We bought the Docu Kit and again I have a question about the ISMS.
The ISO 27001 standard requires that an information security policy be formulated and made known (5.2). The standard does not specify which scope (or area) of an organization the information security policy must cover. Is it possible that overall policies are valid for multiple areas (locations, sites) within an organization, whereas some policies are only valid within the specified scope of the ISMS?
Our company has several locations and the information security policy applies to all locations here in XXXX. However, the actual scope of the ISMS is only a subarea of a certain location. Therefore, can the information security policy be valid in its entirety while certain procedural instructions of the ISMS apply only to the ISMS scope? This would mean that there are documents in the ISMS with general validity and also documents that only apply to the ISMS.