Cryptographic Policy

Please note that not all ISO 27001 Annex A controls require policies or procedures to be documented as part of their implementation, and cryptographic controls are one of those controls that do not need to be documented.  Considering that, first you should verify if there are any legal requirements (e.g., law, regulation, or contract) your organization must comply to, requiring this policy to be documented. In case there are no such legal requirements, then you should politely ask the auditor for clarification about why he considers documenting this policy to be mandatory, explaining that you did not find reasons to document the policy (i.e., legal requirements demanding its documentation).

These articles will provide you a further explanation about documentation and auditors:

• 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
• Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/ 

This material will also help you regarding auditing:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/