Answer: Our toolkits focus on small and mid-size companies, and that's the reason we do not write documents to cover each control – for those companies, this large number of documents would be overkill. Instead, a single template may cover multiple controls and requirements.
The controls from section A.5 Information security policies are covered in many policies provided in the toolkit (e.g., Information security policy, Access control policy, Acceptable use policy, Backup policy, etc.), and the control related to their review is implemented in the Management Review Minute template (one input is the review of items that can impact the ISMS, such as policies).
The controls from section A.18 Compliance are covered in the following documents: Procedure for Identification of Requirements, and List of Legal, Regulatory, Contractual and Other Requirements – you'll find them in folder 02 "Procedure for identification of requirements".
In the root folder of the toolkit you'll find a document called “List of Documents” which will explain which control is covered by which document.
But these are the only 2 groups missing? That answer doesn't really make sense in that context - why are those 2 specific control groups missing? I would like a more detailed explanation of why, out of 14 groups, those 2 were deemed worth leaving out. This is labelled as expert advice! Thanks.
The documents from sections A.5 and A.18 are not missing from the toolkit - you can find them here:
- A.5 - all the documents from folder "08_Annex_A" cover the requirements about information security policies (A.5.1.1) and review of the policies (A.5.1.2)
- A.18 - these documents are covered in the toolkit in folder "02 Procedure for identification of requirements"
By the way, the ISO 27001 Documentation Toolkit is sold in more than 100 countries worldwide, and we have never received a complaint that some document was missing.