Auditing ISO 27001 Annex A 7.6 Clear Desk and Clear Screen is a critical evaluation of physical and technical data protection hygiene in workspaces. The primary implementation requirement is to clear sensitive media from desks and lock active displays when unattended; the business benefit is preventing accidental data exposure and unauthorised visual access.
ISO 27001 Annex A 7.6 Clear Desk and Clear Screen Audit Checklist
This technical verification tool is designed for lead auditors to establish the operational effectiveness of information protection in working areas. Use this checklist to validate compliance with ISO 27001 Annex A 7.6.
1. Clear Desk and Clear Screen Policy Formalisation Verified
Verification Criteria: A documented policy exists that explicitly defines the requirements for clearing sensitive information from desks and screens in line with the organisation’s risk appetite.
Required Evidence: Approved “Clear Desk and Clear Screen Policy” with evidence of recent management review and distribution.
Pass/Fail Test: If there is no formalised policy document specifically addressing clear desk and clear screen requirements, mark as Non-Compliant.
2. Automated Screen Lock Configuration Confirmed
Verification Criteria: Technical controls are active on all endpoints to automatically lock the screen after a defined period of inactivity (typically 5–15 minutes).
Required Evidence: Group Policy Object (GPO) reports or Mobile Device Management (MDM) configuration profiles showing mandatory screen-lock timeouts.
Pass/Fail Test: If a sampled workstation does not automatically lock within the policy-defined timeframe, mark as Non-Compliant.
3. Physical Information Protection in Unattended Areas Verified
Verification Criteria: Physical working areas are free from sensitive paper documents and removable storage media (USB drives, external HDDs) when the workspace is unattended.
Required Evidence: Results of “after-hours” physical security sweeps or observational logs from recent internal site inspections.
Pass/Fail Test: If sensitive information (e.g. PII, passwords on sticky notes, or unencrypted media) is found on an unattended desk, mark as Non-Compliant.
4. Secure Document Disposal Mechanism Presence Confirmed
Verification Criteria: Secure disposal facilities, such as shredding bins or cross-cut shredders, are available and accessible in all areas where sensitive paper information is processed.
Required Evidence: Physical sighting of secure shredding consoles and certificates of destruction from the third-party disposal provider.
Pass/Fail Test: If sensitive paper waste is found in standard, unsecured recycling bins or general waste, mark as Non-Compliant.
5. Printer and Multifunction Device (MFD) Output Security Verified
Verification Criteria: Printing of sensitive information is controlled via “Follow-Me” printing or secure PIN-release mechanisms to prevent documents from being left in output trays.
Required Evidence: Printer server configuration showing authenticated print release or physical observation of empty printer trays during active office hours.
Pass/Fail Test: If an auditor can retrieve uncollected sensitive documents from a printer tray without authentication, mark as Non-Compliant.
6. Storage of Sensitive Media in Locked Facilities Validated
Verification Criteria: When not in use, removable media and sensitive paper files are stored in locked cabinets or drawers as mandated by the classification level.
Required Evidence: Physical inspection of lockable pedestals and cabinets; verification that keys are not left in the locks.
Pass/Fail Test: If sensitive media is found stored in unlocked desk drawers or open shelving in public-access areas, mark as Non-Compliant.
7. External Display and Projector Privacy Confirmed
Verification Criteria: Monitors and projectors in public or semi-public areas are positioned to prevent unauthorised viewing of sensitive data (“shoulder surfing”).
Required Evidence: Visual verification of monitor positioning and use of privacy filters on screens in high-traffic or visitor-facing areas.
Pass/Fail Test: If a screen displaying confidential data (e.g. HR or Finance systems) is visible from a reception area or external window, mark as Non-Compliant.
8. Personnel Awareness and Compliance Confirmation Verified
Verification Criteria: Staff demonstrate awareness of their clear desk/screen obligations and the specific methods for reporting non-compliance.
Required Evidence: Training completion logs showing specific modules on physical security and records of employee policy acknowledgements.
Pass/Fail Test: If a sampled staff member cannot explain the requirement to lock their screen when leaving their desk, mark as Non-Compliant.
9. Removal of Sensitive Information from Meeting Rooms Confirmed
Verification Criteria: Whiteboards are cleaned and all paper/media are removed from meeting rooms and shared spaces immediately following the conclusion of a session.
Required Evidence: Observational checks of meeting rooms post-usage or documented room-clearing procedures for facilities staff.
Pass/Fail Test: If confidential meeting notes remain on a whiteboard or a communal table after a meeting has ended, mark as Non-Compliant.
10. Periodic Compliance Monitoring and Reporting Records Present
Verification Criteria: Regular, unannounced inspections are conducted to verify adherence to clear desk and clear screen rules across the organisation.
Required Evidence: Documented “Desk Audit” reports or non-conformity logs that identify trends and record the subsequent corrective actions.
Pass/Fail Test: If the organisation has no record of verifying clear desk/screen compliance in the current audit cycle, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Policy Implementation | Tool confirms a “Policy” file was uploaded and tagged “Compliant”. | Auditor must verify that the physical reality matches the document. GRC tools cannot see a desk. |
| Screen Lock Timing | Platform shows a “Pass” because a GPO name exists in the database. | Verify the Time Value. Many GRC integrations don’t flag if the timeout is set to “Never” or 4 hours. |
| Secure Disposal | Tool marks “Compliant” because a contract with a shredding firm is active. | Verify Bin Usage. A contract exists, but if the bins are overflowing or staff use open bins, the control fails. |
| Print Security | GRC tool identifies “Printer” as an asset. | Test the PIN Release. The tool cannot confirm if the “Follow-Me” feature is actually enforced on the device hardware. |
| Physical Storage | Platform identifies “Lockers” as a facilities control. | Physical check of keys. Often, “locked” pedestals are left open with keys in the lock—GRC tools miss this entirely. |
| Meeting Room Hygiene | Tool records “Meeting Rooms” in the location list. | Look at the Whiteboards. Data leakage in communal areas is an observational audit step that cannot be automated via API. |
| Awareness | SaaS tool reports 100% training completion. | Audit the Culture. If staff “click through” training but still leave sensitive PII on desks, the GRC metric is a false positive. |
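Checklist item 2 and the “Screen Lock Timing” row above make the same point: a GPO or MDM profile being present is not evidence; the auditor has to read the configured value and treat “Never” (or a multi-hour timeout) as a failure. The script below is an added example, not part of this checklist or of any GRC product. It evaluates a constructed export of endpoint screen-lock settings against the 15-minute upper bound from item 2; the export format and the field names (hostname, source, timeout_seconds, password_on_resume) are assumed for the example, and a real GPO results report or MDM profile dump would need its own parser.

```python
"""Screen-lock timeout audit over exported endpoint settings.

Added example for ISO 27001 Annex A 7.6 item 2 ("verify the time value").
The export format and field names are assumptions for this example; real
GPO/MDM reports use their own schema and would need a different parser.
"""
from dataclasses import dataclass
from typing import Optional

# Policy window from the checklist: lock after a defined period of
# inactivity, typically 5-15 minutes. The auditor tests the upper bound;
# a timeout of 0 or "Never" means the lock is disabled and fails outright.
MAX_TIMEOUT_SECONDS = 15 * 60


@dataclass(frozen=True)
class EndpointSetting:
    hostname: str
    source: str                      # "GPO" or "MDM" (constructed values)
    timeout_seconds: Optional[int]   # None models "Never" / unset
    password_on_resume: bool         # lock actually requires re-auth


def evaluate_endpoint(setting: EndpointSetting,
                      max_timeout: int = MAX_TIMEOUT_SECONDS) -> tuple:
    """Return ("Compliant", reason) or ("Non-Compliant", reason).

    The verdict depends on the configured value, not on whether a policy
    object exists: a linked GPO whose timeout is "Never" or 4 hours fails.
    """
    t = setting.timeout_seconds
    if t is None or t <= 0:
        return ("Non-Compliant", "screen lock disabled (timeout is Never/0)")
    if t > max_timeout:
        return ("Non-Compliant",
                f"timeout {t}s exceeds policy maximum of {max_timeout}s")
    if not setting.password_on_resume:
        return ("Non-Compliant", "lock does not require re-authentication")
    return ("Compliant", f"locks after {t}s with password on resume")


def parse_export(lines) -> list:
    """Parse a 'key=value;key=value' export (constructed format).

    A 'Never' or empty timeout maps to None so evaluate_endpoint flags it.
    """
    settings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = dict(kv.split("=", 1) for kv in line.split(";"))
        raw_timeout = fields.get("timeout_seconds", "").strip()
        timeout = None if raw_timeout in ("", "Never") else int(raw_timeout)
        settings.append(EndpointSetting(
            hostname=fields["hostname"],
            source=fields["source"],
            timeout_seconds=timeout,
            password_on_resume=fields.get("password_on_resume", "0") == "1",
        ))
    return settings


def audit(lines, max_timeout: int = MAX_TIMEOUT_SECONDS) -> dict:
    """Evaluate every endpoint in the export; verdicts keyed by hostname."""
    return {s.hostname: evaluate_endpoint(s, max_timeout)
            for s in parse_export(lines)}


# Constructed sample export for demonstration only; not real endpoint data.
SAMPLE_EXPORT = [
    "# hostname;source;timeout_seconds;password_on_resume",
    "hostname=WS-0101;source=GPO;timeout_seconds=600;password_on_resume=1",
    "hostname=WS-0102;source=GPO;timeout_seconds=Never;password_on_resume=1",
    "hostname=WS-0103;source=MDM;timeout_seconds=14400;password_on_resume=1",
    "hostname=WS-0104;source=GPO;timeout_seconds=900;password_on_resume=0",
]

if __name__ == "__main__":
    for host, (verdict, reason) in audit(SAMPLE_EXPORT).items():
        print(f"{host}: {verdict} - {reason}")
```

In the sample, only WS-0101 passes: WS-0102 has the GPO linked but the timeout set to “Never”, WS-0103 locks after four hours, and WS-0104 locks on time but does not require a password to resume, so the displayed data is not actually protected. Each of those would show as “Pass” to a tool that only checks for the presence of a policy object.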