5.2 Security management policy

ISO 28000:2022 clause 5.2 requires an organization to define, document, and maintain a security management policy that reflects its commitment to protecting assets, people, and information against security threats. The policy must be aligned with the organization's strategic objectives, communicated to all relevant parties, and periodically reviewed for effectiveness.