Who is typically responsible for approving the information security policy in an organization?

Prepare for the Introduction to Industrial Security Test. Review an in-depth mix of questions with insights and explanations. Ace your exam!

Multiple Choice

Who is typically responsible for approving the information security policy in an organization?

Explanation:
Senior leadership and the board are responsible for approving the information security policy because it sets governance, defines risk appetite, and aligns security with business objectives. When top executives endorse the policy, it carries the authority and resources needed to enforce security requirements organization-wide and to hold units accountable. A governance or risk committee typically oversees the process, reviewing drafts and guiding them up to the board for final approval. After approval, the policy serves as the foundation for standards, procedures, and controls and is regularly reviewed to stay current with threats and regulations. The IT help desk handles day-to-day support, not policy approval; external auditors assess compliance but don’t approve policy; and individual department managers implement the policy within their areas, but they don’t authorize it.

