Table of contents
ISO 27001 Clear Desk And Clear Screen
ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is an ISO 27001 control that requires an organisation to secure information on desks, screens and other accessible areas.
The focus for this ISO 27001 Control is information on desks, screens and areas outside normal working hours. As one of the ISO 27001 controls this is about locking confidential information away out of hours.
Purpose
ISO 27001 Annex A 7.7 Clear Desk And Clear Screen is a preventive control that ensures you address the risks of unauthorised access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.
Definition
The ISO 27001 standard defines Clear Desk And Clear Screen as:
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.
ISO 27001:2022 Annex A 7.7 Clear Desk and Clear Screen
Watch the Tutorial
In the video ISO 27001 Clear Desk and Clear Screen Explained – ISO27001:2022 Annex A 7.7 I show you how to implement it and how to pass the audit.
General Guidance
This is a straight forward control to implement. Be sure that IT have set it so that screens auto lock after a short period of time of no activity. Provide lockable storage to locations where confidential information will be stored. This could be paper or even devices and machines that are in storage whilst not allocated or in use. Consider home workers and for those home workers that do require this level of storage then provide it to them and provide them with shredders.
If you have a situation that you are permanently leaving a location having a process of someone doing a final sweep and check of the facility is good practice. It can be that papers fall behind cupboards or draws.
ISO 27001 Clear Desk and Clear Screen Policy
To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific ISO 27001 Clear Desk and Clear Screen Policy.
Implementation Guide
Provide Lockable Storage
To enable people to maintain a clear desk it is good practice to provide lockable storage. This will be based on business need and risk but examples of where lockable storage could be required:
- People who print, use and need to store confidential data
- People use and need to store confidential devices such as payment devices, card readers, devices that are not in use.
- People that work from home
- Directors
- Shareholders
The level of security that the device provides will be based on risk and business need but as a minimum it should be lockable. Other considerations include
- Fireproof
- The level of locks
- Backup keys or access
Enable Auto Screen Locking
To facilitate a clear screen it is now common practice to implement auto locking of screens after a set period of time. Whether managed centrally or per device, auto locking should be enabled with a recommendation of activating after 60 seconds or based on your risk assessment and business need.
Provide Guidelines and Training
Once you deploy the policy it is best practice to continue to train and educate people on clear desk and clear screen and what the requirements are.
Secure Printers
Printers represent a big risk to information security as they are often located away from users and in easy to access locations. It can be the case that printouts are left for long periods unattended and uncollected.
Consider printers with authentication functions so print outs can only be produced when the person is next to the printer.
Areas around printers should be checked on a regular basis and discarded print outs are destroyed securely in line with policy.
How to pass the audit
To pass the audit of ISO 27001 Annex A 7.7 you are going to
- Implement a topic specific clear desk policy
- Provide lockable storage to locations and people that need to store physical confidential and sensitive information
- Implement auto locking and/or auto log out for end users
- Put in place processes for printing that reduce the likelihood or printouts being left un collected.
For more guidance on the clear desk policy read the ISO 27001 Clear Desk Policy Beginner’s Guide
What the auditor will check
The audit is going to check a number of areas. Lets go through the main ones
1. That your devices auto lock
They will check for evidence that end user devices with auto log out or auto lock after a short period of time.
2. Lockable storage
The auditor is going to look for situations where confidential and sensitive information is required in physical form, that could be paper or devices, and they are going to check that you lock it away. This will be in offices but watch out as they will also check this for remote workers.
Top 3 Mistakes People Make
The top 3 mistakes people make for ISO 27001 Clear Desk And Clear Screen are
1. Your devices don’t auto lock
This is something that people sometimes turn off. Developers and technical people are the worst culprits for this. Make sure that if this is set and you expect it to be in place that you check this before the audit. As a minimum ensure you check on the devices of the people that are going to be audited.
2. You don’t have lockable storage
The number of times we see old laptops, archive boxes of information just lying around in meeting rooms, common areas and even kitchens. My advice would be to do some house keeping and stop storing things just in case but as a minimum get it locked away. Also to consider home and remote workers. If they receive company related post or store devices at these locations then provide them with lockable storage. Remote workers are always overlooked.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
ISO 27001 Annex A 7.7 FAQ
ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is important because we are looking at physical media that can easily be compromised, taken, stolen or accessed. Paper and devices are easy to control but also easy to overlook. A breach of this kind of information can be hard to spot until it is way too late.
Paper based company or client reports
Company or confidential post
Devices that are not in use but being stored
Any confidential or sensitive print out
Yes. It is a common sense, practical control that is easy to implement with significant benefit to the reduction of information security risk.
This is a feature on all modern end point devices. Either set in manually or speak with your IT team to set it for all devices.
ISO 27001 templates that support Annex A 7.7 Clear Desk and Clear Screen are located in the ISO 27001 Toolkit.
It is not hard to implement it.
The technical controls are very easy to implement and will take less than an hour. You can write a clear desk policy in around 8 hours or download the ISO 27001 clear desk policy template. Providing storage will take as long as it takes you to purchase and for them to deliver it.
The cost of ISO 27001 Annex A 7.7 will depend how you go about it.
There are templates that support ISO 27001 Annex A 7.7 located in the ISO 27001 Toolkit.
Related ISO 27001 Controls
ISO 27001 Annex A 6.1: Screening
ISO 27001 Annex A 7.1: Physical Security Perimeters
ISO 27001 Annex A 7.10 Storage Media
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality | Protect | Physical security | Protection |
| Integrity | ||||
| Availability |
