It doesn't. The closest you will find is:
Institution management should create, document, maintain, and adhere to policies, standards, and procedures to manage and control the institution’s IT risk. The level of detail depends on the complexity of the IT environment but should enable management to monitor the identified risk posture. Review of adherence to documented policies, standards, and procedures may be performed internally, by a risk or compliance function in the institution, or through independent audit. This review often helps to identify problems early so they can be corrected before they become serious.
The true need for policies is generated from your risk assessments.