5.2 Policy

Clause 5.2 of ISO/IEC 27001:2022 mandates that the organization establish, document and maintain an information-security policy that defines its overall approach, objectives and responsibilities for protecting information assets. The policy must be approved by top management, communicated to all relevant parties and serve as the foundation for the ISMS.