Evidences for policies and controls

Answer: There is no generic answer for this question, because depending upon the policy or control objective, the requirements regarding which should be kept as compliance evidence will vary.

For example, for a backup policy, a record identifying the date, content and ID of the backup media is required, while for access control policy an user account creation record would be needed, and they basically do not share any kind of information field.

So, what I can say to you for identifying required logs, forms and records needed is to evaluate ISO 27001 requirements and which results you expect from an implemented policy or control and which information you need to present, or evaluate, to prove to someone you are actually achieving those results.

This article will provide you further explanation about mandatory records for ISO 27001:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-ma ndatory-documents-required-by-iso-27001-2013-revision/

These materials will also help you regarding mandatory records for ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/