I am implementing ISO 27001:2013 standard for a client in ***.
My client has outsourced the ISO 27001:2013 policy development to an external consultant, and since the documentation is procured, all policy document has the external consultant name as the "Author". The policies are reviewed and approved by the client's CISO and Management representative.
Does this comply with
7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
The external auditor has raised an objection for having an external consultant as the author of the policy.
Appreciate your inputs on the same.