Answer: In general, the information you have to gather to evidence a control implementation that is compliant with ISO 27001 is:
1. Risk treatment plan (clauses 6.1.3 e and 6.2), to evidence what was planned for the control implementation (e.g., policies, procedures, training, etc.). If the control being implemented is part of ISO 27001 Annex A, you have to be sure the mandatory documents defined there are included as deliverables of the plan
2. Records of training, skills, experience and qualifications (clause 7.2), to evidence that people performing the control are competent to do so
3. Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3), to provide information to be evaluated and trigger other related controls (e.g., incident response)
4. Monitoring and measurement results (clause 9.1), to evidence the control is actually working
5. Results of internal audits (clause 9.2), to evidence independent evaluation of the implemented control
6. Results of the management review (clause 9.3), to evidence management follow-up of the risk treatment plan and the control results
7. Results of corrective actions (clause 10.1), to evidence improvement
Additionally, you need to have all the records prescribed by your own documentation as well.
2 - For the training and awareness program, can people outside the organization or the unit for which ISMS is being undertaken attend?
Answer: Yes, they can - as long as the awareness or training activities do not include confidential information or any other information the organization considers cannot be shared with external people.