If you tell IT managers they need to create a formal, written security policy for their company (many small- and mid-sized companies don’t have one) what’s the first thing they’ll say in response?
“Can you show me a template I can use to create one?”
That’s wrong thinking. You don’t want to create your security policy based on some general set of principles abstracted from companies in various business sectors. Instead, you want to base your security policy on your own company’s needs and nothing else. What information assets does your company have that need protecting? What risks do these assets realistically face? Prioritize your assets according to value and risks according to likelihood. Then create a policy that addresses each risk appropriately.