Policy levels
Answer:
High-level policies are documents intended to be used by the whole organization, while low-level policies, better known as operational policies, are intended to be used by specific areas or processes.
So, an ISMS generally has one Information Security Policy, providing high-level guidance on how to implement and manage information security as a whole, and several security policies for different aspects of operation, like the Access Control Policy, Backup Policy, Development Policy, etc. The legal requirements your organization must comply with and the results of the risk assessment are the bases for identifying which policies you need to implement.
These materials will provide you further explanation about policy implementation:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
May 14, 2019