Exam ISO-IEC-27001-Lead-Auditor Topic 1 Question 190 Discussion

Actual exam question for PECB's ISO-IEC-27001-Lead-Auditor exam
Question #: 190
Topic #: 1
How is the purpose of information security policy best described?

Suggested Answer: B

The purpose of information security policy is best described as providing direction and support to the management regarding information security. An information security policy is a high-level document that defines the organization's vision, objectives, principles and responsibilities for information security. It also sets the scope and context of the information security management system and aligns it with the organization's strategy and culture. An information security policy does not document the analysis of risks or the search for countermeasures, nor does it make the security plan concrete or provide insight into threats and consequences. These are tasks for other documents or processes within the information security management system. ISO/IEC 27001:2022 defines information security policy as "policy that provides direction and support for information security in accordance with business requirements and relevant laws and regulations" (see clause 3.29). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Information Security Policy?

by Sandy at Nov 07, 2025, 03:11 AM
