A required policy document for multiple compliance certifications (such as SOC 2 and ISO 27001) that defines, at a high level, the who, what, where, why, and how an organization approaches its information security. Other policies are required to document specifics.