4. Secure Document Disposal Mechanism Presence Confirmed

Verification Criteria: Secure disposal facilities, such as shredding bins or cross-cut shredders, are available and accessible in all areas where sensitive paper information is processed. Required Evidence: Physical sighting of secure shredding consoles and certificates of destruction from the third-party disposal provider.

5. Printer and Multifunction Device (MFD) Output Security Verified

Verification Criteria: Printing of sensitive information is controlled via "Follow-Me" printing or secure PIN-release mechanisms to prevent documents being left in output trays. Required Evidence: Printer server configuration showing authenticated print release or physical observation of empty printer trays during active office hours.

6. Storage of Sensitive Media in Locked Facilities Validated

Verification Criteria: When not in use, removable media and sensitive paper files are stored in locked cabinets or drawers as mandated by the classification level. Required Evidence: Physical inspection of lockable pedestals and cabinets; verification that keys are not left in the locks.

7. External Display and Projector Privacy Confirmed

Verification Criteria: Monitors and projectors in public or semi-public areas are positioned to prevent unauthorised viewing of sensitive data ("shoulder surfing"). Required Evidence: Visual verification of monitor positioning and use of privacy filters on screens in high-traffic or visitor-facing areas.

8. Personnel Awareness and Compliance Confirmation Verified

Verification Criteria: Staff demonstrate awareness of their clear desk/screen obligations and the specific methods for reporting non-compliance. Required Evidence: Training completion logs showing specific modules on physical security and records of employee policy acknowledgements.

9. Removal of Sensitive Information from Meeting Rooms Confirmed

Verification Criteria: Whiteboards are cleaned and all paper/media are removed from meeting rooms and shared spaces immediately following the conclusion of a session. Required Evidence: Observational checks of meeting rooms post-usage or documented room-clearing procedures for facilities staff.

10. Periodic Compliance Monitoring and Reporting Records Present

Verification Criteria: Regular, unannounced inspections are conducted to verify adherence to clear desk and clear screen rules across the organisation. Required Evidence: Documented "Desk Audit" reports or non-conformity logs showing identifying trends and subsequent corrective actions.

ISO 27001 Annex A 7.6 Audit Checklist [+ Templates]

Q: 1. Clear Desk and Clear Screen Policy Formalisation Verified

Verification Criteria: A documented policy exists that explicitly defines the requirements for clearing sensitive information from desks and screens in line with the organisation's risk appetite. Required Evidence: Approved "Clear Desk and Clear Screen Policy" with evidence of recent management review and distribution.

Q: 2. Automated Screen Lock Configuration Confirmed

Verification Criteria: Technical controls are active on all endpoints to automatically lock the screen after a defined period of inactivity (typically 5–15 minutes). Required Evidence: Group Policy Object (GPO) reports or Mobile Device Management (MDM) configuration profiles showing mandatory screen-lock timeouts.

Q: 3. Physical Information Protection in Unattended Areas Verified

Verification Criteria: Physical working areas are free from sensitive paper documents and removable storage media (USBs, external HDDs) when the workspace is unattended. Required Evidence: Results of "after-hours" physical security sweeps or observational logs from recent internal site inspections.

In this ultimate how to audit guide to ISO 27001 Annex A 7.7 Clear Desk and Clear Screen, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 7.7 Clear Desk and Clear Screen Audit Checklist

ISO 27001 Annex A 7.7 Clear Desk and Clear Screen Audit Checklist

Auditing ISO 27001 Annex A 7.6 Clear Desk and Clear Screen is a critical evaluation of physical and technical data protection hygiene in workspaces. The Primary Implementation Requirement mandates clearing sensitive media and locking active displays, ensuring the Business Benefit of preventing accidental data exposure and unauthorized visual access.

This technical verification tool is designed for lead auditors to establish the operational effectiveness of information protection in working areas. Use this checklist to validate compliance with ISO 27001 Annex A 7.6.

1. Clear Desk and Clear Screen Policy Formalisation Verified

Verification Criteria: A documented policy exists that explicitly defines the requirements for clearing sensitive information from desks and screens in line with the organisation’s risk appetite.

Required Evidence: Approved “Clear Desk and Clear Screen Policy” with evidence of recent management review and distribution.

Pass/Fail Test: If there is no formalised policy document specifically addressing clear desk and clear screen requirements, mark as Non-Compliant.

2. Automated Screen Lock Configuration Confirmed

Verification Criteria: Technical controls are active on all endpoints to automatically lock the screen after a defined period of inactivity (typically 5–15 minutes).

Required Evidence: Group Policy Object (GPO) reports or Mobile Device Management (MDM) configuration profiles showing mandatory screen-lock timeouts.

Pass/Fail Test: If a sampled workstation does not automatically lock within the policy-defined timeframe, mark as Non-Compliant.

3. Physical Information Protection in Unattended Areas Verified

Verification Criteria: Physical working areas are free from sensitive paper documents and removable storage media (USBs, external HDDs) when the workspace is unattended.

Required Evidence: Results of “after-hours” physical security sweeps or observational logs from recent internal site inspections.

Pass/Fail Test: If sensitive information (e.g. PII, passwords on sticky notes, or unencrypted media) is found on an unattended desk, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

ISO 27001 Annex A 7.7 Audit Checklist

Table of contents

ISO 27001 Annex A 7.7 Clear Desk and Clear Screen Audit Checklist

1. Clear Desk and Clear Screen Policy Formalisation Verified

2. Automated Screen Lock Configuration Confirmed

3. Physical Information Protection in Unattended Areas Verified