LOGBOOK

HELP

Quiz Entry - updated: 2026.06.04

What is an Enterprise Information Security Policy (EISP), who drafts it, and when does it change?

The EISP is the general security policy that sets direction, scope, and tone for all security efforts — drafted by the CEO and modified only when the organization's strategic direction changes.

Key characteristics:

  • Directly supports the mission, vision, and direction of the organization
  • Also called the general security policy
  • Acts as the guideline for development, implementation, and management of the security program
  • Is drafted by the chief executive officer — ownership at the very top, not delegated to IT
  • Is modified only on a change in strategic direction — deliberately stable, technology-free

Why CEO ownership matters: the EISP's authority is its signature. A policy issued by the IT department binds the IT department; a policy issued by the CEO binds everyone — including the IT department's boss.

Tip: Stability test: if a document mentions specific products, port numbers, or password lengths, it is not an EISP — that content belongs levels below.

From Quiz: ISM / Policies, Concepts & Guidelines | Updated: Jun 04, 2026