Add to ORKGThe authors present a proprietary approach to the process of creating and maintaining an infor-mation security policy in the organization. The proposed method of creating the Security Policy is comprehensive and easy to apply in practice. It is based on a life cycle of a security policy whose start-up phase is preparatory work carried out quite rarely and on demand, while the regular stage is work performed cyclically – the PDCA model. Within each cycle, the following processes are performed: risk analysis, preparation of the Basic Information Security Policy (BPBI) project, project implementation, development of a security strategy, assessment of the effectiveness of the implemented strategy, improvement of the security policy