relates to a specific control (Annex A, ISO 27002, your bespoke register), link it. The next audit of that control starts with the last finding already loaded.

Step 2 — Corrective action that actually corrects (clauses 10.1 / 10.2)

Step 1

Correction first, then corrective action

The nonconformity and corrective action clause (10.2 in ISO 27001:2022 and ISO 9001:2015; 10.1 in ISO 27001:2013) distinguishes correction (fix the symptom now: take the server offline, revoke the access) from corrective action (stop it recurring: change the deprovisioning workflow). Both belong on the record, as separate fields, so the auditor can see that the symptom was contained and the cause addressed.
Step 2

Root cause is a required field

"Human error" is not a root cause. Use 5-whys or fishbone at minimum. If you can't articulate why the failure was possible, the corrective action won't prevent recurrence.
Step 3

Effectiveness review is the closure gate

A CAPA is not closed when the action is done. It's closed when the effectiveness review confirms recurrence hasn't happened — typically 60–90 days later. Set that review date when you open the CAPA, not when you remember.
Step 4

Follow-up reminders

Overdue CAPAs are among the most common findings in surveillance audits. A weekly overdue-CAPA reminder in the tool your action owners already log into beats a monthly spreadsheet reconciliation every time.

Step 3 — The management review (clause 9.3)

Clause 9.3 lists the inputs and outputs the review must cover. For an ISMS the inputs include: the status of actions from previous reviews; changes in external and internal issues and in the needs and expectations of interested parties; feedback on performance, including audit results, nonconformities and corrective actions, monitoring and measurement results and fulfilment of objectives; feedback from interested parties; results of risk assessment and the status of the risk treatment plan; and opportunities for continual improvement. The outputs must include decisions on continual improvement opportunities and any needed changes to the management system.

The failure mode isn't the meeting, it's the pack. If the audit results, CAPA status and risk trends are compiled by hand each year, they'll be stale, wrong, or missing. Assemble them from the live workspace instead: a pack generated from live data is current at the moment the meeting opens, whereas a hand-compiled one is current as of whenever someone last copied the numbers.

Step 1

Structured inputs and outputs

Use the clause 9.3 list as your template. Every review, same structure. A missing input is an audit finding in its own right.
Step 2

Actions carry forward

"Status of actions from previous management reviews" is an explicit input. Actions created in one review must be linked to the next.
Step 3

Lock the record

Once the review is signed off, the record must not change. Timestamped attribution of who attended, what was reviewed and what was decided is the evidence that top management engaged, which is exactly what a surveillance audit inspects.
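The register logic behind Steps 2 and 3 (required root cause, the effectiveness review as the closure gate, overdue reminders, and review inputs assembled from live data) is small enough to show in code. The block below is an added illustration written for this guide, not ISO-STANDARD.app's code; the field names, the list of rejected root-cause phrases, the 30-day action and 60-day review defaults, and the clause tag format are assumptions chosen for the example.

```python
# Added example: a CAPA register with a closure gate and live review inputs.
# Not ISO-STANDARD.app's code; field names, thresholds and tags are assumptions.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Status(str, Enum):
    OPEN = "open"                        # corrective action not yet implemented
    AWAITING_REVIEW = "awaiting_review"  # action done, effectiveness review pending
    CLOSED = "closed"                    # effectiveness review passed


# Entries that name a person or restate the symptom are not root causes (assumed list).
NOT_A_ROOT_CAUSE = {"", "human error", "operator error", "user error", "n/a", "tbc"}


def _d(value: date | str) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class Capa:
    ref: str
    clause: str                  # clause or control breached, e.g. "A.5.18" (assumed format)
    finding: str
    correction: str              # fix for the symptom, applied now
    corrective_action: str       # change that stops recurrence
    root_cause: str
    owner: str
    opened: date
    due: date                    # corrective action due
    effectiveness_review: date   # fixed when the CAPA is opened, not later
    status: Status = Status.OPEN

    def __post_init__(self) -> None:
        # Required fields are checked at creation, so a record cannot exist without them.
        for name in ("correction", "corrective_action", "owner"):
            if not getattr(self, name).strip():
                raise ValueError(f"{self.ref}: {name} is required")
        if self.root_cause.strip().lower() in NOT_A_ROOT_CAUSE:
            raise ValueError(f"{self.ref}: '{self.root_cause}' is not a root cause")
        if not self.opened <= self.due < self.effectiveness_review:
            raise ValueError(f"{self.ref}: need opened <= due < effectiveness_review")

    def complete_action(self) -> None:
        """Marks the corrective action implemented; this is not closure."""
        if self.status is not Status.OPEN:
            raise ValueError(f"{self.ref}: action already completed")
        self.status = Status.AWAITING_REVIEW

    def record_effectiveness(self, on: date | str, recurrence_seen: bool) -> Status:
        """Closure gate: only a passed review, on or after its planned date, closes the CAPA."""
        on = _d(on)
        if self.status is not Status.AWAITING_REVIEW:
            raise ValueError(f"{self.ref}: corrective action not yet completed")
        if on < self.effectiveness_review:
            raise ValueError(f"{self.ref}: review not due until {self.effectiveness_review}")
        if recurrence_seen:
            # The action did not prevent recurrence: reopen with a new action and review window.
            self.status = Status.OPEN
            self.due = on + timedelta(days=30)
            self.effectiveness_review = self.due + timedelta(days=60)
        else:
            self.status = Status.CLOSED
        return self.status


def new_capa(ref: str, clause: str, finding: str, correction: str, corrective_action: str,
             root_cause: str, owner: str, opened: date | str,
             due_days: int = 30, review_days: int = 60) -> Capa:
    """Opens a CAPA with the action due date and the review date derived from the open date."""
    opened = _d(opened)
    due = opened + timedelta(days=due_days)
    return Capa(ref, clause, finding, correction, corrective_action, root_cause, owner,
                opened, due, due + timedelta(days=review_days))


def overdue(register: list[Capa], today: date | str) -> dict[str, list[str]]:
    """Content of the weekly reminder: overdue actions and overdue effectiveness reviews."""
    today = _d(today)
    actions = [c.ref for c in register if c.status is Status.OPEN and today > c.due]
    reviews = [c.ref for c in register
               if c.status is Status.AWAITING_REVIEW and today > c.effectiveness_review]
    return {"actions": sorted(actions), "reviews": sorted(reviews)}


def review_pack_inputs(register: list[Capa], today: date | str) -> dict:
    """Clause 9.3 inputs on nonconformities and corrective actions, computed from the live register."""
    per_clause: dict[str, int] = {}
    for c in register:
        per_clause[c.clause] = per_clause.get(c.clause, 0) + 1
    od = overdue(register, today)
    return {
        "open": sum(c.status is not Status.CLOSED for c in register),
        "closed": sum(c.status is Status.CLOSED for c in register),
        "overdue_actions": len(od["actions"]),
        "overdue_reviews": len(od["reviews"]),
        # Two or more findings against one clause is what an auditor will call systemic.
        "repeat_clauses": sorted(cl for cl, n in per_clause.items() if n >= 2),
    }
```

Two design points worth noting. The review date is computed when the CAPA is opened and cannot be moved by the owner, so `overdue()` catches a review that was never done as well as an action that was never finished. And a failed effectiveness review does not close the record or spawn a new one; it reopens the same reference with a fresh window, which keeps the repeat visible under the same clause when the review pack is assembled.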

What good looks like — 90 days in

  • Audit programme published, next audit scheduled, lead auditor assigned.
  • Every open finding has a linked CAPA with a root cause and an effectiveness review date.
  • Zero overdue CAPAs on the dashboard; overdue count is a KPI in itself.
  • Management review pack assembles from live data in one click.
  • Actions from the last review are visible on the next review's agenda by default.

Run the whole loop in one workspace

ISO-STANDARD.app ships the audit programme, CAPA register and management review workspace pre-wired — with automatic follow-up reminders and governance reports. Start free.
