The organization has an information security policy developed and approved by top management. The policy shall include at least the following:
- the basis for setting the organization’s security objectives
- commitment to meeting information security requirements
- commitment to continuous improvement of the information security management system
In addition, the task owner shall ensure that:
- the is appropriate for the organization's business idea
- the policy is communicated to the entire organization
- the policy is available to stakeholders as appropriate