One of the audit findings on my department (XXXX) was "Information security policies and procedures need to be aligned with the industry standards such as ISO 27001." We are not an ISO 27000 certified organisation, but our main policies are set up according to ISO 27000:2005.
Could you please let me know what type of document I should deliver to the auditors? Whether it is a checklist that compares ISO 27001 controls with our policy, or any other type of document?
Answer: I will assume that even though your organization is not ISO 27001 certified, it considers it relevant to follow its practices. Considering this, since ISO 27001 was updated in 2013 and your organizational practices are based on the 2005 version, your organization should present:
1) a management decision considering whether it is still relevant to be aligned with ISO 27001 practices after the standard's update (this can be part of the management review content)
2) if management has decided to maintain alignment, you should also provide a gap analysis between the organization's practices and the 2013 version of ISO 27001, the management decision about how to proceed considering the gap analysis findings (e.g., what practices to update, what to keep and what to discontinue), and the action plans regarding the changes deemed relevant.