Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security;
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.