Setting up a written directive (policy statement) is easy. But the actual value of a policy statement is to achieve certain purpose in arriving at the desirable consequence.
If something cannot be practically accomplished, that is a bad policy. Some cybersecurity practitioners establish policies very strictly hoping to secure the organization business operations. The pitfall is a large gap will be resulted with reality or the current setup. Flexibility must be built to avoid so many non-compliance cases. Non-compliance also affects the corporate governance in the entire organization.
The proper approach is to make it incremental strengthening, listen and adopt feedbacks from field users who will tell what works and what absolutely not works. Even if that works, other elements to consider are maximize the investment for best protection and the urgency to do so. Never establish policies based on media, sales pitch nor textbook knowledge.