My questions relate to the ISO 27001 policy and the standards and guidelines for implementation. I need to know if the documentation toolkit is inclusive of written policies and standards for implementation.
The A.12 Protection against Malware policy, for example, has the control objective of ensuring that detection, prevention and recovery controls should be implemented.
In my new organisation, the standards for implementing the Controls against Malware cover detection and prevention but make no mention of recovery. Do I include recovery controls in the standard?
Also, some policies overlap into different clauses, i.e. A16 Information Security Incident Management and A17 Information Security Aspects of Business Continuity. Should there be a single policy that is used to reference a similar control, or should there be different policies relating to the same subject?