This report outlines the reasons why each organization needs to adopt an information security policy and an information security programme, emphasising the competitive advantages based on improved adaptation capabilities. First, it examines the concept of information security. On that basis, the author represents possible formulation of organizational objectives. The examination of organizational activities in a competitive context allows to formulate specific ways in which information becomes of utmost significance. The report includes examples demonstrating the need to establish an information security policy and an information security programme, including description of threats and vulnerabilities that, unless adequately managed, could decrease the organizational capabilities to achieve their goals.