Implementing controls
I’m assuming you are referring to control A.12.2.1 (Controls against malware).
Regarding ISO 27002, the elements described are recommendations, not controls.
In other words, what is written in ISO 27002 is not mandatory for the implementation.
ISO 27001 does not prescribe how to implement controls, and you only need to implement the recommendations from ISO 27002 for which you have identified relevant risks or applicable legal requirements. In other words, if control A.12.2.1 is applicable for you, then depending on the results of the risk assessment and the identified legal requirements, you may need to implement only one or all twelve of the recommendations defined for this control.
This article will provide you with a further explanation about handling malware:
- How can ISO 27001 help protect your company against ransomware? https://advisera.com/27001academy/blog/2016/11/14/how-can-iso-27001-help-protect-your-company-against-ransomware/
Should all controls in ISO 27001 be made into policies? E.g., for A.7 Human Resource Security, the controls are A.7.1.1 Screening, A.7.1.2 Terms and conditions of employment, etc. Should policies be created out of all these controls?
First, it is important to note that only controls deemed applicable due to the results of the risk assessment and applicable legal requirements need to be implemented. So, depending on the organizational context, not all controls from ISO 27001 Annex A may need to be implemented.
For those controls deemed applicable, not all of them may need to be included in policies or procedures.
These articles will provide you with a further explanation about documenting controls:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
Oct 13, 2021