Operation and practices documented

If you want to evaluate risks, the more important thing is to identify threats/vulnerabilities related to each asset, and you can consider current security controls, but in this case it is not necessary (or not mandatory by the standard) to have documents for the operation of these current security controls. When you will need to document the operation or practices is with the implementation of the security controls (risk treatment). For more information about the risk assessment, please read this article “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Finally,  in this article you will find a list of mandatory (and not mandatory) documents “List of m andatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/