Whether there exists an information security policy that is approved by management, published, and communicated as appropriate to all employees.
Whether the policy states management commitment and sets out the organizational approach to managing information security.