SoA and selection of control A.11.2.9 Clear desk and clear screen policy

1. How much there is room for modifying the procedure concerning the control, if there is only need for the clear screen policy but no need for a clear desk policy?

The templates are fully editable, so you can modify them freely to fulfill your needs.

2. Can one select the control as applicable on SoA and then write procedure concerning only the clear screen policy (or if required adapt the clear desk policy only concerning specific areas such as conference rooms, reception area, etc.?

In a situation where you do not have relevant risks or legal requirements (e.g., laws, regulations, or contracts) related to the clear desk, you can write a procedure only related to a clear screen.

You also can adapt the policy to have only a separate clear desk policy covering specific areas.

But please note that separating the clear desk and clear screen in different policies does not make much sense and may add unnecessary administrative work to maintain both policies (most probably the places where you have information on both electronic and physical media will have sensitive information on both media, which can be treated by a single policy).

This article will provide you a further explanation about the clear desk and clear screen:

• Clear desk and clear screen policy – What does ISO 27001 require? https://advisera.com/27001academy/blog/2016/03/14/clear-desk-and-clear-screen-policy-what-does-iso-27001-require/