
How to Implement ISO 27001 Annex A 7.7 Clear Desk and Clear Screen

In this how-to implementation guide to ISO 27001 Annex A 7.7 Clear Desk and Clear Screen, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Implementing ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is a foundational control that requires sensitive information to be protected both physically (papers and media on desks) and digitally (unattended screens) so that it cannot leak to people who are not authorised to see it. The business benefit is a reduction in the risk of unauthorised exposure, achieved by enforcing automated screen locks and secure physical storage.

ISO 27001 Annex A Clear Desk and Clear Screen Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.7. This control mandates the physical and digital protection of information assets by ensuring sensitive data is not left exposed on physical surfaces or unattended digital displays.

1. Formalise the Physical Clear Desk Mandate

Control Requirement: High-classification physical information and storage media must be secured when not in use.

Required Implementation Step: Open your Information Classification Policy and add a specific section for “Physical Environment”. Stipulate that all papers, notebooks, and removable media classified as ‘Confidential’ or higher must be stored in a locked drawer or cabinet whenever a staff member leaves their desk for more than 15 minutes.

Minimum Requirement: A signed policy document explicitly banning the overnight storage of sensitive documents on desks.

2. Enforce Automated Screen Locking via Group Policy (GPO)

Control Requirement: Information processing facilities must be protected when left unattended.

Required Implementation Step: Open your Group Policy Management Console or MDM (e.g., Intune). Configure a global policy to force a screen lock after a maximum of 5 minutes of inactivity (1 minute for high-security zones) and ensure users cannot override these settings in their local OS preferences.

Minimum Requirement: A technical configuration report from AD or MDM showing the enforced inactivity timeout across all endpoints.
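An added example, not from this guide or the High Table toolkit: a PowerShell audit that reads the policy registry values a GPO writes for the screen-saver lock and the machine inactivity limit, then emits one row of the configuration report required above. It assumes a domain-joined Windows endpoint managed by GPO; the function name Test-ClearScreenCompliance and the CSV output path are my own choices.

```powershell
function Test-ClearScreenCompliance {
    [CmdletBinding()]
    param(
        # 300 s = 5 minutes for normal zones; pass 60 for high-security zones
        [int]$MaxTimeoutSeconds = 300
    )

    # User-scope values written by "User Configuration > Administrative Templates >
    # Control Panel > Personalization". Because they sit under \Policies\, the
    # screen saver controls are greyed out in the user's local OS preferences.
    $userPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    # Machine-scope value written by the security option
    # "Interactive logon: Machine inactivity limit" (locks the session itself).
    $machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $findings = [System.Collections.Generic.List[string]]::new()
    $u = Get-ItemProperty -Path $userPolicy -ErrorAction SilentlyContinue
    $m = Get-ItemProperty -Path $machinePolicy -ErrorAction SilentlyContinue

    # ScreenSaveTimeOut is a REG_SZ of seconds ("300"); InactivityTimeoutSecs is a DWORD.
    $ssTimeout = if ($u -and $u.ScreenSaveTimeOut) { [int]$u.ScreenSaveTimeOut } else { $null }
    $machineTimeout = if ($m -and $m.InactivityTimeoutSecs) { [int]$m.InactivityTimeoutSecs } else { $null }

    if ($null -eq $ssTimeout -and $null -eq $machineTimeout) {
        $findings.Add('No enforced inactivity timeout in policy keys: the user can override local settings.')
    }
    if ($null -ne $ssTimeout) {
        if ($ssTimeout -gt $MaxTimeoutSeconds) { $findings.Add("ScreenSaveTimeOut is $ssTimeout s, limit is $MaxTimeoutSeconds s.") }
        if ($u.ScreenSaveActive -ne '1')    { $findings.Add('Screen saver is not forced on (ScreenSaveActive != 1).') }
        if ($u.ScreenSaverIsSecure -ne '1') { $findings.Add('Resume does not require a password (ScreenSaverIsSecure != 1).') }
    }
    if ($null -ne $machineTimeout -and $machineTimeout -gt $MaxTimeoutSeconds) {
        $findings.Add("InactivityTimeoutSecs is $machineTimeout s, limit is $MaxTimeoutSeconds s.")
    }

    # One row per endpoint/user; collect these rows into the AD/MDM configuration report.
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        UserName              = $env:USERNAME
        ScreenSaveTimeOutSecs = $ssTimeout
        MachineInactivitySecs = $machineTimeout
        Compliant             = ($findings.Count -eq 0)
        Findings              = ($findings -join '; ')
    }
}

# Run in the user's session (logon script or scheduled task) and append to the evidence file.
Test-ClearScreenCompliance -MaxTimeoutSeconds 300 |
    Export-Csv -Path "$env:TEMP\clear-screen-evidence.csv" -NoTypeInformation -Append
```

Any row with Compliant = False tells you which endpoint still allows a user-set or over-long timeout before you present the report to the auditor.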

3. Procure and Install Physical Privacy Filters

Control Requirement: Protect information from unauthorised viewing (shoulder surfing).

Required Implementation Step: Identify all workstations located in high-traffic areas, near windows, or in public-facing lobbies. Purchase and physically install privacy screens that limit the viewing angle to +/- 30 degrees, ensuring that only the person directly in front of the monitor can read the data.

Minimum Requirement: Visual verification and asset logs of privacy filters deployed to 100% of high-risk workstations.
