A set of information security policies must be defined, approved by management, disseminated and communicated to employees and third parties concerned. ...

Policies must be reviewed at scheduled intervals or in the event of major changes to ensure their relevance, adequacy and effectiveness over time. ...