I have a question - must a team have documented processes to comply with ISO 27001? In other words, if during an audit you come across a team that has not documented their processes, is that a non conformity?
Please note that ISO 27001 does not require all processes included in the ISMS scope to be documented. Unless a process is specifically required by the standard (e.g. Risk assessment and risk treatment process in clause 6.1.2), or the organization states that it needs to be documented, then you do not need to document it.