10.1 It is important that the organisation establishes an IT security policy which clearly states the organisation's position. The lower level, detailed controls should be based on the IT security policy. For example, detailed password controls would be based on the logical access section of the IT security policy.
Control Objective
10.2 By way of enunciating an IT security policy, the organisation:
• demonstrates its ability to reasonably protect all business critical information and related information processing assets from loss, damage or abuse;
• aims to enhance the trust and confidence between organisations, trading partners and external agencies, as well as within the organisation;
• assures conformity to applicable contractual and regulatory requirements.