After a lot of trial and error, I found a pretty good solution.
It may not be perfect, since I use an ARM template with Terraform, but it works.
In the following example an ISO 27001 policy is added directly to the current Azure subscription.
# Subscription-scope ARM deployment that creates the policy assignment.
resource "azurerm_subscription_template_deployment" "terraform-iso" {
  name     = "terraform-iso-1"
  location = "West Europe"

  # ARM template assigning the policy set to the current subscription.
  template_content = <<TEMPLATE
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "name": "MyIso27001",
      "apiVersion": "2021-06-01",
      "properties": {
        "scope": "[subscription().id]",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2",
        "parameters": {}
      },
      "location": "westeurope",
      "identity": {
        "type": "SystemAssigned"
      }
    }
  ]
}
TEMPLATE
}
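
The same assignment written with the azurerm provider's `azurerm_subscription_policy_assignment` resource instead of an embedded ARM template, as an added example that is not part of the original answer. The resource labels `current` and `iso27001` and the output name are assumptions; the assignment name, location and policy set ID are taken from the template above.

```hcl
# Added example: native azurerm resource instead of an embedded ARM template.
# The labels "current" and "iso27001" are illustrative names.

# Resolves the subscription the provider is authenticated against.
data "azurerm_subscription" "current" {}

resource "azurerm_subscription_policy_assignment" "iso27001" {
  name            = "MyIso27001"
  subscription_id = data.azurerm_subscription.current.id

  # Policy set ID copied from the ARM template above.
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2"

  # A location is required whenever a managed identity is attached.
  location = "westeurope"

  identity {
    type = "SystemAssigned"
  }
}

# Principal ID of the assignment's managed identity, exposed so that any
# role assignments it receives can be reviewed and kept to a minimum.
output "iso27001_assignment_principal_id" {
  value = azurerm_subscription_policy_assignment.iso27001.identity[0].principal_id
}
```

The managed identity is only used by policies with `deployIfNotExists` or `modify` effects and holds no permissions until role assignments are granted to it, so grant only the roles those policy definitions ask for.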