I listened carefully to your presentation at the webinar. I think I heard what I expected.
I really wanted to know about the number of policies and the number of procedures required by Annex A of the standard. Standard 27002 is available for purchase, but I do not want to give about 200 euros just to read the answers to the above two questions. After that, I no longer need this standard. I'll just buy the 27001 when it comes out in March.
The table with the description of the new and merged controls from Annex A is useful to me. Thank you for it.
With wishes for successful work
ISO 27001 does not prescribe the number of policies or procedures to be written, so you can choose the approach that best fits your needs.
From the new set of ISO 27001 Annex A controls, only controls A.5.10 (Acceptable use of information and other associated assets), A.5.26 (Response to information security incidents), and A.5.31 (Legal, statutory, regulatory and contractual requirements) require documentation (but the standard does not specify that they need to be separate documents).
The main criteria to decide the number of documents to be written are their content (i.e., if each one covers similar purposes) and if by writing them this way they would not become documents too big to understand or read.
So, in this case, if a single document covering several controls becomes too big to use and manage, you should consider writing separate documents.
Regarding ISO 27002, please note that while it is not mandatory for the implementation of ISO 27001, it provides guidance and recommendations about how to implement the controls from Annex A (ISO 27001 Annex A only provides the requirements of the controls, not how to implement them).