Top management should find examples of a “suitable” information security policy, including those from similar organizations, and tailor them to their organization and context. These examples can be used to set up the organization’s InfoSec objectives under clause Clause 6.2.