Within an organization’s information security framework, a policy serves as a high-level statement of intent and direction, formally endorsed by top management. Its primary purpose is to articulate the organization’s objectives, principles, and strategic direction for information security, rather than to describe operational detail or procedural steps. Therefore, Option A is the correct and verified answer.
ISO/IEC 27001:2022 clearly distinguishes between policies, procedures, and instructions. A policy establishes what the organization intends to achieve and why, while procedures and work instructions describe how tasks are performed. This distinction is essential for an effective Information Security Management System (ISMS).
ISO/IEC 27001:2022 Clause 5.2 – Policy explicitly states that top management shall establish an information security policy that:
“is appropriate to the purpose of the organization,”
“includes information security objectives or provides the framework for setting information security objectives,” and
“is communicated within the organization and available to interested parties, as appropriate.”
This confirms that a policy expresses management intent, direction, and alignment with business objectives, not detailed operational guidance on how tasks are carried out.
This is reinforced by Annex A control A.5.1 – Policies for information security, which requires that:
“Information security policy and topic-specific policies shall be defined, approved by management, published, communicated, and acknowledged.”
Options B and C are incorrect for the following reasons:
Option B describes procedures or work instructions, which provide step-by-step task guidance rather than management intent.
Option C describes how documentation is structured, not the purpose of a policy.