Good question - to which the answer is actually no! We often get asked by organisations that we train for a format or 'off the shelf' security plans or policies. However, because the systems, requirements and ways of working for each organisation are inevitably very different, we we would recommend that the format for a security policy is developed as part of a workshop, bringing together key people form different parts of the organisation.
That said, there are various resources out there that could give a useful starting point - a particularly place to start is the 'GPR 8': https://odihpn.org/resources/operation.... This, has been for many years the 'textbook' of security management in the field, but also gives some insight into organisational level considerations.
The European Interagency Security Forum also have some useful resources, including on establishing 'thresholds of acceptable risk' (https://www.eisf.eu/wp-content/upload...) and on internally auditing your existing security structures (https://www.eisf.eu/wp-content/upload...).
Hope that helps, and don't hesitate to get in touch if there's anything else we can help with.
This thread is public, all members of KnowledgePoint can read this page.