Please note that ISO 27001 requirements for the Information Security Policy (clause 5.2) do not prescribe that controls need to be implemented based on the Information Security Policy. The purpose of the Information Security Policy is to set the organization’s high-level expectations for information security (e.g., information security objectives, fulfillment of legal requirements, commitment, etc.).
The definition of controls to be implemented is prescribed by clause 6.1.3 “b” (information security risk treatment).
This article will provide you with a further explanation about the selection of controls: