ISO 27001 does not require writing a document for each control from Annex A:
- You can perform security activities related to a particular control without having a written policy or a procedure for it - in that case, the certification auditor will be able to verify the compliance with such a control in the following way: (a) by checking various records that are created and/or (b) by performing interviews with people included in those activities.
- You can document several Annex A controls together so that you do not have too many separate documents. The key is to ensure that the necessary security measures are implemented and that evidence can be provided to demonstrate compliance. It is important to focus on the effectiveness of the controls rather than just the documentation.

Examples:
- A company has decided not to write a policy or a procedure for control A.8.13 Information backup - in the Statement of Applicability it has specified which technology will be used for performing backup, and no further documents were needed.
- A company has decided to write an Access Control Policy that would cover several controls, including A.5.15 Access control, A.5.18 Access rights, A.8.2 Privileged access rights, A.8.4 Access to source code, etc.