ISO 27001 Clear Desk Policy: Ultimate Guide


Introduction

In this ultimate guide I show you everything you need to know about the ISO 27001 Clear Desk Policy and exactly what you need to do to satisfy it in order to gain ISO 27001 certification.

We will get to grips with what clear desk is, understand why organisations need a Clear Desk and Clear Screen Policy, show you how to write one, and let you in on the trade secrets that will save you hours of time and effort, simply by using this template.

What is a Clear Desk Policy?

The ISO 27001 Clear Desk Policy sets out the guidelines and framework for how you protect physical information and high-value tangible, real-world assets.

A clear desk policy is one of the simplest ways to meet a basic information security requirement. It is a simple way to protect your business, your customers, your employees and even yourself.

A clear desk policy is designed to make sure that confidential information is physically protected when not in use.

ISO 27001 Clear Desk Policy Template

The ISO 27001 Clear Desk Policy Template is pre-written and ready to go. It is part of the Ultimate ISO 27001 Toolkit but is also available to download standalone. The benefit of the template is that it will save you time and reflects proven best practice.

What is the Purpose of the ISO 27001 Clear Desk Policy?

The purpose of the ISO 27001 Clear Desk Policy is to reduce the risk of unauthorised access to, loss of, and damage to information during and outside normal working hours.

What is the ISO 27001 Clear Desk Policy Principle?

Physical information should be locked away and secured when not in use.

Clear desk and clear screen ensure that resources of value and confidential information are secured when not in use.

Clear Desk Policy Meaning

The meaning of the ISO 27001 Clear Desk Policy is to help your organisation reduce the risk of information theft, fraud, or a security breach caused by confidential information being left unattended and visible in plain view.

The ISO 27001 Clear Desk Policy is about securing physical information and locking your screen when you are not at your desk.


Why we need a clear desk for employees and customers

Think about the kinds of confidential information you can have about your colleagues and customers. You may well have bank statements, customer order details, employee contracts and employee data: all the kinds of information that you use in your day-to-day job.

Then ask yourself: would I be happy if this were mine and someone took it?

Would I be happy if someone I did not know had my bank statements, or copies of the passport that I provided as part of my company onboarding process? How happy would I be if a complete stranger had my medical records?

It isn't just the potential for embarrassment, or the breach of trust, or knowing that someone knows something deeply personal about you; it is also the risk of identity fraud.

These physical records, papers and contracts are important. They form the basis of our lives and they should be protected.

Why we need a clear desk policy for the organisation

As with personal data, there is a lot of organisational data that you probably don't want bandied about freely.

It could be company bank statements, company payroll information or company pension information. Perhaps you have growth targets, or are considering redundancies. Maybe you have company formation documents or, and yes they do still exist, customer cheques waiting to be paid in. Maybe you have a payment terminal to allow you to take card payments over the phone.

There is a lot of organisational information that, in the wrong hands, could cause reputational damage, embarrassment, financial harm and even a breach of the law if it is not protected.

The Top 5 Benefits of a Clear Desk Policy

There are many benefits to having a clear desk policy. Let's explore the Top 5 Benefits of a Clear Desk Policy in this ultimate list:

  1. It protects your organisation by placing confidential information out of sight and out of reach when unattended
  2. It encourages a tidy workspace, which can increase productivity
  3. It supports compliance with standards such as ISO 27001 and SOC 2
  4. It is established best practice in many organisations across the globe
  5. It is good for the environment, as it encourages digital documents over physical printouts

What should ISO 27001 Clear Desk Policy Contain?

The ISO 27001 Clear Desk Policy is required to be presented in a certain way. What we mean by that is that the policy is expected to carry certain document markup. Document markup is just a fancy term for having certain information on the policy. It will need version control, a version number, an owner and an information security classification. An example ISO 27001 Clear Desk Policy table of contents would look something like this:

  • Document Version Control
  • Document Contents Page
  • Clear Desk and Clear Screen Policy
  • Purpose
  • Scope
  • Principle
  • Internal, Confidential and Critical Information
  • Printers, Photocopiers and Reproduction Technology
  • Cash, Cheques, Bank Cards, Payment Devices
  • Media Disposal
  • Desk Cleaning
  • Pop-ups and Notifications
  • Policy Compliance
  • Compliance Measurement
  • Exceptions
  • Non-Compliance
  • Continual Improvement
  • Areas of the ISO 27001 Standard Addressed

How to write a clear desk policy

It can be straightforward to write an ISO 27001 Clear Desk Policy. These are the steps that you would take.

Time needed: 4 hours and 30 minutes

How to write the clear desk policy in a step by step guide.

  1. Create your version control and document mark-up

    ISO 27001 documents require version control recording the author, the change, the date and the version, as well as document markup such as the document classification.

  2. Write the document purpose

    Write the purpose of the document. The purpose of this policy is to reduce the risk of unauthorised access to, loss of, and damage to information during and outside normal working hours.

  3. Write the scope of the policy

    The scope of this policy is:
    • All company employees and external party users.
    • Confidential information in electronic and paper form.
    • Monetary items and associated resources.

  4. Write the principle on which the policy is based

    Clear desk and clear screen ensure that resources of value and confidential information are secured from unauthorised access, loss or damage when not in use.

  5. Write the policy content

    Set out the framework and what you do for clear desk under the following headings:
    • Internal, Confidential and Critical Information
    • Printers, Photocopiers and Reproduction Technology
    • Cash, Cheques, Bank Cards, Payment Devices
    • Media Disposal
    • Desk Cleaning

  6. Communicate the clear desk policy to appropriate staff

    As part of your required communication plan, consider the different ways and timings that are appropriate for you to communicate the clear desk policy. Make sure it is stored somewhere that people can easily access at any time, and check that they can in fact access it.

  7. Get evidence that the staff have accepted the clear desk policy

    Using your acceptance methodology, get staff to confirm that they have read and understood the policy and accept its terms. Maintain evidence of this for future audit and any potential disciplinary process.

  8. Manage Exceptions

    There may be things that cannot be secured for business or technical reasons. These should be identified, recorded, agreed and managed via risk management, with effective compensating controls in place.

ISO 27001 Clear Desk Policy Example

You can view the example ISO 27001 Clear Desk Policy PDF and see an example below:

How to implement a clear desk policy in 3 simple steps

Whether you are going for ISO 27001 certification or just want to implement good practice, these 3 simple steps will show you how to implement the policy; the previous section showed how to write it.

Implementing a clear desk policy is straightforward and, on the whole, common sense.

  1. Inform staff of where the policy is, encourage them to read it and test their understanding of what is required.
  2. Provide cross-cut shredders and lockable storage in offices, next to printers, and to home workers who need to print confidential information.
  3. Perform checks on a periodic basis by doing an office floor walk or a remote video call check.

Clear Desk Policy for Remote Workers

The clear desk policy template covers and applies to remote workers. If you are writing your own policy from scratch and not using the template, then you should consider that the same rules apply to remote workers. You set out the rules for securing confidential information and assets when not in use. This includes home offices, where locks on office doors and the use of lockable storage should be considered. Also take into account that, if you allow printing, a cross-cut shredder may need to be provided to allow secure destruction of data.

If computer devices or sensitive documents such as contracts are to be stored at a home location because there is no office or storage, consider restricting this to just one person and putting in place additional physical security controls that take into account the nature of what is being stored.

When people leave, returning devices can be a problem if there is no central location to return them to. We would encourage a process that performs a remote wipe before the device is transported and stored, which will reduce the information security risk.

Clear Desk Policy Mapped to ISO 27001

The ISO 27001 Clear Desk Policy satisfies the following ISO27001 Clauses and ISO27001 Annex A Controls:

For a more detailed guide on remote working you can read the ISO 27001 Mobile And Remote Working Policy Beginner’s Guide.

Who is responsible for the ISO 27001 Clear Desk Policy?

The clear desk policy is the responsibility of the Chief Operating Officer (COO) or the person in charge of business operations.

What are examples of a violation of ISO 27001 Clear Desk Policy?

Examples of where the policy can fail or violations of the clear desk policy can include:

  1. Leaving computers logged in when you are not at your desk
  2. Leaving confidential information on a desk overnight
  3. Leaving cheques or cash unattended on a desk or in an open, unlocked office
  4. Leaving a payment machine unattended
  5. Leaving confidential printouts on or next to a printer
  6. Leaving old computers unattended or in an open, unlocked space
  7. Leaving old hard drives or storage media on a desk unattended
  8. Keeping confidential information in drawers or cupboards but not locking them

What are the consequences of violating the ISO 27001 Clear Desk Policy?

The main consequence would be theft or loss of information or assets. This could lead to legal and regulatory fines, loss of data, loss of revenue, loss of reputation and loss of customers.

How do you monitor the effectiveness of the ISO 27001 Clear Desk Policy?

The approaches to monitoring the effectiveness of clear desk management include:

  1. Doing periodic checks of offices and spaces out of hours
  2. Doing periodic checks of offices and spaces during normal business hours
  3. Internal audit of the clear desk process
  4. External audit of the clear desk process

ISO 27001 Clear Desk Policy FAQ

Why do we have a clear desk policy?

A clear desk policy is in place to provide guidance on what people should do when it comes to their desks, whether at home or in the office. It is not about cleaning; it is about making sure that important information and devices are secured when not in use. We do not want to leave them on desks when unattended.

Do I have to clean my desk?

You don’t HAVE to but keeping a clean and tidy desk can reap productivity benefits.

What should I do with confidential data and devices when I am not at my desk?

Secure them, ideally in lockable storage. Keeping them in a room that can be locked is also advisable. In basic terms don’t leave them where people can easily take them.

Do I need a clear desk policy for ISO 27001 certification?

Yes. Physical security is a requirement of the ISO 27001 certification and ISO 27001 standard and you will need to implement a clear desk policy.

How long will it take to write a clear desk policy from scratch?

It would take just over 4 hours to research and write a clear desk policy from scratch.

What does a clear desk policy include?

A clear desk policy includes guidance on what to do with physical assets and physical copies of data that need protecting. As a rule this is confidential information. It sets out what should be done.

Who does the clear desk policy apply to?

The clear desk policy would apply to all staff and third parties that work in and for your organisation.

How often do I review the clear desk policy?

The clear desk policy is reviewed at least annually and also when significant change occurs.

Who approves the clear desk policy?

The clear desk policy is approved and signed off by the management review team.

What is the clean desk policy for remote workers?

The clean desk policy applies to remote workers. It ensures that remote work spaces are kept clear of confidential information and that information is secured when not in use. This applies to home offices as well as remote working locations.

Do I need a clear desk policy PDF?

Your clear desk policy can be in whatever format works for your organisation. The benefits of a clear desk policy PDF are mainly that it cannot easily be altered and that it gives you flexibility in who you distribute it to.

What other policy should I consider as well as the clear desk policy?

A companion policy to the clear desk policy is the physical and environmental security policy.