When you want something to happen, you can write a policy. Then what? Is it realistic or does the policy assume components which are not in place? Is it easy to adhere or will compliance be an uphill battle? Now that it's easy, have you anchored the policy, ensuring that stakeholders understand it? Also - are people motivated to adhere? Always remember: awareness is not motivation.
Implementing something is about solving a problem, finding a workable technical solution, showing that it can be done.
Establishing something is about making it happen in the real world. Communicating the implementation to stakeholders, gaining their acceptance, understanding and commitment to use it. Integrating it into their processes, making it part of their business-as-usual.
From firewalls to access control models - implementing is not establishing. Security folks should ponder the difference.