Management review minutes must include the following:

- Decisions about continual improvement opportunities
- Decisions about changes to the ISMS
- Date of the meeting
- Names of the participants

As a best practice, they should also include inputs that were presented at the management review, such as:

- Internal audit report
- Feedback from interested parties, as well as changes in their needs and expectations
- Suggestions for ISMS improvements
- Risk assessment and risk treatment report
- Risk treatment plan
- Status of nonconformities and corrective actions
- Report about monitoring
- Report about fulfillment of security objectives
- Status of follow-up actions that should have been taken after the last management review
- Description of changes in internal and external issues that could have affected the ISMS
- Required changes to the Information Security Policy and security objectives