1. What exactly must be documented according to this control? What procedures and records?
To be compliant with this control, you have to document the rules for access to your systems, equipment, facilities, and information, based on business and security requirements for access (e.g., who can have access, who can authorize access, who can implement access, etc.). As for records, you need to keep evidence of access authorization and review.
In the Access Control Policy template included in your toolkit, located in folder 08 Annex A Security Controls >> A.9 Access Control, you will find detailed comments on what you need to fill in.