Which document should be created FIRST when establishing an information security program?
Why this answer
The information security policy is the foundation document that sets the program's direction, principles, and responsibilities. All other standards, procedures, and guidelines are derived from it.
Exam trap
Some might answer 'risk assessment' because it's important, but the policy must be in place to guide the risk assessment process.
Why the other options are wrong
Risk assessment is informed by policy.
Incident response is a later operational plan.
BCP is related but separate and typically follows policy.