ISO 27001 does not require writing a document for each control from Annex A - you can perform certain security activities without having a written policy or a procedure for it.

Further, you can document several Annex A controls together so that you do not have too many separate documents.

Examples:
- A company has decided not to write a policy or a procedure for control A.8.13 Information backup - in the Statement of Applicability it has specified which technology will be used for performing backup, and no further documents were needed.
- A company has decided to write an Access Control Policy that would cover several controls, including A.5.15 Access control, A.5.18 Access rights, A.8.2 Privileged access rights, A.8.4 Access to source code, etc.