Chat with Experta

What to include in management review minutes?
The outputs from the management review are usually documented in the Management review minutes. Management review minutes must include the following:
- decisions about continual improvement opportunities
- decisions about changes to the ISMS
- date of the meeting
- names of the participants

As a best practice, Management review minutes should also include inputs that were presented at the management review:
- Internal audit report
- Feedback from interested parties, as well as changes in their needs and expectations
- Suggestions for ISMS improvements
- Risk assessment and risk treatment report
- Risk treatment plan
- Status of nonconformities and corrective actions
- Report about monitoring
- Report about fulfillment of security objectives
- Status of follow-up actions that should have been taken after the last management review
- Description of changes in internal and external issues that could have affected the ISMS
- Required changes to the Information Security Policy and security objectives

Decisions made at the management review (i.e., outputs) could include:
- Changes in security objectives.
- Changes in the ISMS budget.
- Changes in the risk assessment methodology.
- Changes in particular policies or procedures.
- Changes in how the effectiveness of the ISMS is measured
- Changes how the corrective actions are reported and resolved

List of interested parties to which the decisions made in the management review need to be communicated