I like Sarah Clarke's thoughts on how policies need to be shared - getting away from documents to a format that is accessible.
It's not rocket science and I don't know why more firms don't do this already. Build policies in a database, and link top-level policy to risks, control objectives, controls, operational guides and relevant legs and regs. It's a many-to-many mapping, so why try and do it in a flat format? Build it with a useful structure, so folk can drill down to practical guidance or up to risks. It's for your PM who needs security requirements for an ecommerce project, your in-house team planning a change to user management processes, your compliance team planning activity, or your supplier management team who needs to put an RFI together.