There are a plethora of resources available to assist you and your customer in creating security policies that meet their needs and requirements. The best way to approach the situation is to first assess the situation; do they have any policies in place today? If so, can they be leveraged to create a more well-rounded set of security policies? If they do not, then what policies are they looking to create, and is there a standard or set of policies they are specifically interested in? Two approaches at this point are possible. You can either begin with the common security policies, such as Internet Use, Password Management, Remote Access, etc., or you can start with a standard, such as ISO17799 and develop the policies based on this.
Once you have determined where to begin and have developed a preliminary set of policy topics, it is time to add the content. Determine what they have in place, for example, on password requirements, and create a policy based on what they are practicing today. Once you have the baseline policy, if they feel they can add more stringent requirements, they should then be added, but only if the customer is willing to increase the level of security practices. The security policies must be 'achievable' by your customer. Do not recommend security policies that they can never comply with.
The next part will be getting the policies approved and implemented. This can often times be the most difficult part. Make sure that a security policy committee is created, and use that committee for the creation of the security policies. Members should be comprised of all departments within the organization. The committee should be ultimately responsible for approving the policies, as they will ensure employees are complying with them after they are implemented.