This sounds like the potential to create an extra policy where you might not need it.
You probably already have an Internet and E-mail Acceptable Usage Policy, and you probably have an incident contingency and recovery policy for the enterprise -- and which outlines emergency preparedness for all computing platforms, including the Internet. The primary concern you'll have is describing the connectivity process to connect back to your ISP in the event something happens at your location. If you outsource all of the network front-end to a managed security service provider -- or if the ISP does this as part of a bundled package -- then the provision of firewall, IDS, virus eradication and patch management is made that much easier to document. I could PM something to you, but you can see I just registered and I'm trying to figure out how to do it on the thread.