User
What to include in management review minutes?
Expert
The outputs from the management review are usually documented in the Management review minutes. Management review minutes must include the following:
- decisions about continual improvement opportunities
- decisions about changes to the ISMS
- date of the meeting
- names of the participants
As a best practice, Management review minutes should also include inputs that were presented at the management review:
- Internal audit report
- Feedback from interested parties, as well as changes in their needs and expectations
- Suggestions for ISMS improvements
- Risk assessment and risk treatment report
- Risk treatment plan
- Status of nonconformities and corrective actions
- Report about monitoring
- Report about fulfillment of security objectives
- Status of follow-up actions that should have been taken after the last management review
- Description of changes in internal and external issues that could have affected the ISMS
- Required changes to the Information Security Policy and security objectives
Examples:
Decisions made at the management review (i.e., outputs) could include:
- Changes in security objectives.
- Changes in the ISMS budget.
- Changes in the risk assessment methodology.
- Changes in particular policies or procedures.
- Changes in how the effectiveness of the ISMS is measured.
- Changes in how the corrective actions are reported and resolved.
- List of interested parties to which the decisions made in the management review need to be communicated.