1. Gather requirements based on your business operating model and objectives.
2. Propose relevant and applicable security policy types to the stakeholders based on the gathered requirements.
3. Develop policy documents based on stakeholder agreement and vetting the documents with various key stakeholders and organizational units that would have to adhere to implement the security policies.
4. Secure approval and buy-in from senior management and executive teams who are accountable for ensuring the successful implementation of the security policies and adherence.
5. Test the effectiveness of the training through a series of tests and retraining if required.
6. Publicize and training all stakeholders on the approved policies so that they are aware to ensure adherence to security policies.