ISO 27001 Clear Desk Policy Beginner’s Guide

Home / ISO 27001 Templates / ISO 27001 Clear Desk Policy Beginner’s Guide

ISO 27001 Clear Desk Policy
ISO 27001 Clear Desk Policy Template
ISO 27001 Clear Desk Policy Example
How to write a clear desk policy
What should ISO 27001 Clear Desk Policy Contain?
How to implement a clear desk policy in 3 simple steps
Clear Desk Policy for employees and customers
Clear Desk Policy for the organisation
Clear Desk Policy for remote workers
ISO 27001 Clear Desk Policy FAQ
Further Reading

ISO 27001 Clear Desk Policy

The ISO 27001 Clear Desk Policy sets out the guidelines and framework for how you protect physical information and high value tangible, real world assets.

A clear desk policy is one of the simplest ways to be compliant with basic information security. It is a simple way to protect your business, your customers, your employees and even yourself.

A clear desk policy is designed to make sure that confidential information is physically protected when not in use.

ISO 27001 Clear Desk Policy Template

The ISO 27001 Clear Desk Policy Template is pre written and ready to go. As part of the Ultimate ISO 27001 Toolkit but uniquely available to download standalone. The benefit of the template is that it will save you time and is proven best practice.

ISO 27001 Clear Desk and Clear Screen Policy Template

DO IT YOURSELF ISO 27001

All the templates, tools, support and knowledge you need to do it yourself.

The Ultimate ISO 27001 Toolkit

ISO 27001 Clear Desk Policy Example

The following is the ISO 27001 clear desk policy example.

How to write a clear desk policy

It can be straight forward to write an ISO 27001 Clear Desk Policy . These are the steps that you would take.

Time needed: 4 hours and 30 minutes

How to write the clear desk policy in a step by step guide.

Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
Write the document purpose
Write the purpose of the document. The purpose of this policy is to reduces the risks of unauthorised access, loss of and damage to information during and outside normal working hours.
Write the scope of the policy
The scope of this policy is:
All company employees and external party users.
Confidential information in electronic and paper form.
Monetary items and associated resources.
Write the principle on which the policy is based
Clear desk and clear screen are ensuring that resources of value and confidential information are secured from unauthorised access, loss, or damage when not in use.
Write the policy content
Set out the framework and what you do for clear desk under the following headings:
Internal, Confidential and Critical Information
Printers, Photocopiers and Reproduction Technology
Cash, Cheques, Bank Cards, Payment Devices
Media Disposal
Desk Cleaning
Communicate the clear desk policy to appropriate staff
Consider as part of your required communication plan the different ways and timings that are appropriate to you to communicate the clear desk policy. Make sure it is stored somewhere that people can easily access it at any time and that they can, indeed, access it.
Get evidence that the staff have accepted the clear desk policy
Using your acceptance methodology get staff to accept that they have read and understand the policy and accept its terms. Maintain evidence of this for future audit and potential disciplinary process.
Manage Exceptions
There may be things that cannot be secured for business or technical reasons. These should be identified, recorded, agreed and managed via risk management with effective compensating controls in place.

What should ISO 27001 Clear Desk Policy Contain?

The ISO 27001 Clear Desk Policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document mark up is just a fancy words for having certain information on the policy. It will need version control, a version number, an owner, an information security classification. An example ISO 27001 Clear Desk Policy table of contents would look something like this:

Document Version Control
Document Contents Page
Clear Desk and Clear Screen Policy
Purpose
Scope
Principle
Internal, Confidential and Critical Information
Printers, Photocopiers and Reproduction Technology
Cash, Cheques, Bank Cards, Payment Devices
Media Disposal
Desk Cleaning
Pop-ups and Notifications
Policy Compliance
Compliance Measurement 
Exceptions 
Non-Compliance 
Continual Improvement
Areas of the ISO 27001 Standard Addressed

How to implement a clear desk policy in 3 simple steps

Whether you are going for ISO 27001 certification or just wanting to implement good, best practice these 3 simple steps will show you how to implement the policy followed in the next section with how to write it.

Implementing a clear desk policy is straight forward, and on the whole, is common sense.

Inform staff of where the policy is, encourage them to read it and test their understanding of what is required.
Provide cross cut shredders and lockable storage in office’s, next to printers and to home workers that need to print confidential information
Perform checks on a periodic basis by doing an office floor walk or remote video call check

Clear Desk Policy for employees and customers

Think about the kinds of confidential information you can have about your colleagues and customers. You may well have bank statements, customer order details, employee contracts, employee data. All the kind of information that you use in your day to day job.

Then think to yourself, would I be happy if this was mine and someone took it.

Would I be happy if someone I did not know had my bank statements, or copies of my passport that I used as part of my company on boarding process. How happy would I be if a complete stranger had my medical records.

It isn’t just the potential for embarrassment, or that breach of trust, or knowing someone knows something deeply personal about you but it is also the risk posed to identity fraud.

These physical records, papers, contracts are important. They form the basis of our lives and they should be protected.

Clear Desk Policy for the organisation

Similar to personal data there is a lot of organisational data that you probably don’t want banded about willy nilly.

It could be company banks statements, company payroll information, company pension information. Perhaps you have growth targets, or are considering redundancies. Maybe you have company formation documents or, and yes they do still exist, customer cheques waiting to be paid in. Maybe you have a payment terminal to allow you take card payments over the phone.

There is a lot of organisation information that in the wrong hands could cause repetitional damage, embarrassment potentially, financial harm and even break the law if not protected.

Clear Desk Policy for remote workers

The clear desk policy template covers and applies to remote workers. If you are writing your own policy from scratch and not using the template then you should consider that the same rules apply to remote workers. You set out the rules for securing confidential information and assets when not in use. This includes home offices where locks on offices should be considered and the use of lockable storage. Also take into account if you allow printing that a cross cut shredder may need to be provided to allow secure destruction of data.

If computer devices or sensitive documents like contracts are to be stored at a home location due to no office or storage consider restricting this to just one person and putting in additional physical security controls that takes into account the nature of what is being stored.

Often when people leave they return devices which can be a problem with no central location. We would encourage a process that does a remote wipe before the device is transported and stored which will reduce the information security risk.

ISO 27001 Clear Desk Policy FAQ

Why do we have a clear desk policy?

A clear desk policy is in place to provide guidance on what people should do when it comes to their desks either at home or at the office. It is not about cleaning but it is about making sure that important information and devices are secured when not in use. We do not want to leave them on desks when unattended.

What it the ISO 27001 Clear Desk Policy Principle?

Physical information should be locked away and secured when not in use.
Clear desk and clear screen are ensuring that resources of value and confidential information are secured when not in use.

What is the Purpose of the ISO 27001 Clear Desk Policy?

The purpose of the ISO 27001 Clear Desk Policy is reduce the risk of unauthorised access, loss of and damage to information during and outside normal working hours.

Who is responsible for the ISO 27001 Clear Desk Policy?

The clear desk policy is the responsibility of the Chief Operating Officer (COO) or the person in charge of business operations.

What are the benefits of an ISO 27001 clear desk policy?

It protects your organisation by placing that confidential information out of sight and out of reach when unattended
It encourages a tidy work space that can increase productivity
It ensures compliance with standards such as ISO 27001 and SOC 2
It is best practice in many organisations across the globe
It is good for the environment as it encourages digital documents over physical print outs

Do I have to clean my desk?

You don’t HAVE to but keeping a clean and tidy desk can reap productivity benefits.

What should I do with confidential data and devices when I am not at my desk?

Secure them, ideally in lockable storage. Keeping them in a room that can be locked is also advisable. In basic terms don’t leave them where people can easily take them.

Do I need a clear desk policy for ISO 27001 certification?

Yes. Physical security is a requirement of the ISO 27001 certification and ISO 27001 standard and you will need to implement a clear desk policy.

How long will it take to write a clear desk policy from scratch?

It would take just over 4 hours to research and write a clear desk policy from scratch.

Would does a clear desk policy include?

A clear desk policy includes guidance on what to do with physical assets and physical copies of data that need protecting. As a rule this is confidential information. It sets out what should be done.

Who does the clear desk policy apply to?

The clear desk policy would apply to all staff and third parties that work in and for your organisation.

How often do I review the clear desk policy?

The clear desk policy is reviewed at least annually and also when significant change occurs.

Who approves the clear desk policy?

The clear desk policy is approved and signed off by the management review team.

What is the clean desk policy for remote workers?

The clean desk policy applies to remote workers. It ensures that remote work spaces are kept clear of confidential information and that information is secured when not in use. This applies to home offices as well as remote working locations.

Do I need a clear desk policy PDF?

Your clear policy can be in whatever format works for your organisation. There are benefits to a clear desk policy PDF that are mainly about making sure that it cannot be altered and giving flexibility in who you distribute it to.

What other policy should I consider as well as the clear desk policy?

A companion policy to the clear desk policy is the physical and environmental security policy.

What are examples of a violation of ISO 27001 Clear Desk Policy?

Examples of where the policy can fail or violations of the clear desk policy can include:
Leaving computers logged in when you are not at your desk
Leaving confidential information on a desk overnight
Leave cheques or cash unattended on a desk or in an open unlocked office
Having a payment machine left unattended
Leaving confidential printouts on a printer or next to a printer
Leaving old computers unattended or in an open unlocked space
Having old hard drives or storage media left on a desk unattended
Having confidential information in draws or cupboards but not locking them

What are the consequences of violating the ISO 27001 Clear Desk Policy?

The main consequence would be theft and loss of information or asset. This could lead to legal and regulatory fines, loss of data, loss of revenue, loss of reputation and loss of customers.

How do you monitor the effectiveness of the ISO 27001 Clear Desk Policy?

The approaches to monitoring the effectives of clear desk management include:
Doing periodic checks of offices and spaces out of hours
Doing periodic checks of offices and spaces during normal business hours
Internal audit of the clear desk process
External audit of the clear desk process

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.