Policy author

ISO 27001 does not prescribe that documents' author must be part of the organization, so by the standard the fact that the author is an external consultant is not a problem.

The auditor's concern may be related to the fact that an external consultant generally does not have deep knowledge of an organization to properly develop the documents.

In this case, you need to ensure that documents are evaluated and approved by personnel with the proper competencies to do that, so they can validate that the documents fulfill the needs of the organization. For example, the Information security policy must be evaluated and approved by the CISO and Top manager of the ISMS scope (e.g., the CEO if the scope is all the organization or the department head if the scope is limited to a single department), and IT-related policies (e.g., backup policy; IT procedures, etc.) need to involve the IT manager.

Provided that personnel from the organization with proper competencies are involved in the review and approval of documents, it should not be a problem who is writing them.

This article will provide you a further explanation about creating documents:

• 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
• How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/

This material will also help you regarding creating documents:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/