There is also another way to make these types of policies more readable and less error-prone, and that would be by using layers. You say you are running this box in an ISP environment. When you start by grouping specific networks' access to other networks, you could create a layer beneath that controlling what they are allowed to do to each other in more detail.
This way you can create multiple main rules and multiple inline layers controlling the details per specific access group.
In these types of policies that is mostly the best way to improve the readability and prevent errors.
An example could be: a main rule allowing internet access to a DMZ network on a group of services; in the inline layer you can then allow any to the SMTP server with service SMTP, and allow any to the webserver with HTTP and HTTPS.
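To show how the two levels interact, here is a small added model of that rulebase (my own illustration, not the poster's configuration): a main rule with a service group, an inline layer narrowing it per server, and an implicit cleanup drop at the end of each layer. The addresses and port numbers are constructed sample values, and the assumption is that a connection matching the main rule but no rule in its inline layer is dropped by that layer's cleanup rule.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample objects (not from the post): a DMZ and the two servers in it.
DMZ_NET = ip_network("192.0.2.0/24")
SMTP_SERVER = ip_network("192.0.2.25/32")
WEB_SERVER = ip_network("192.0.2.80/32")
ANY = ip_network("0.0.0.0/0")

@dataclass
class Rule:
    name: str
    src: object            # ip_network the source must belong to
    dst: object            # ip_network the destination must belong to
    services: frozenset    # destination ports; empty frozenset means "any service"
    action: str = "accept"
    inline: list = field(default_factory=list)  # rules of an inline layer, if any

def matches(rule, src, dst, port):
    return (ip_address(src) in rule.src and ip_address(dst) in rule.dst
            and (not rule.services or port in rule.services))

def evaluate(layer, src, dst, port, path=()):
    """Walk a layer top-down. A matching rule that owns an inline layer hands the
    connection to that layer; whatever no rule in a layer matches is dropped by
    that layer's implicit cleanup. Returns (action, tuple of rule names hit)."""
    for rule in layer:
        if not matches(rule, src, dst, port):
            continue
        if rule.inline:
            return evaluate(rule.inline, src, dst, port, path + (rule.name,))
        return rule.action, path + (rule.name,)
    return "drop", path + ("implicit cleanup",)

# Main rule: internet -> DMZ on a service group (SMTP, HTTP, HTTPS),
# inline layer: per-server detail, so the mail server never gets HTTP and so on.
POLICY = [
    Rule("internet to DMZ", ANY, DMZ_NET, frozenset({25, 80, 443}), inline=[
        Rule("any to smtp server", ANY, SMTP_SERVER, frozenset({25})),
        Rule("any to webserver", ANY, WEB_SERVER, frozenset({80, 443})),
    ]),
]

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "192.0.2.80", 443),   # accepted via inline rule
                ("198.51.100.7", "192.0.2.25", 80),    # main rule matches, inline drops
                ("198.51.100.7", "192.0.2.25", 22)]:   # main rule does not match
        print(pkt, evaluate(POLICY, *pkt))
```

The second packet is the interesting one: the service group on the main rule alone would have let HTTP reach the mail server, and the inline layer is what stops it.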