diff --git a/ee/app/services/security/security_orchestration_policies/compliance_frameworks/sync_service.rb b/ee/app/services/security/security_orchestration_policies/compliance_frameworks/sync_service.rb
index c4a5912632ce291d315d45cf6e4fc87b9f2fd635..4894d39503bc33ee01a81490b13604d82e06718d 100644
--- a/ee/app/services/security/security_orchestration_policies/compliance_frameworks/sync_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/compliance_frameworks/sync_service.rb
@@ -9,23 +9,21 @@ def initialize(configuration)
         end
 
         def execute
-          return if configuration.project?
-
-          namespace = configuration.namespace
-
-          return unless Feature.enabled?(:security_policies_policy_scope, namespace)
+          container = configuration.source
+          return if configuration.namespace? && Feature.disabled?(:security_policies_policy_scope,
+            configuration.namespace)
 
           framework_ids_with_policy_index = configuration.compliance_framework_ids_with_policy_index
           framework_ids = framework_ids_with_policy_index.flat_map { |ids_with_idx| ids_with_idx[:framework_ids] }.uniq
 
-          root_namespace = namespace.root_ancestor
+          root_namespace = container.root_ancestor
           frameworks_count = root_namespace.compliance_management_frameworks.id_in(framework_ids).count
 
           if frameworks_count != framework_ids.count
             Gitlab::AppJsonLogger.info(
               message: 'inaccessible compliance_framework_ids found in policy',
               configuration_id: configuration.id,
-              configuration_source_id: namespace.id,
+              configuration_source_id: container.id,
               root_namespace_id: root_namespace.id,
               policy_framework_ids: framework_ids,
               inaccessible_framework_ids_count: (framework_ids.count - frameworks_count)
diff --git a/ee/app/services/security/security_orchestration_policies/validate_policy_service.rb b/ee/app/services/security/security_orchestration_policies/validate_policy_service.rb
index ec8f2d5a0f2ed0baa8aa31f1be251804cafaf7e5..a1f91a8de58a90f58344aece44279ce19d5aad10 100644
--- a/ee/app/services/security/security_orchestration_policies/validate_policy_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/validate_policy_service.rb
@@ -20,7 +20,6 @@ def execute
         return error_with_title(s_('SecurityOrchestration|Branch types don\'t match any existing branches.'), field: :branches) if invalid_branch_types?
         return error_with_title(s_('SecurityOrchestration|Timezone is invalid'), field: :timezone) if invalid_timezone?
         return error_with_title(s_('SecurityOrchestration|Vulnerability age requires previously existing vulnerability states (detected, confirmed, resolved, or dismissed)'), field: :vulnerability_age) if invalid_vulnerability_age?
-        return error_with_title(s_('SecurityOrchestration|Compliance Framework ID(s) can only be set for group policies'), field: :compliance_frameworks) if has_compliance_framework_for_project_policy?
         return error_with_title(s_('SecurityOrchestration|Invalid Compliance Framework ID(s)'), field: :compliance_frameworks) if invalid_compliance_framework_ids?
 
         return error_with_title(s_('SecurityOrchestration|Required approvals exceed eligible approvers.'), title: s_('SecurityOrchestration|Logic error'), field: :approvers_ids) if required_approvals_exceed_eligible_approvers?
@@ -68,10 +67,6 @@ def missing_branch_for_rule?
         missing_branch_names.present?
       end
 
-      def has_compliance_framework_for_project_policy?
-        project_container? && compliance_framework_ids.present?
-      end
-
       def invalid_compliance_framework_ids?
         return false if project_container?
         return false unless Feature.enabled?(:security_policies_policy_scope, container)
diff --git a/ee/app/workers/security/refresh_compliance_framework_security_policies_worker.rb b/ee/app/workers/security/refresh_compliance_framework_security_policies_worker.rb
index 3a6200317381cad513e6ad8c98c11e535db931d6..cb1beb51441c3264d4bf7d3ff1f407e9ec86dd58 100644
--- a/ee/app/workers/security/refresh_compliance_framework_security_policies_worker.rb
+++ b/ee/app/workers/security/refresh_compliance_framework_security_policies_worker.rb
@@ -19,8 +19,7 @@ def handle_event(event)
       return unless policy_configuration_ids.any?
 
       framework.security_orchestration_policy_configurations.id_in(policy_configuration_ids).find_each do |config|
-        next unless config.namespace? &&
-          Feature.enabled?(:security_policies_policy_scope, config.namespace)
+        next if config.namespace? && Feature.disabled?(:security_policies_policy_scope, config.namespace)
 
         Security::ProcessScanResultPolicyWorker.perform_async(project.id, config.id)
       end
diff --git a/ee/spec/services/security/security_orchestration_policies/compliance_frameworks/sync_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/compliance_frameworks/sync_service_spec.rb
index 61353c664ebaddd92bb8e43a434a5749a7322e59..d01a1d8ecb6108bef83f8907bd7ecde720e8c65d 100644
--- a/ee/spec/services/security/security_orchestration_policies/compliance_frameworks/sync_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/compliance_frameworks/sync_service_spec.rb
@@ -43,7 +43,21 @@
       create(:security_orchestration_policy_configuration, project: project)
     end
 
-    it_behaves_like 'does not create ComplianceFramework::SecurityPolicy'
+    let(:framework_ids_and_idx) do
+      [
+        { framework_ids: [framework1.id, framework2.id], policy_index: 0 }
+      ]
+    end
+
+    it 'creates ComplianceFramework::SecurityPolicy' do
+      execute
+
+      expect(all_records.count).to eq(2)
+      expect(all_records.map(&:policy_index)).to contain_exactly(0, 0)
+      expect(all_records.map(&:policy_configuration_id)).to contain_exactly(policy_configuration.id,
+        policy_configuration.id)
+      expect(all_records.map(&:framework_id)).to contain_exactly(framework1.id, framework2.id)
+    end
   end
 
   context 'when inaccessible compliance framework is linked to policy' do
diff --git a/ee/spec/services/security/security_orchestration_policies/validate_policy_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/validate_policy_service_spec.rb
index e128f7cfb3738555b47b8c17a4e234c4801968de..376b07eda848cd286077447f8e340e7d612510d4 100644
--- a/ee/spec/services/security/security_orchestration_policies/validate_policy_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/validate_policy_service_spec.rb
@@ -575,25 +575,6 @@ def setup_repository(project, branches)
         end
       end
 
-      context 'when policy_scope is present' do
-        let_it_be(:container) { create(:project, :repository) }
-        let_it_be(:invaild_framework) { create(:compliance_framework) }
-
-        let(:policy) do
-          {
-            type: policy_type,
-            name: name,
-            policy_scope: policy_scope,
-            enabled: enabled,
-            rules: rules
-          }
-        end
-
-        let(:policy_scope) { { compliance_frameworks: [{ id: invaild_framework.id }] } }
-
-        it_behaves_like 'sets validation errors', field: :compliance_frameworks, message: 'Compliance Framework ID(s) can only be set for group policies'
-      end
-
       context 'when project has a default protected branch' do
         let_it_be(:container) { create(:project, :repository) }
 
diff --git a/ee/spec/workers/security/refresh_compliance_framework_security_policies_worker_spec.rb b/ee/spec/workers/security/refresh_compliance_framework_security_policies_worker_spec.rb
index 16273aba855cea224387291b6f4c7e132813662b..16805b4181c1cd1dd49adc1335c61f04a6099860 100644
--- a/ee/spec/workers/security/refresh_compliance_framework_security_policies_worker_spec.rb
+++ b/ee/spec/workers/security/refresh_compliance_framework_security_policies_worker_spec.rb
@@ -59,7 +59,7 @@
     it 'invokes Security::ProcessScanResultPolicyWorker with the project_id and configuration_id' do
       expect(Security::ProcessScanResultPolicyWorker).to receive(:perform_async).once.with(project.id,
         policy_configuration.id)
-      expect(Security::ProcessScanResultPolicyWorker).not_to receive(:perform_async).with(project.id,
+      expect(Security::ProcessScanResultPolicyWorker).to receive(:perform_async).with(project.id,
         project_policy_configuration.id)
       expect(Security::ProcessScanResultPolicyWorker).not_to receive(:perform_async).with(project.id,
         other_policy_configuration.id)
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 9bf5b0bc24137550cf79352508e5b616748849ee..fbdc1ba334c9b1fab2c1cdc29cf6161d3be60b38 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -44541,9 +44541,6 @@ msgstr ""
 msgid "SecurityOrchestration|Clear all"
 msgstr ""
 
-msgid "SecurityOrchestration|Compliance Framework ID(s) can only be set for group policies"
-msgstr ""
-
 msgid "SecurityOrchestration|Compliance framework has no projects"
 msgstr ""