
ISO 27001 Clear Desk and Clear Screen Policy Explained + Template

Last updated Sep 23, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

The ISO 27001 Clear Desk Policy sets out the guidelines and framework for how you protect physical information and high-value tangible assets. A clear desk policy is designed to make sure that confidential information is physically protected when not in use.

What is it

A Clear Desk Policy is a simple but super important rule you should follow in your office. Think of it like a tidying-up ritual for your workspace at the end of each workday. It’s all about making sure that no one can easily get to your private information if you’re not there. This means putting away all your confidential papers and devices so they’re safe.

It’s a key part of ISO 27001, a global standard for keeping information safe. Following this rule helps you protect sensitive data, like customer lists or your company’s secret plans, from being seen by people who shouldn’t see it. This policy is really just common sense dressed up in a fancy name!

Applicability to Small Businesses, Tech Startups, and AI Companies

This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

  • Small Businesses: You can show your clients that you’re trustworthy and professional. It’s a simple way to build a strong reputation for security.
  • Tech Startups: In a fast-paced environment, this policy helps you prevent accidental data leaks of your new and innovative ideas.
  • AI Companies: You often work with huge amounts of data. This policy helps you protect that data and comply with regulations like GDPR.

ISO 27001 Clear Desk and Clear Screen Policy Template

The ISO 27001:2022 Clear Desk and Clear Screen Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.


Why You Need It

You need a Clear Desk Policy to keep your sensitive information safe and sound. Imagine a visitor walking through your office and seeing a client list on your desk. That’s a big no-no! This policy helps prevent that from happening. It also helps you meet the requirements of ISO 27001, which shows your clients and partners that you take security seriously.

Where You Need It

You need to follow this policy wherever you work with sensitive information. This includes your office desk, meeting rooms, and even at home if you’re working remotely. If you’re using a laptop or tablet, you should also be mindful of your surroundings. The policy applies to both physical papers and digital devices.

When You Need It

You should apply your Clear Desk Policy at the end of every workday or whenever you leave your desk for an extended period. It’s also a great practice to follow before a meeting if you’re leaving confidential materials behind. Making it a daily habit is the best way to keep your information safe.

Who Needs It?

Basically, anyone who works with private or sensitive info needs a Clear Desk Policy. This includes you, your coworkers, and even visitors to your office. It’s for everyone, from the CEO to the newest intern. The idea is that everyone has a part to play in keeping information secure.

How to Write It

Writing a Clear Desk Policy is simpler than you might think. Just make sure to include:

  • What it is: Explain the purpose in simple language.
  • What to do: List the steps everyone should take. For example, “Lock your computer screen” and “Put away all papers.”
  • What to expect: Explain what happens if you don’t follow the rules. This helps everyone understand how important it is.
  • Who to contact: Give a name or department for questions.

Time needed: 4 hours and 30 minutes

How to write an ISO 27001 clear desk policy

  1. Create your version control and document mark-up

    ISO 27001 documents require version control recording the author, the change, the date and the version, as well as document mark-up such as the document classification.

  2. Write the ISO 27001 Clear Desk Policy purpose

    Write the purpose of the document. The purpose of this policy is to reduce the risks of unauthorised access to, loss of and damage to information during and outside normal working hours.

  3. Write the ISO 27001 Clear Desk Policy scope

    The scope of this policy is:
    All company employees and external party users.
    Confidential information in electronic and paper form.
    Monetary items and associated resources.

  4. Write the principle on which the ISO 27001 Clear Desk Policy is based

    Clear desk and clear screen ensure that resources of value and confidential information are secured from unauthorised access, loss or damage when not in use.

  5. Describe how you handle internal, confidential and critical information

    Internal, confidential or critical business information, e.g. on paper or on electronic storage media, should be locked away (ideally in a safe, lockable cabinet, desk or other security furniture) when not required, especially when the office is vacated.
    Computers and terminals should be logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism when unattended, and should be protected by key locks, passwords or other controls when not in use. Do not rely on people remembering to lock manually: configure devices to lock automatically after a short period of inactivity so that the control still works when someone forgets.
    Whiteboards and other types of display should be cleared or cleaned of confidential or critical information when no longer required.

  6. Set out your approach to printers and photocopiers

    Unauthorised use of photocopiers and other reproduction technology (e.g. scanners, digital cameras) should be prevented.
    Media containing confidential, internal or otherwise sensitive information should be removed from printers and photocopiers immediately.

  7. Explain how you handle cash, cheques, bank cards and payment devices

    All payment items (cash, cheques, bank cards) and all devices able to take or make payments are to be physically locked away securely when not in use.

  8. Describe media disposal

    Media should be destroyed in line with the Information Classification and Handling Policy. In summary, internal and confidential material should be placed in the confidential waste bins or company-provided shredders where available, and never in general waste.

  9. Write the approach to desk cleaning

    All desks and other workspaces should be sufficiently tidy at the end of each working day to permit the cleaning staff to perform their duties.

  10. Document the configuration of pop-ups and notifications

    Screen pop-ups and notifications, such as messaging and new email alerts, should be disabled during presentations, screen sharing or in public areas.

  11. Communicate the clear desk policy to appropriate staff

    As part of your required communication plan, consider the different ways and timings that are appropriate to you for communicating the clear desk policy. Make sure it is stored somewhere people can easily reach at any time, and verify that they can in fact access it.

  12. Get evidence that the staff have accepted the clear desk policy

    Using your acceptance methodology get staff to accept that they have read and understand the policy and accept its terms. Maintain evidence of this for future audit and potential disciplinary process.

  13. Manage Exceptions

    There may be things that cannot be secured for business or technical reasons. These should be identified, recorded, agreed and managed via risk management with effective compensating controls in place.
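Step 5 asks for an unattended computer to be protected by a password-controlled screen lock, and step 13 asks for anything that cannot be secured to be recorded as an exception. The following PowerShell script is an added example, not part of the ISO 27001 template, that audits whether a Windows endpoint actually enforces that clear-screen control. It reads the machine inactivity limit (InactivityTimeoutSecs) and the per-user screen saver settings (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut), preferring the Group Policy key over the user's own preference, and reports any findings. The ten-minute maximum is an assumed policy value; the function name Test-ClearScreenConfig is the author's choice for this example.

```powershell
# Added example: audit whether this Windows endpoint enforces a clear-screen lock.
# Illustrative code, not part of the ISO 27001 template. The default of 600 seconds
# (10 minutes) is an assumed policy threshold; set it to the value in your own policy.

param(
    [int]$MaxIdleSeconds = 600
)

# Read a registry value, returning $null when the key or value does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-ClearScreenConfig {
    param([int]$MaxIdleSeconds = 600)

    $findings = @()

    # 1. Machine-wide inactivity limit ("Interactive logon: Machine inactivity limit").
    #    This is the control to rely on: it applies to every user on the device and
    #    cannot be switched off from the user's own screen saver settings.
    $machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    if ($null -eq $machineLimit -or [int]$machineLimit -eq 0) {
        $findings += 'InactivityTimeoutSecs is not set: no machine-wide lock on idle'
    } elseif ([int]$machineLimit -gt $MaxIdleSeconds) {
        $findings += "InactivityTimeoutSecs is $machineLimit s, above the policy maximum of $MaxIdleSeconds s"
    }

    # 2. Per-user screen saver lock. The Policies key is written by Group Policy and
    #    takes precedence; the plain Desktop key is the user's own (changeable) preference.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'
    $ss = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        $value = Get-RegValue $policyKey $name
        if ($null -eq $value) { $value = Get-RegValue $userKey $name }
        $ss[$name] = $value
    }
    if ("$($ss.ScreenSaveActive)" -ne '1') {
        $findings += 'Screen saver is not active for the current user'
    }
    if ("$($ss.ScreenSaverIsSecure)" -ne '1') {
        $findings += 'Screen saver does not require a password on resume'
    }
    if ($null -eq $ss.ScreenSaveTimeOut -or [int]$ss.ScreenSaveTimeOut -gt $MaxIdleSeconds) {
        $findings += "ScreenSaveTimeOut is '$($ss.ScreenSaveTimeOut)', above the policy maximum of $MaxIdleSeconds s"
    }

    # Return a record that can be collected centrally as audit evidence.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        User      = $env:USERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-ClearScreenConfig -MaxIdleSeconds $MaxIdleSeconds | Format-List
```

Run it in the context of the interactive user, because the HKCU values belong to whoever is logged on; for fleet-wide evidence, push it through your endpoint management tool and keep the returned records with your audit material. A device that reports Compliant = False should either be fixed or recorded as an exception under step 13 with a compensating control.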

How to Implement It

To make sure your policy works, you need to:

  1. Tell everyone about it: Use emails, team meetings, and posters to let everyone know.
  2. Train your team: Show them exactly how to follow the policy.
  3. Lead by example: Make sure you and the leadership team are following the rules.
  4. Do check-ins: Once in a while, check to make sure everyone is following the policy.

Examples of using it for small businesses

Imagine you run a small design studio. At the end of the day, you make sure all client sketches and contracts are locked in a filing cabinet. Your computer is also locked or shut down, preventing anyone from snooping.

Examples of using it for tech startups

You’re a tech startup creating a new app. Before you leave for the day, you lock your computer screen and put away any notes on your new code. This prevents competitors or visitors from seeing your secret source code.

Examples of using it for AI companies

You are an AI company working with sensitive data. You ensure that all data samples are stored on secure, encrypted drives and that no paper documents with personal information are left on your desk.

How the ISO 27001 Toolkit Can Help

An ISO 27001 toolkit is a great shortcut. It often includes pre-written policies like the Clear Desk Policy, procedures, and forms that you can use right away. It saves you the hassle of writing everything from scratch and helps you make sure you don’t miss any important details.


Information Security Standards That Need It

This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards and regulations where it supports compliance include:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive)
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology)
  • HIPAA (Health Insurance Portability and Accountability Act)

List of Relevant ISO 27001:2022 Controls

The ISO 27001:2022 standard has specific Annex A controls that relate to clear desk and clear screen. The most directly relevant ones are:

  • 7.7 Clear desk and clear screen
  • 7.10 Storage media
  • 8.1 User endpoint devices

ISO 27001 Clear Desk and Clear Screen Policy Example

The following is the ISO 27001 clear desk policy example.

Clear Desk Policy for employees and customers

Think about the kinds of confidential information you can have about your colleagues and customers. You may well have bank statements, customer order details, employee contracts, employee data. All the kind of information that you use in your day to day job.

Then ask yourself: would I be happy if this was mine and someone took it?

Would I be happy if someone I did not know had my bank statements, or copies of the passport I used as part of my company onboarding process? How happy would I be if a complete stranger had my medical records?

It isn’t just the potential for embarrassment, the breach of trust, or knowing that someone knows something deeply personal about you; there is also the risk of identity fraud.

These physical records, papers, contracts are important. They form the basis of our lives and they should be protected.

Clear Desk Policy for the organisation

Similar to personal data, there is a lot of organisational data that you probably don’t want bandied about.

It could be company bank statements, company payroll information or company pension information. Perhaps you have growth targets, or are considering redundancies. Maybe you have company formation documents or, and yes they do still exist, customer cheques waiting to be paid in. Maybe you have a payment terminal that allows you to take card payments over the phone.

There is a lot of organisational information that, in the wrong hands, could cause reputational damage, embarrassment, financial harm and even a breach of the law if not protected.

Clear Desk Policy for remote workers

The clear desk policy template covers and applies to remote workers. If you are writing your own policy from scratch and not using the template, then you should consider that the same rules apply to remote workers. You set out the rules for securing confidential information and assets when not in use. This includes home offices, where locks on the office door and the use of lockable storage should be considered. Also take into account that if you allow printing, a cross-cut shredder may need to be provided to allow secure destruction of data.

If computer devices or sensitive documents like contracts are to be stored at a home location because there is no office or storage, consider restricting this to just one person and putting in additional physical security controls that take into account the nature of what is being stored.

When people leave they return their devices, which is harder to manage when there is no central location. We would encourage a process that performs a remote wipe before the device is transported and stored, which reduces the information security risk while the device is in transit or sitting unattended.

ISO 27001 Clear Desk and Clear Screen Policy FAQ

Why do we have a clear desk policy?

A clear desk policy is in place to provide guidance on what people should do when it comes to their desks either at home or at the office. It is not about cleaning but it is about making sure that important information and devices are secured when not in use. We do not want to leave them on desks when unattended.

What is the ISO 27001 Clear Desk Policy Principle?

Physical information should be locked away and secured when not in use.
Clear desk and clear screen ensure that resources of value and confidential information are secured when not in use.

What is the Purpose of the ISO 27001 Clear Desk Policy?

The purpose of the ISO 27001 Clear Desk Policy is to reduce the risk of unauthorised access to, loss of and damage to information during and outside normal working hours.

Who is responsible for the ISO 27001 Clear Desk Policy?

The clear desk policy is the responsibility of the Chief Operating Officer (COO) or the person in charge of business operations.

What are the benefits of an ISO 27001 clear desk policy?

  • It protects your organisation by placing confidential information out of sight and out of reach when unattended
  • It encourages a tidy workspace that can increase productivity
  • It supports compliance with standards such as ISO 27001 and SOC 2
  • It is best practice in many organisations across the globe
  • It is good for the environment as it encourages digital documents over physical printouts

Do I have to clean my desk?

You don’t HAVE to but keeping a clean and tidy desk can reap productivity benefits.

What should I do with confidential data and devices when I am not at my desk?

Secure them, ideally in lockable storage. Keeping them in a room that can be locked is also advisable. In basic terms don’t leave them where people can easily take them.

Do I need a clear desk policy for ISO 27001 certification?

Yes. Clear desk and clear screen is an Annex A control in ISO 27001:2022 (7.7), and physical security more broadly is part of the standard. You will be expected to implement a clear desk policy, or to justify in your Statement of Applicability why the control does not apply to you.

How long will it take to write a clear desk policy from scratch?

It would take just over 4 hours to research and write a clear desk policy from scratch.

What does a clear desk policy include?

A clear desk policy includes guidance on what to do with physical assets and physical copies of data that need protecting. As a rule this is confidential information. It sets out what should be done.

Who does the clear desk policy apply to?

The clear desk policy would apply to all staff and third parties that work in and for your organisation.

How often do I review the clear desk policy?

The clear desk policy is reviewed at least annually and also when significant change occurs.

Who approves the clear desk policy?

The clear desk policy is approved and signed off by the management review team.

What is the clean desk policy for remote workers?

The clean desk policy applies to remote workers. It ensures that remote work spaces are kept clear of confidential information and that information is secured when not in use. This applies to home offices as well as remote working locations.

Do I need a clear desk policy PDF?

Your clear desk policy can be in whatever format works for your organisation. The benefits of a clear desk policy PDF are mainly that it cannot easily be altered and that it gives flexibility in who you distribute it to.

What other policy should I consider as well as the clear desk policy?

A companion policy to the clear desk policy is the physical and environmental security policy.

What are examples of a violation of ISO 27001 Clear Desk Policy?

Examples of where the policy can fail, or violations of the clear desk policy, include:
  • Leaving computers logged in when you are not at your desk
  • Leaving confidential information on a desk overnight
  • Leaving cheques or cash unattended on a desk or in an open, unlocked office
  • Leaving a payment machine unattended
  • Leaving confidential printouts on a printer or next to a printer
  • Leaving old computers unattended or in an open, unlocked space
  • Leaving old hard drives or storage media on a desk unattended
  • Keeping confidential information in drawers or cupboards but not locking them

What are the consequences of violating the ISO 27001 Clear Desk Policy?

The main consequence would be theft and loss of information or asset. This could lead to legal and regulatory fines, loss of data, loss of revenue, loss of reputation and loss of customers.

How do you monitor the effectiveness of the ISO 27001 Clear Desk Policy?

The approaches to monitoring the effectiveness of clear desk management include:
  • Periodic checks of offices and spaces out of hours
  • Periodic checks of offices and spaces during normal business hours
  • Internal audit of the clear desk process
  • External audit of the clear desk process

What if I have a shared desk?

You should be extra careful to clear your desk and lock your computer.

Do I have to do this every time I get coffee?

No, but you should lock your screen. The full “clear desk” part is for when you’re leaving for a longer time, like at the end of the day.

Can I leave my phone on my desk?

It’s best to take your phone with you or lock it in a drawer.

What about sticky notes?

You should remove sticky notes with sensitive information and put them away.

Does this policy stop cyber attacks?

It helps with physical security, but you also need other measures to protect against cyber attacks.

What if I work from home?

You should still follow the policy by making sure your computer is locked and sensitive papers are put away when you’re not using them.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.