Expert Advice Community

Toolkit's content

Guest user Created:   Nov 28, 2018 Last commented:   Nov 28, 2018

I was trying to do an Excel file with all mandatory files and so on, to have documentation under control as much as possible, and a few questions arise mainly because I have two lists from the documentation toolkit and they somehow collide, and also regarding names of documents. Basically my doubts arise from the differences between the documents called List_of_documents_ISO_27001_Documentation_Toolkit_EN (which I will call LoD) and Checklist_of_Mandatory_Documentation_Required_by_ISO_27001_2013 (which I will call CoM). Someone said once that a man with a watch knows the time, but a man with two watches doesn't. Which document is the right one?

Expert
Rhand Leal Nov 28, 2018

Some of the questions may seem obvious, sorry about that. I'll list them so I think it'll be easier to address:
- Any document that is related to a control, marked with “*” in the LoD, is only mandatory if such control applies, right?
- Access control policy; why is it mandatory in CoM but depends on whether the control is applicable in LoD?
- 8.A.8 Acceptable use of Assets (CoM) is Acceptable use policy (LoD)?
- A.12 Any difference between Operating procedure for IT management and Operating procedure for ICT?
- 8.A.14 Secure System Engineering principles (+ Appendix) in the Checklist, is this one the same as Secure Development Policy (+ appendix) template from the toolkit? I guess, but just to make sure.
- 8.A.15 Supplier Security Policy; this one is not checked as mandatory in the LoD, but the Annex is (only if a control applies) and it is also in the CoM?
- 8.A.17 Disaster Recovery Plan (LoD) is Business Continuity Procedures (CoM), right?
- Definition of security roles and responsibilities (CoM); is this in Template 02 in the toolkit or somewhere else?

Answer:

The general answer for your question is always to follow the content of your toolkit, in this case the list of documents file (LoD), because it is the most updated version considering the standard's requirements and templates content.

Regarding your specific questions:

- Any document that is related to a control, marked with “*” in the LoD, is only mandatory if such control applies, right?
Answer: Yes, your understanding is correct

- Access control policy; why is it mandatory in CoM but depends on whether the control is applicable in LoD?
Answer: If you read the article again, you will see in the first paragraph of the section "Mandatory documents and records required by ISO 27001:2013" a note informing that "...documents from Annex A are mandatory only if there are risks which would require their implementation.)". So, in both documents the Access Control Policy depends on whether the control is applicable.

- 8.A.8 Acceptable use of Assets (CoM) is Acceptable use policy (LoD)?
Answer: These titles refer to the same template. Please consider the information in the list of documents file of your toolkit as the most updated.

- A.12 Any difference between Operating procedure for IT management and Operating procedure for ICT?
Answer: No differences.

- 8.A.14 Secure System Engineering principles (+ Appendix) in the Checklist, is this one the same as Secure Development Policy (+ appendix) template from the toolkit? I guess, but just to make sure.
Answer: Secure System Engineering principles is one topic in the Secure Development Policy, which covers other controls, like Identification of security requirements.

- 8.A.15 Supplier Security Policy; this one is not checked as mandatory in the LoD, but the Annex is (only if a control applies) and it is also in the CoM?
Answer: Please consider it as not mandatory as listed in the list of documents file of your toolkit.

- 8.A.17 Disaster Recovery Plan (LoD) is Business Continuity Procedures (CoM), right?
Answer: The Disaster Recovery Plan template can be used to cover the controls related to Business Continuity Procedures in small and medium-sized organizations. In some organizations, their requirements may define the development of additional documents.

- Definition of security roles and responsibilities (CoM); is this in Template 02 in the toolkit or somewhere else?
Answer: General roles and responsibilities can be defined in the Information Security Policy, while specific responsibilities and roles are described throughout all templates.
