Documents missing in toolkit

There is no template covering specifically vulnerability management because the standard does not require this control to be documented.

Please note that Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 because of the following reasons:

1. ISO 27001 does not require each and every control to be documented

2. If the toolkit had a document for each control, there would be too many documents, and this would be an overkill for smaller and mid-size companies.

Since our target are SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:

• All the mandatory documents - e.g., Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
• Documents that are not mandatory, but are commonly used - e.g. BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.

In case you identify you really need to apply control A.8.8 (Management of technical vulnerabilities), you can contact our support by email, or on scheduled online meeting (https://advisera.com/27001academy/consultation/), so one of our experts can help you on how to better evidence this control implementation.

For further information, see:

• How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/

I understand that but exception management and vulnerability management are the basic controls which we need to have a policy created.
Please help me with this.