In this article we lay bare the ISO 27001 Clear Desk Policy: exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We also show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker, the ISO 27001 Ninja, and this is the ISO 27001 Clear Desk Policy.

What is a Clear Desk Policy?

A clear desk policy is one of the simplest ways to be compliant with basic information security. It is a simple way to protect your business, your customers, your employees and even yourself.

A clear desk policy is designed to make sure that confidential information is physically protected when not in use.

Clear Desk Policy Meaning

The meaning of the clear desk policy is to help your organization reduce the risk of information theft, fraud, or a security breach caused by confidential information being left unattended and visible in plain view.

The clear desk policy is about securing physical information and locking your screen when you are not at your desk.

Why we need a clear desk for employees and customers

Think about the kinds of confidential information you can have about your colleagues and customers. You may well have bank statements, customer order details, employee contracts and employee data: all the kinds of information that you use in your day-to-day job.

Then think to yourself: would I be happy if this was mine and someone took it?

Would I be happy if someone I did not know had my bank statements, or copies of the passport that I provided as part of my company onboarding process? How happy would I be if a complete stranger had my medical records?

It isn’t just the potential for embarrassment, or the breach of trust, or knowing that someone knows something deeply personal about you; it is also the risk of identity fraud.

These physical records, papers, contracts are important. They form the basis of our lives and they should be protected.

Why we need a clear desk policy for the organisation

Similar to personal data, there is a lot of organisational data that you probably don’t want bandied about willy-nilly.

It could be company bank statements, company payroll information or company pension information. Perhaps you have growth targets, or are considering redundancies. Maybe you have company formation documents or, and yes they do still exist, customer cheques waiting to be paid in. Maybe you have a payment terminal to allow you to take card payments over the phone.

There is a lot of organisational information that, in the wrong hands, could cause reputational damage, embarrassment, financial harm and even a breach of the law if not protected.

Clear Desk Policy Template

You can save over 4 hours of work with the pre-written, pre-populated Clear Desk Policy Template. The ultimate ISO 27001 clear desk policy, guaranteed.

The Top 5 Benefits of a Clear Desk Policy

There are many benefits to having a clear desk policy. Let’s explore the Top 5 Benefits of a Clear Desk Policy in this ultimate list:

  1. It protects your organisation by placing confidential information out of sight and out of reach when unattended.
  2. It encourages a tidy workspace, which can increase productivity.
  3. It ensures compliance with standards such as ISO 27001 and SOC 2.
  4. It is best practice in many organisations across the globe.
  5. It is good for the environment, as it encourages digital documents over physical printouts.

How to implement a clear desk policy in 3 simple steps

Whether you are going for ISO 27001 certification or just want to implement good practice, these 3 simple steps show you how to implement the policy; the next section then covers how to write it.

Implementing a clear desk policy is straightforward and, on the whole, common sense.

  1. Inform staff of where the policy is, encourage them to read it and test their understanding of what is required.
  2. Provide cross-cut shredders and lockable storage in offices, next to printers, and to home workers who need to print confidential information.
  3. Perform checks on a periodic basis by doing an office floor walk or a remote video call check.

How to write a clear desk policy

Assuming you do not want to save over 4 hours by downloading the clear desk policy template, this is the step-by-step approach to writing your own clear desk policy.

Time needed: 4 hours and 30 minutes

How to write the clear desk policy, step by step.

  1. Create your version control and document mark-up

    ISO 27001 documents require version control recording the author, the change, the date and the version, as well as document mark-up such as the document classification.

  2. Write the document purpose

    Write the purpose of the document. The purpose of this policy is to reduce the risks of unauthorised access to, loss of and damage to information during and outside normal working hours.

  3. Write the scope of the policy

    All company employees and external party users.
    Confidential information in electronic and paper form.
    Monetary items and associated resources.

  4. Write the principle on which the policy is based

    Clear desk and clear screen ensure that resources of value and confidential information are secured from unauthorised access, loss or damage when not in use.

  5. Write the content for the required sections

    Internal, Confidential and Critical Information
    Printers, Photocopiers and Reproduction Technology
    Cash, Cheques, Bank Cards, Payment Devices
    Media Disposal
    Desk Cleaning
    Policy Compliance
    Compliance Measurement
    Continual Improvement

Clear Desk Policy for Remote Workers

The clear desk policy template covers and applies to remote workers. If you are writing your own policy from scratch and not using the template, then you should consider that the same rules apply to remote workers. You set out the rules for securing confidential information and assets when not in use. This includes home offices, where locks on office doors and the use of lockable storage should be considered. Also take into account that, if you allow printing, a cross-cut shredder may need to be provided to allow secure destruction of data.

If computer devices or sensitive documents like contracts are to be stored at a home location because there is no office or storage, consider restricting this to just one person and putting in place additional physical security controls that take into account the nature of what is being stored.

Often when people leave they return devices, which can be a problem when there is no central location to return them to. We would encourage a process that remotely wipes the device before it is transported and stored, which reduces the information security risk.

Clear Desk Policy Mapped to ISO 27001

The requirement for clear desk and clear screen in ISO 27001 is covered in ISO 27001:2022 Annex A Control 7.7 Clear Desk and Clear Screen. You can also consider it in the context of ISO 27001:2022 Annex A Control 6.7 Remote Working. For a more detailed guide on remote working you can read the ISO 27001 Mobile And Remote Working Policy Beginner’s Guide.

Clear Desk Policy FAQ

Why do we have a clear desk policy?

A clear desk policy is in place to provide guidance on what people should do when it comes to their desks either at home or at the office. It is not about cleaning but it is about making sure that important information and devices are secured when not in use. We do not want to leave them on desks when unattended.

Do I have to clean my desk?

You don’t HAVE to but keeping a clean and tidy desk can reap productivity benefits.

What should I do with confidential data and devices when I am not at my desk?

Secure them, ideally in lockable storage. Keeping them in a room that can be locked is also advisable. In basic terms, don’t leave them where people can easily take them.

Do I need a clear desk policy for ISO 27001 certification?

Yes. Physical security is a requirement of the ISO 27001 certification and ISO 27001 standard and you will need to implement a clear desk policy.

How long will it take to write a clear desk policy from scratch?

It would take just over 4 hours to research and write a clear desk policy from scratch.

What does a clear desk policy include?

A clear desk policy includes guidance on what to do with physical assets and physical copies of data that need protecting. As a rule this is confidential information. It sets out what should be done.

Who does the clear desk policy apply to?

The clear desk policy applies to all staff and third parties that work in and for your organisation.

How often do I review the clear desk policy?

The clear desk policy is reviewed at least annually and also when significant change occurs.

Who approves the clear desk policy?

The clear desk policy is approved and signed off by the management review team.

What is the clean desk policy for remote workers?

The clean desk policy applies to remote workers. It ensures that remote workspaces are kept clear of confidential information and that information is secured when not in use. This applies to home offices as well as other remote working locations.

Do I need a clear desk policy PDF?

Your clear desk policy can be in whatever format works for your organisation. The benefits of a clear desk policy PDF are mainly that it cannot easily be altered and that it gives you flexibility in who you distribute it to.

What other policy should I consider as well as the clear desk policy?

A companion policy to the clear desk policy is the physical and environmental security policy.