The Information Security Policies document should guide the decision-making process as it outlines the organization's overarching rules, expectations, and practices related to maintaining information security. It provides a framework for ensuring that changes comply with the standards necessary to protect the company's information assets. The Acceptable Use Policy (AUP) mainly concerns how individuals are permitted to use company resources. The Software Development Lifecycle (SDLC) policy is generally specific to the creation of software rather than change management. Meanwhile, the Business Continuity Plan (BCP) is designed to guide operations post-disruption and is not primarily used for decision-making in change management.