Answer: If you defined that control A.12.6.1 (Management of technical vulnerabilities) is applicable, then only a technical vulnerability assessment process is required by ISO 27001, but there is no requirement to have it documented.
Considering a general vulnerability assessment, this is a good practice to support the identification of risks, but not an ISO 27001 requirement.
2. The consultant recommends ISO 27001 compliant forms. Is there such a thing as an ISO 27001 form?
Answer: ISO 27001 defines information to be included in documentation, such as policies, procedures and records, but it does not define forms, so the organization is free to define the documentation layout according to its needs. The templates included in the toolkit you bought are already compliant with ISO 27001 and they describe which information can be changed or excluded, and which must be kept.
These articles will provide you with further explanation about vulnerability assessment and documentation:
- How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
- How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
Oct 25, 2018