Lesson 3 of 7

Security Policy

A security policy is a reference document stating what it means to be secure for a system or an organization. It must be designed from a careful risk assessment of the organization's practices and systems, and it must express the organization's overall risk tolerance in concrete, enforceable terms.

Requirements include:

Create, maintain, and internally share a security policy or set of security policies (Req 12) that:

  • Identifies key personnel, contact info, and responsibilities
  • Contains data and data container classification, ownership, and inventory
  • Enumerates how and when to conduct company-wide risk assessments
  • Contains procedures and acceptable use guidelines for technology
  • Enumerates monitoring and administrative controls and responsible personnel
  • Requires annual Security Awareness training for relevant personnel
