The creation of an information security policy is a crucial step towards the effective management of information across all levels of an organisation.

It is critical that any information security policy created by an organsiation is approved by management, and that this is subsequently published and communicated to all employees.

This document should be maintained and reviewed regularly, or in response to a change in circumstances that may affect the risks to an organisation's information. An example here may be the introduction of a web site, or the use of e-commerce.