Page 44 - CISSO_Prep_ Guide
For that, you also need alignment with business priorities and
senior management support (among other things like awareness
training, excellent staff…), but the framework can help.
Policy
One of the priorities and deliverables of an information security
program should be the creation and approval of an information
security policy. The policy is the core document that outlines the
boundaries, objectives, and authority of the information security
program. Without a policy signed by senior management, a security
department lacks the credibility and authority to investigate or
enforce security practices and principles.
It is common for the security manager to have to write the policy
and then send it out for review, adjustment, and finally, approval.
The policy is approved by a senior manager (often the Managing
Director or Chief Executive Officer) and then distributed to all
areas of the organization to which it applies. A policy reflects
management's intent and direction and mandates compliance with
laws or standards.
A policy document should be short, clear, and easily understood.
It should be written in a way that is not technically constrained,
because a policy tied to specific technologies would quickly become
outdated as technology changes. The information security policy
must be legally enforceable and aligned with the culture of the
organization and with other organizational systems such as Human
Resources and Health and Safety policies. The policy should have an
owner who is responsible for reviewing it annually and updating it
when needed.
Every policy should allow for enforcement and disciplinary