I think this will be different depending on the size and complexity of your Bank. Here are a couple of things to keep in mind.
Within the Information Security Program (ISP), the Bank will designate an Information Security Officer (ISO).
The ISO should be most closely attached to the ISP, as the ISO is responsible for enforcing the policies and procedures of the ISP, as well as reviewing changes, additions, and deletions to the ISP (among many other things).
The ISO could be the lead person in creating the ISP, but the ISO will probably need help from other areas.
There may be technical issues involved in authoring the ISP where the IT folks need to get involved.
There may be legal issues involved in authoring the ISP where counsel needs to be involved.
The internal auditor should not author, but should have input to the creation of the ISP.
Hope that helps.