ISG provides strategic direction for an information security program. Organizations must protect data in a way that supports their business goals. They use high-level policies to state their information security goals. These policies set forth employee responsibilities. An organization can address information security issues in many different policies.

Standards, guidelines, and procedures are used to support policies. They explain how employees meet policy goals. A training and awareness program is a key part of an information security program. It helps make sure that employees are aware of their duties.