Implementing ISO 27001 Annex A 7.7, Clear Desk and Clear Screen, is a foundational security control that requires the physical and digital shielding of sensitive information to prevent data leakage. The business benefit is a reduced risk of unauthorised exposure, achieved by enforcing automated screen locks and secure physical storage.
ISO 27001 Annex A Clear Desk and Clear Screen Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.7. This control mandates the physical and digital protection of information assets by ensuring sensitive data is not left exposed on physical surfaces or unattended digital displays.
1. Formalise the Physical Clear Desk Mandate
Control Requirement: High-classification physical information and storage media must be secured when not in use.
Required Implementation Step: Open your Information Classification Policy and add a specific section for “Physical Environment”. Stipulate that all papers, notebooks, and removable media classified as ‘Confidential’ or higher must be stored in a locked drawer or cabinet whenever a staff member leaves their desk for more than 15 minutes.
Minimum Requirement: A signed policy document explicitly banning the overnight storage of sensitive documents on desks.
2. Enforce Automated Screen Locking via Group Policy (GPO)
Control Requirement: Information processing facilities must be protected when left unattended.
Required Implementation Step: Open your Group Policy Management Console or MDM (e.g., Intune). Configure a global policy to force a screen lock after a maximum of 5 minutes of inactivity (1 minute for high-security zones) and ensure users cannot override these settings in their local OS preferences.
Minimum Requirement: A technical configuration report from AD or MDM showing the enforced inactivity timeout across all endpoints.
3. Procure and Install Physical Privacy Filters
Control Requirement: Protect information from unauthorised viewing (shoulder surfing).
Required Implementation Step: Identify all workstations located in high-traffic areas, near windows, or in public-facing lobbies. Purchase and physically install privacy screens that limit the viewing angle to +/- 30 degrees, ensuring that only the person directly in front of the monitor can read the data.
Minimum Requirement: Visual verification and asset logs of privacy filters deployed to 100% of high-risk workstations.
4. Standardise ‘Secure Print’ Workflows
Control Requirement: Sensitive information on printers and multi-function devices must be protected.
Required Implementation Step: Log into your print server or printer management software (e.g., PaperCut). Enable “Pull Printing” or “Follow Me Printing”, requiring every user to physically scan their ID badge or enter a PIN at the device before the document is actually printed, preventing sensitive papers from sitting in the output tray.
Minimum Requirement: Configuration evidence showing that local ‘Direct Print’ is disabled in favour of authenticated release.
5. Provide Lockable Storage for All Staff
Control Requirement: Adequate facilities must be provided to secure information assets.
Required Implementation Step: Walk the office floor and verify that every desk is equipped with a lockable pedestal or that a central locker bank is provided. If the keys are missing, replace the barrels immediately; you cannot enforce a clear desk policy if staff have nowhere to physically secure their work.
Minimum Requirement: Physical inspection confirming that every employee has access to a functional, lockable storage unit.
6. Conduct Unannounced ‘After-Hours’ Inspections
Control Requirement: Regularly review compliance with the clear desk and screen policy.
Required Implementation Step: The Security Officer must walk the floor after 18:00 at least once a month. Document every instance of a “fail” (e.g., a post-it note with a password, a client file left out, or an unlocked screen) and issue a formal non-conformance report to the individual’s manager.
Minimum Requirement: A dated log of monthly sweeps including the number of desks inspected and specific violations found.
7. Secure Removable Media in High-Trust Zones
Control Requirement: Storage media must be protected when not in use.
Required Implementation Step: Install USB port blockers on shared kiosks or terminals. For personal workstations, enforce a policy where USB sticks or external hard drives are stored in a fire-rated safe overnight rather than in standard desk drawers.
Minimum Requirement: Proof of use of hardware port locks or evidence of media safes in server rooms/HR offices.
8. Implement ‘Whiteboard Hygiene’ Protocols
Control Requirement: Secure information on shared surfaces.
Required Implementation Step: Assign a ‘Meeting Room Owner’ or instruct the cleaning crew to wipe all whiteboards at the end of every day. In high-security areas, replace standard whiteboards with electronic ones that require a password to save/print, or install “Please Wipe After Use” signage.
Minimum Requirement: Evidence of cleaning schedules or meeting room checklists that include board clearing.
9. Enable Remote Wipe for Mobile Devices
Control Requirement: Protect information on devices used outside the secure office environment.
Required Implementation Step: Ensure that your MDM (Mobile Device Management) is configured to automatically wipe a device after 10 failed passcode attempts. This extends the “clear screen” concept to the physical loss of the device, ensuring the data is cleared if the physical perimeter is breached.
Minimum Requirement: MDM policy configuration showing ‘Automatic Wipe’ thresholds are active for all mobile assets.
10. Deliver Practical Behavioural Training
Control Requirement: Staff must be aware of their clear desk/screen obligations.
Required Implementation Step: Move beyond the annual GRC video. Conduct a “Clean Desk Challenge” or use desk-drops (e.g., “I could have stolen your data” cards) left on non-compliant desks. Awareness is achieved through the fear of a physical audit, not a digital certificate.
Minimum Requirement: Photos or records of physical awareness collateral used during internal security month.
ISO 27001 Annex A 7.7 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Physical Compliance | Ticking “Compliant” because a policy was uploaded to the dashboard. | A dashboard can’t see the password on a sticky note. Only a physical walk-through identifies reality. |
| Screen Locking | Accepting a “self-attestation” from employees that their screens lock. | Users often use “caffeine” apps or mouse jigglers to bypass GPO. You must verify the GPO is actually applied at the OS level. |
| Print Security | Setting a task for IT to “Review printer security”. | Unless Pull-Printing is hard-configured, sensitive payroll docs will eventually sit in a public tray. GRC tools don’t check printer firmware. |
| Shoulder Surfing | Marking “Implemented” because privacy screens were mentioned in a video. | If the filters aren’t physically on the monitors, the risk remains 100%. GRC platforms don’t conduct hardware audits. |
| Whiteboard Risks | Ignoring whiteboards as they aren’t “IT Assets”. | Meeting rooms are the #1 source of internal data leaks. GRC asset registers rarely include the “Marketing Strategy” on a whiteboard. |
| Storage Verification | Recording that lockers exist in the “Office Facilities” list. | Are the keys in the locks? Are the locks broken? GRC tools don’t test the mechanical integrity of a physical drawer. |
| After-Hours Audit | Assigning a recurring “Audit Task” to a manager. | Managers often “pencil-whip” these tasks to hit 100% completion without ever leaving their own chairs. |
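Step 2 of the checklist requires that the screen-lock timeout be enforced rather than left to user preference, and the ‘Screen Locking’ row above says the GPO must be verified at the OS level rather than self-attested. The following PowerShell script is an added example, not part of this checklist and not any vendor’s tooling: it reads the registry values that the standard Windows screen-saver and machine-inactivity policies write and reports whether an enforced lock of at most 5 minutes (the checklist’s maximum) is in place on the endpoint it runs on. The function names, the $MaxTimeoutSeconds parameter and the report layout are the example’s own assumptions; the registry paths are the standard Windows policy locations.

```powershell
# Added verification script (not part of the checklist). Reads the registry values written by the
# Windows screen-lock policies and reports whether an enforced lock meets the checklist's maximum.
# $MaxTimeoutSeconds, the function names and the report layout are this example's assumptions.
param(
    [int]$MaxTimeoutSeconds = 300   # 5 minutes per the checklist; use 60 for high-security zones
)

# Policy-scoped keys: values here are written by GPO/MDM and cannot be changed by the user.
# The user-preference key holds what the user set in Personalisation and is NOT enforced.
$UserPolicyKey    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserPrefKey      = 'HKCU:\Control Panel\Desktop'
$MachinePolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ScreenLockPolicy {
    param([int]$MaxSeconds)

    $result = [ordered]@{
        Computer                = $env:COMPUTERNAME
        User                    = $env:USERNAME
        # Machine-wide "Interactive logon: Machine inactivity limit" (seconds, DWORD)
        MachineInactivityLimit  = Get-RegValue $MachinePolicyKey 'InactivityTimeoutSecs'
        # User-scope policy values: "Enable screen saver", "Password protect the screen saver",
        # "Screen saver timeout" (stored as strings under the Policies hive)
        PolicyScreenSaveActive  = Get-RegValue $UserPolicyKey 'ScreenSaveActive'
        PolicyScreenSaverSecure = Get-RegValue $UserPolicyKey 'ScreenSaverIsSecure'
        PolicyScreenSaveTimeOut = Get-RegValue $UserPolicyKey 'ScreenSaveTimeOut'
        # Same timeout in the user's own preference key (overridable, so not evidence of enforcement)
        PrefScreenSaveTimeOut   = Get-RegValue $UserPrefKey 'ScreenSaveTimeOut'
    }

    $findings = @()

    # Either mechanism counts as an enforced lock, provided the timeout is set and within the maximum
    $machineOk = ($null -ne $result.MachineInactivityLimit) -and
                 ([int]$result.MachineInactivityLimit -gt 0) -and
                 ([int]$result.MachineInactivityLimit -le $MaxSeconds)

    $userOk = ($result.PolicyScreenSaveActive -eq '1') -and
              ($result.PolicyScreenSaverSecure -eq '1') -and
              ($null -ne $result.PolicyScreenSaveTimeOut) -and
              ([int]$result.PolicyScreenSaveTimeOut -gt 0) -and
              ([int]$result.PolicyScreenSaveTimeOut -le $MaxSeconds)

    if (-not $machineOk -and -not $userOk) {
        $findings += "No enforced lock within $MaxSeconds s (neither machine inactivity limit nor policy screen saver)."
    }
    if (($null -eq $result.PolicyScreenSaveTimeOut) -and ($null -ne $result.PrefScreenSaveTimeOut)) {
        $findings += "Screen saver timeout exists only as a user preference ($($result.PrefScreenSaveTimeOut) s); the user can change or disable it."
    }
    if (($result.PolicyScreenSaveActive -eq '1') -and ($result.PolicyScreenSaverSecure -ne '1')) {
        $findings += "Screen saver is enforced but does not require a password on resume."
    }

    $result.Compliant = ($findings.Count -eq 0)
    $result.Findings  = $findings
    [pscustomobject]$result
}

$report = Test-ScreenLockPolicy -MaxSeconds $MaxTimeoutSeconds
$report | Format-List

# A non-zero exit code lets an endpoint-management tool collect the result as a compliance signal
if (-not $report.Compliant) { exit 1 }
```

Run it in the user’s own session on a sample of endpoints in each GPO scope (or push it as a detection script through your MDM) and keep the output as the ‘technical configuration report’ the Minimum Requirement for step 2 asks for. A timeout that appears only under the preference key, with nothing under the Policies hive, is exactly the self-attestation trap in the table: it lists a lock, but the user can switch it off. The script checks the configured setting only; it cannot see a mouse jiggler or a ‘caffeine’ app, which is why the after-hours walk-through in step 6 still needs to note unlocked screens.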