Which of the following processes if the FIRST step in establishing an information security policy?

A. Security controls evaluation
B. Information security audit
C. Review of current global standards
D. Business risk assessment