UnixTime

Research Note

Information Security Policy

An information security policy is management's approved statement of what the organization expects for protecting information. It sets direction, assigns high-level expectations...

On this page

Plain-language meaning

An information security policy is management’s approved statement of what the organization expects for protecting information. It sets direction, assigns high-level expectations, and points to topic-specific policies and procedures.

For ISO/IEC 27001 study, link this concept back to A.5.1 Policies for Information Security. That control is the detailed Annex A note for defining, approving, publishing, communicating, and reviewing information security policies.

Practical use

Use this note when you need a short concept link for policy-related topics such as Information Security Management System, Statement of Applicability, Risk Assessment, Management Responsibilities, and Internal Audit.

Exam cue

Do not confuse a policy with a procedure. A policy states expectations and rules; a procedure explains how to perform a process.