I know that information security objectives are not the same exact thing as information security policies. However, I find that the essential elements that I wish to capture in a simple policy statement can be crafted from the objectives in Annex A.
My question for you is, can I modify the security control objectives from Annex A (ISO/IEC 27001) and rewrite them so that they represent my company's security policy?
For example, take information security objective A.7.1.2, which states: "To ensure that employees and contractors are aware of and fulfill their information security responsibilities." Can I reword this to say (something like): "It is our company's policy to ensure that employees and contractors are aware of and fulfill their information security responsibilities."?
First, it is important to note that a policy sets general directions, while an objective is specific about what must be achieved. Considering that, you can use elements from the security control objectives in Annex A to fulfill your needs regarding writing policy statements, but you must consider their different purposes when building the text.
Your example is too specific to be used as a policy statement (e.g., what about customers or suppliers who access your information? How do you handle them?). A proper example would be: "It is our company's policy that personnel who handle information must be prepared to protect it properly." In this example you do not limit to whom this statement applies (it is valid also for customers, suppliers, and other entities), nor how you are going to accomplish that (e.g., by means not only of awareness, but also of education, training, etc.).