The organization’s InfoSec policy should be defined, should be approved by top management, and should take into account business requirements, regulations, and risks. It should contain specific statements and be supported by topic-specific policies. Relevant personnel should develop and approve topic-specific policies, and policies should be reviewed regularly. Organizations should communicate these policies to pertinent employees and interested individuals, and any changes should be approved by top management. Care should be taken when distributing policies outside the organization. See Clause 5.2: Policy.