What is the purpose of an Information Security policy?

What is the purpose of an Information Security policy?
A . An information security policy makes the security plan concrete by providing the necessary details
B . An information security policy provides insight into threats and the possible consequences
C . An information security policy provides direction and support to the management regarding information security
D . An information security policy documents the analysis of risks and the search for countermeasures

View Answer

Answer: C

Explanation:

The purpose of an information security policy is to provide direction and support to the management regarding information security. An information security policy is a statement of intent or direction that provides guidance for decision making and actions within an organization. It defines the scope, objectives, principles, and roles for information security management. It also establishes the general approach to information security and the expectations for compliance. An information security policy is the foundation of an information security management system (ISMS) based on ISO/IEC 27001:2022, which requires the organization to establish, implement, maintain, and continually improve an ISMS1. Therefore, the correct answer is C.

Reference: ISO/IEC 27000:2022, clause 3.47; ISO/IEC 27001:2022, clause 5.2.