A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?

A. Industry standards
B. The business impact analysis (BIA)
C. The business objectives
D. Previous audit recommendations