IoT policy is the first of the basic security controls shown on the 'risk-control spectrum' diagram above, and is Control-01 in the new standard ...
Do you have a security policy on IoT? If not, does that mean IoT is out of control in your organisation? Even if you do, what does it say? Is it valid, appropriate, worthwhile, sufficient?
The spectrum diagram shows quite a variety of risks and controls, but it is merely a summary, selected highlights. Attempting to cover them all in a policy document would be counterproductive - in fact, general employees can barely cope with a much-simplified one-page 'acceptable use policy'.
The new ISO/IEC 27400 standard takes a broad perspective with copious advice on information security and privacy for the designers, manufacturers, purchasers, users and administrators of IoT things.