ISMS system

1. We have put in place an isms system. We are yet to perform a gap assessment to evaluate how far we have progressed in the journey. To me, this is the time ( prior to gap assessment and then certification) to assess how much of what we have written is applicable i.e of relevance in context to changing business requirements, to organization appetite for investment, and then amend the isms to appear more practical.
Does the above mentioned is relevant?

Considering your stated status, I think you are referring to internal audit instead of gap assessment (these are different things):

• gap analysis is not mandatory in the ISO 27001, while the internal audit is.
• gap analysis is performed at the beginning of the project, while the internal audit is performed at the end
• gap analysis helps you understand what you already have implemented regarding the standard, while internal audit provides evidence that requirements are implemented and working, and that the ISMS is relevant to the organization and is achieving intended outcomes

For further information, see:

• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

These materials will also help you regarding internal audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• When there is any question about internal audit Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

2. What isms documents do the auditors look at?  Or to say which document is critical to iso certification

The certification auditor will look for all documents and records stated as mandatory by the standard, and those considered applicable by the organization (e.g., policies and procedures related to applied controls).

In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:

• Scope of the ISMS (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)
• Risk assessment and risk treatment methodology (clause 6.1.2)
• Statement of Applicability (clause 6.1.3 d)
• Risk treatment plan (clauses 6.1.3 e and 6.2)
• Risk assessment report (clause 8.2)
• Records of training, skills, experience, and qualifications (clause 7.2)
• Monitoring and measurement results (clause 9.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)

These articles will provide you a further explanation about documents required for certification and the certification audit:

• List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

These materials will also help you regarding the certification process:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
• ISO 27001/ISO 22301: The certification process [free webinar] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/