Plain-language meaning
An information security policy is management’s approved statement of what the organization expects for protecting information. It sets direction, assigns high-level expectations, and points to topic-specific policies and procedures.
For ISO/IEC 27001 study, link this concept back to A.5.1 Policies for Information Security. That control is the detailed Annex A note for defining, approving, publishing, communicating, and reviewing information security policies.
Practical use
Use this note when you need a short concept link for policy-related topics such as Information Security Management System, Statement of Applicability, Risk Assessment, Management Responsibilities, and Internal Audit.
Exam cue
Do not confuse a policy with a procedure. A policy states expectations and rules; a procedure explains how to perform a process.
Related notes
- Iso27001
- Isms
- Policy
- Fundamentals
Note Metadata
Aliases: InfoSec Policy
Source: 01 Fundamentals/Information Security Policy.md