I'm having on how to rewrite our internal policies so that we can get ISO27001 certified. The main issue I'm having is deciding how detailed our policy needs to be. Basically, what are the minimum requirements to achieve compliance? For example, ISO27002, 11.2.8 unattended user equipment. We already automatically lock workstations after 5 minutes through group policy. Is that enough to comply with part a)? I'm worried that if I make the policies too detailed, we won't be able to have evidence for everything and we'll get struck with a non-conformity when we fail to present evidence. Going off the same example I gave you, is it simply showing the auditor that we've configured our group policy to do that enough evidence? Or will they ask for evidence in the form of logs? Something else that interests me is how to deal with remote employees when rewriting our policies? How do we enforce a clear desk policy if they're working from home?