Answer: For certification purposes, you should wait until all mandatory policies and procedures have been implemented, and at least a couple of mandatory records have been generated, so you have enough evidence to verify whether the ISMS is properly implemented and working. The precise time frame will depend on the duration of the cycles of the process included in the ISMS scope.
2. I have documented the policy. Am I eligible to perform an internal audit? I am pursuing my MBA in information security.
Answer: The main criteria to perform an internal audit are competence, by means of knowledge (e.g., certificates), education (e.g., training) or experience (e.g., records of previously performed audits), and impartiality (an auditor cannot audit his own work). Considering that, if you can demonstrate that you have the necessary competence, and you do not audit your own work, you can perform an internal audit.
3. Do I need to document the Access Control Policy separately from the ISMS policy (A.9.1.1), or do I just need to mention it in the ISMS itself? What are the mandatory operating procedures apart from incident management and change management?
Answer: Although ISO 27001 allows merging documents, the ISMS Policy is a high-level document (to be used for the whole organization), while the remaining policies, like the Access Control Policy, are considered operational policies (to be used by specific areas or processes), so we do not recommend merging them into a single document, because this document would become unnecessarily big and difficult to read and manage.
The same applies to procedures which have different purposes (if they become too big, they should be created as separate documents).