Category 4 - Security Policy

Category 4 defines the organization's security policy framework, requiring the creation, approval, dissemination and regular review of written policies, procedures and guidelines that govern the protection of information assets. It ensures that security objectives are aligned with legal, regulatory and contractual obligations, and that responsibilities, enforcement mechanisms and compliance monitoring are clearly articulated.