In general, every business should have some number of information security policies. For example, any business that collects personal information about customers (PII) will be required by law to protect that data. At least 43 states in the US have laws to protect customers against identity theft. Sometimes a certain facet of your business may require written policies. For example, any business that takes credit cards must comply with the requirements of the payment card security standard (PCI-DSS). If your business provides credit to customers, you must comply with the Identity Theft Red-Flag rules of FACTA. For each of these laws, written information security policies are required for compliance. (For a more detailed list, see Regulatory Requirements for Written Security Policies.)
Before beginning any security policy development program, an organization should have a clear understanding of which laws and regulations it must address through information security.