ISO 27001 requires the following input information to be considered during the management review:
- Internal audit report
- Feedback from interested parties, as well as changes in their needs and expectations
- Suggestions for ISMS improvements
- Risk assessment and risk treatment report
- Risk treatment plan
- Status of nonconformities and corrective actions
- Report about monitoring
- Report about the fulfillment of security objectives
- Status of follow-up actions that should have been taken after the last management review
- Description of changes in internal and external issues that could have affected the ISMS
- Required changes to the Information Security Policy and security objectives