Should the Information Security Policy provide a framework for setting information security objectives?


The Information Security Policy is a foundational document that outlines an organization’s commitment to protecting its information assets. By providing a framework for setting information security objectives, the policy ensures that all objectives align with the organization's strategic goals, risk appetite, and regulatory requirements.

When a policy guides the establishment of goals, it allows for consistency and coherence across the organization's security efforts. This alignment helps identify priorities and direct resources toward measurable improvements in information security, ensuring a proactive rather than reactive stance.

The approach also fosters collaboration among different levels and units within the organization as it sets a clear direction that can be communicated throughout the workforce. This is crucial because it helps ensure that everyone understands the importance of their role in supporting the organization's information security objectives.

The other options do not align with the proactive nature of modern information security practices. Focusing solely on past compliance ignores the need for ongoing improvement, while restricting objectives to senior management alone undermines the holistic security posture that involves every employee. Stating that objectives should not be addressed at all would omit a critical aspect of strategic planning in information security.
