An information security policy is the top-level governance document that defines an organisation's strategic approach to protecting its information assets. It establishes the security objectives, scope, principles, roles and responsibilities, and provides the framework within which all other security policies, procedures and standards are developed. This document is typically approved by senior management and communicated to all employees and relevant external parties.
A documented information security policy is an explicit requirement of ISO 27001 (Clause 5.2, which requires top management to establish, communicate and maintain it), is expected by SOC 2's Trust Services Criteria, and appears in most other compliance frameworks. It serves as the foundation of the entire information security management system (ISMS): it guides decision-making, sets expectations for employee behaviour, and demonstrates to auditors, customers and regulators that the organisation takes a structured, top-down approach to security governance.