Every security policy should have:
- policy statement
- standards
- guidelines
- procedures

To write a security policy, you first need a basis for it.
For instance, you may use PCI DSS requirements: 2.1, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3, 5, 8.4, 8.5.9-8.5.15, 10.2, 10.3, 10.5, 10.7, 10.4, 11.5.
Another good practice is to use standards and best practices from vendors and security organizations, such as:
http://iase.disa.mil/stigs/checklist/