~3-page information security policy template on assurance.
Simply stated, assurance requirements relate to the information risks.
The policy advises appropriate assurance measures (e.g. reviews, tests and audits) to reduce the uncertainties associated with many information risks and indeed other security controls. Procedural controls, for instance, are only effective if properly specified and used. Management oversight and checks can both measure and improve conformity ('that which is monitored and measured gets done').
Supplied as an MS Word document, readily customised for your organisation's specific situation.