One of the most important information security controls, is the information security policy. This vital direction-giving document is, however, not always easy to develop and the authors thereof battle with questions such as what constitutes a policy. This results in the policy authors turning to existing sources for guidance. One of these sources is the various international information security standards. These standards are a good starting Point for determining what the information security policy should consist of, but should not be relied upon exclusively for guidance. Firstly, they are not comprehensive in their coverage and furthermore, tending to rather address the processes needed for successfully implementing the information security policy. It is far more important the information security policy must fit in with the organisation's culture and must therefore be developed with this in mind.
