As you contemplate a policy development or update project, you need to avoid the "policy compliance gap". This gap occurs when your security practices and capability is non-compliant with the published policie. So, you not only create an immediate compliance issue, you may also create a legal exposure. If policy is catching up with practice and capability, move forward quickly. If you are using policy to drive the uplift of security practices and capability, then be careful. Forward looking policies should clearly indicate that they are a draft for future implementation. You may also want to protect them with an "Attorney-Client Privilege" label, or other equivalent phrase as preferred by your Legal Counsel. A better strategy for policy development is to do so hand-in-hand with your security uplift projets. Accordingly, your strategic and tactical plans will include tasks for the development or update of the corresponding policies.