Information security policies are the DOCUMENTED BUSINESS and technical rules for protecting an organization from information security risk faced by its business and technical infrastructure. These written policy documents provide a high-level description of the various controls, which the organization will use to manage its information security risks.
The information security policy documents are also considered to be a formal DECLARATION of management’s intent to protect its information ASSET from relevant risks. In SPECIFIC cases, the policies are supported by information security procedures that identify key activities required to implement relevant information security policies.

Information security policies are the documented business and technical rules for protecting an organization from information security risk faced by its business and technical infrastructure. These written policy documents provide a high-level description of the various controls, which the organization will use to manage its information security risks.
The information security policy documents are also considered to be a formal declaration of management’s intent to protect its information asset from relevant risks. In specific cases, the policies are supported by information security procedures that identify key activities required to implement relevant information security policies.