Creating an Information Security Policy can be a daunting task. There are many pitfalls that might prevent a policy from being an effective tool that's being used and instead lead to becoming shelfware that only meets the needs for checkbox compliance. It is important to understand the difference between a policy, a standard and a guideline to make sure the right information is in the policy. Below are some good starting points including templates for writing information security policies.
- https://www.sans.org/security-resources/policies Information and policy templates for twenty-seven important security requirements
- https://www.healthit.gov/node/289 information security policy template with 98 pages