Now we are getting into the backbone of your Information Security Program the policy statements that define the left and right parameters in which the business is expected to operate.
These policies are commonly seen as "Will - Shall - Must" statements and set the standards to which the business will be governed.
It's important to remember that these policies are not meant to hinder the business and if operations require they may break a preset policy though this should be reviewed and approved by management and should not be common practice across the organization.