For example, a CBI guide says the document should not be more than two pages long, but does not say what should be in it. In some companies, the policy document is just something you have to sign to get the job - then you forget it.
A policy is fundamentally a statement of an information security objective: the definition of a way to protect against an identified threat. A business should develop policies which cover all the threats which emerge as significant in a risk assessment. Ready-made policy documents are not effective - they derive from someone else's risk assessment, not your own.
People often overlook the fact that how information is presented is at least as important as the information itself, and that all policies must be implementable and demonstrably work.
A policy should express an intent, provide a justification, declare mechanisms both for enforcement and for compliance verification, and specify what to do in the event of a breach. Without all these factors it is worthless.
So, create such a suite of policies based on your risk assessment, and distribute it to all your staff. To make sure everyone understands what they have to do, train everyone, not just the technical people. Then monitor and test your policies, and keep them up to date. Policies that don't work are worse than useless, because you are relying on them.