Information security is crucial for businesses to manage risks and support operations. The enterprise information security policy guides security activities and sets goals and requirements. It must align with other business policies to meet evolving objectives. Current approaches have limitations, so a new framework is proposed to improve alignment and management of security policies with business strategies.