In this article we lay bare the ISO 27001 Clear Desk Policy, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We also show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker, the ISO 27001 Ninja, and this is the ISO 27001 Clear Desk Policy.
Table of contents
- What is a Clear Desk Policy?
- Clear Desk Policy Meaning
- Why we need a clear desk for employees and customers
- Why we need a clear desk policy for the organisation
- Clear Desk Policy Template
- The Top 5 Benefits of a Clear Desk Policy
- How to implement a clear desk policy in 3 simple steps
- How to write a clear desk policy
- Clear Desk Policy for Remote Workers
- Clear Desk Policy Mapped to ISO 27001
- Clear Desk Policy FAQ
What is a Clear Desk Policy?
A clear desk policy is one of the simplest ways to be compliant with basic information security. It is a simple way to protect your business, your customers, your employees and even yourself.
A clear desk policy is designed to make sure that confidential information is physically protected when not in use.
Clear Desk Policy Meaning
The purpose of a clear desk policy is to help your organisation reduce the risk of information theft, fraud or a security breach caused by confidential information being left unattended and visible in plain view.
The clear desk policy is about securing physical information and locking your screen when you are not at your desk.
Why we need a clear desk for employees and customers
Think about the kinds of confidential information you can hold about your colleagues and customers. You may well have bank statements, customer order details, employee contracts and employee data: all the kinds of information you use in your day-to-day job.
Then ask yourself: would I be happy if this were mine and someone took it?
Would I be happy if someone I did not know had my bank statements, or copies of the passport I provided as part of my company onboarding process? How happy would I be if a complete stranger had my medical records?
It isn't just the potential for embarrassment, the breach of trust, or knowing that someone knows something deeply personal about you; there is also the risk of identity fraud.
These physical records, papers and contracts are important. They form the basis of our lives and they should be protected.
Why we need a clear desk policy for the organisation
Similar to personal data, there is a lot of organisational data that you probably don't want bandied about willy-nilly.
It could be company bank statements, company payroll information or company pension information. Perhaps you have growth targets, or are considering redundancies. Maybe you have company formation documents or, and yes they do still exist, customer cheques waiting to be paid in. Maybe you have a payment terminal that allows you to take card payments over the phone.
There is a lot of organisational information that, in the wrong hands, could cause reputational damage, embarrassment and financial harm, and could even put you in breach of the law if it is not protected.
Clear Desk Policy Template
You can save over 4 hours of work with the pre-written, pre-populated Clear Desk Policy Template. The ultimate ISO 27001 clear desk policy, guaranteed.
The Top 5 Benefits of a Clear Desk Policy
There are many benefits to having a clear desk policy. Let’s explore the Top 5 Benefits of a Clear Desk Policy in this ultimate list:
- It protects your organisation by placing confidential information out of sight and out of reach when unattended
- It encourages a tidy workspace, which can increase productivity
- It ensures compliance with standards such as ISO 27001 and SOC 2
- It is best practice in many organisations across the globe
- It is good for the environment, as it encourages digital documents over physical printouts
How to implement a clear desk policy in 3 simple steps
Whether you are going for ISO 27001 certification or just want to implement good practice, these 3 simple steps will show you how to implement the policy, followed in the next section by how to write it.
Implementing a clear desk policy is straightforward and, on the whole, common sense.
- Inform staff where the policy is, encourage them to read it and test their understanding of what is required.
- Provide cross-cut shredders and lockable storage in offices, next to printers, and to home workers who need to print confidential information.
- Perform checks on a periodic basis by doing an office floor walk or a remote video call check.
How to write a clear desk policy
Assuming you do not want to save over 4 hours by downloading the clear desk policy template, this is the step-by-step approach to writing your own clear desk policy.
Time needed: 4 hours and 30 minutes
A step-by-step guide to writing the clear desk policy.
- Create your version control and document mark-up
ISO 27001 documents require version control recording the author, the change, the date and the version, as well as document mark-up such as the document classification.
- Write the document purpose
Write the purpose of the document. The purpose of this policy is to reduce the risks of unauthorised access to, loss of, and damage to information during and outside normal working hours.
- Write the scope of the policy
All company employees and external party users.
Confidential information in electronic and paper form.
Monetary items and associated resources.
- Write the principle on which the policy is based
Clear desk and clear screen ensure that resources of value and confidential information are secured from unauthorised access, loss or damage when not in use.
- Write the content for the required sections
Internal, Confidential and Critical Information
Printers, Photocopiers and Reproduction Technology
Cash, Cheques, Bank Cards, Payment Devices
Clear Desk Policy for Remote Workers
The clear desk policy template covers and applies to remote workers. If you are writing your own policy from scratch rather than using the template, remember that the same rules apply to remote workers. Set out the rules for securing confidential information and assets when not in use. This includes home offices, where locks on office doors and the use of lockable storage should be considered. Also bear in mind that, if you allow printing, a cross-cut shredder may need to be provided to allow secure destruction of data.
If computer devices or sensitive documents such as contracts are to be stored at a home location because there is no office or storage, consider restricting this to just one person and putting in place additional physical security controls that take into account the nature of what is being stored.
Often when people leave they return devices, which can be a problem when there is no central location to return them to. We would encourage a process that performs a remote wipe before the device is transported and stored, which will reduce the information security risk.
Clear Desk Policy Mapped to ISO 27001
The requirement for clear desk and clear screen in ISO 27001 is covered in ISO 27001:2022 Annex A Control 7.7 Clear Desk and Clear Screen. You can also consider it in the context of ISO 27001:2022 Annex A Control 6.7 Remote Working. For a more detailed guide on remote working you can read the ISO 27001 Mobile And Remote Working Policy Beginner’s Guide.
Clear Desk Policy FAQ
A clear desk policy is in place to provide guidance on what people should do when it comes to their desks either at home or at the office. It is not about cleaning but it is about making sure that important information and devices are secured when not in use. We do not want to leave them on desks when unattended.
You don't HAVE to, but keeping a clean and tidy desk can reap productivity benefits.
Secure them, ideally in lockable storage. Keeping them in a room that can be locked is also advisable. In basic terms, don't leave them where people can easily take them.
It would take just over 4 hours to research and write a clear desk policy from scratch.
A clear desk policy includes guidance on what to do with physical assets and physical copies of data that need protecting. As a rule this is confidential information. It sets out what should be done.
The clear desk policy applies to all staff and third parties that work in and for your organisation.
The clear desk policy is reviewed at least annually and also when significant change occurs.
The clear desk policy is approved and signed off by the management review team.
The clear desk policy applies to remote workers. It ensures that remote workspaces are kept clear of confidential information and that information is secured when not in use. This applies to home offices as well as other remote working locations.
Your clear desk policy can be in whatever format works for your organisation. There are benefits to a clear desk policy PDF, mainly that it cannot be altered and that it gives you flexibility in who you distribute it to.
A companion policy to the clear desk policy is the physical and environmental security policy.