Planning policy

A planning policy, in this context, governs the development of the information security program. It sets the foundation for an organization's information security program and is one of the first activities to undertake when an organization begins to mature its information security capability. It also establishes rules for the development, documentation, periodic update, and implementation of security plans for organizational information systems.

A planning policy should address:

  • The establishment of organizational roles—CIO, CISO, system owner, data owner, data custodian, and so on
  • What the information security program plan should include and how frequently it should be updated
  • Which artifacts should be developed to ensure repeatable processes around information security control selection, development, and implementation