It is no harm to have dual standard to fit specific use case. As long as the directive is clearly stated, it is fine.
For badly written policies, the policy requirements are subject to interpretation creating chaos. This happens especially due to incompetent cybersecurity practitioners.
Therefore, the outcome of any security assessment should not just look at how the system is designed, built and operate. Validating the policy statement if it is up to industry best practice and practically achievable in commercial world are also equally important.