For certain job roles of cybersecurity practitioners, policy making is necessary as a foundation in running the business securely to a reasonably degree.
While doing so, we must fully understand the business objectives, operating environment and intended business outcomes taking text book knowledge as a reference rather than blindly applying. Where necessary, suitable qualifier or elaboration is required to enhance clarity.
Example is personal privacy. The data subject must be a living individual shall have differentiated the situation in real life. Without this, it is impossible and impractical to enforce by replacing all the tombstone around the globe.