1. ISO/IEC 27001:2022, "Information security, cybersecurity and privacy protection — Information security management systems — Requirements":
Clause 5.2 Policy: This clause outlines the mandatory contents of the information security policy. Specifically, Clause 5.2 c) states the policy shall "include a commitment to satisfy applicable requirements related to information security".
Clause 6.1.3 d) defines the Statement of Applicability as a separate output of the risk treatment process.
2. Calder, A., & Watkins, S. (2019). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page Publishers.
Chapter 11, Section "5.2 Policy": This section explains that the information security policy must contain "a commitment to satisfy applicable requirements related to information security." It reinforces that the SoA is a different artifact.
3. University of Fairfax. (n.d.). Course IAT 631: Information Security Management. Course Syllabus.
The curriculum covering ISO/IEC 27001 implementation details the requirements of Clause 5.2, emphasizing that the policy must document top management's commitment to satisfying all relevant information security requirements as a core principle of the ISMS.