ISO 27001:2022 Annex A 7.7 Clear desk and clear screen

ISO 27001 Annex A 7.7 Clear desk and clear screen

In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.7 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 7.7 Clear Desk and Clear Screen

ISO 27001 Annex A 7.7 requires organizations to define and enforce clear desk and clear screen rules to protect information from unauthorized access, loss, or damage. This control applies both during and outside of normal working hours and is a fundamental physical security measure. The goal is simple: ensure that confidential data (on paper or on screen) is never left exposed when a workstation is unattended.

Core requirements for compliance include:

  • Auto-Locking Screens: You must configure all user devices to automatically lock after a short period of inactivity (typically 1 to 5 minutes).
  • Lockable Storage: You should provide lockable drawers or cabinets for employees who handle sensitive physical documents or removable media (like USBs and external hard drives).
  • Secure Printing: Printers are a high-risk area. Use “Follow-Me” printing or PIN-based release to ensure documents aren’t left sitting in the output tray for anyone to see.
  • Meeting Room Hygiene: Whiteboards must be wiped clean after every meeting, and sensitive documents must not be left behind in common areas or kitchens.
  • Remote Work Responsibility: The clear desk policy also applies to home and remote workers. If employees handle company mail or physical devices at home, they must have a way to secure them.

Audit Focus: Auditors will look for “The Unattended Workstation”:

  1. The Floor Walk: They will walk through your office (or ask for a video walk-through) to look for post-it notes with passwords, unlocked screens, or sensitive files sitting on desks.
  2. Configuration Check: They will ask to see the “Auto-Lock” settings on a random employee’s laptop to verify it matches your policy.
  3. Physical Evidence: They will check if your “Locked Shredding Bins” are actually locked and if the keys to storage cabinets are not just left in the locks.

Clear Desk Checklist (Audit Cheat Sheet):

Item | Allowed on desk? | Required compliance action | ISO 27001:2022 control
Family photos | Yes | None; permitted personal item. | 7.7 (Clear desk and clear screen)
Post-it notes | No | Shred or lock away; never use them to store passwords. | 7.7 (Clear desk and clear screen)
Notebooks | No | Secure in a lockable drawer when unattended. | 7.7 (Clear desk and clear screen)
USB drives | No | Lock in a drawer when unattended, and use hardware-encrypted media so a lost drive exposes nothing. | 7.10 (Storage media)
Whiteboards | No | Wipe clean immediately after each meeting. | 7.7 (Clear desk and clear screen)
Monitors | Yes | Configure auto-lock, and lock manually (Win+L) whenever you step away. | 7.7 (Clear desk and clear screen)

What is ISO 27001 Annex A 7.7?

The focus for this ISO 27001 control is information on desks, screens and other accessible areas, both during and outside normal working hours. As one of the ISO 27001 controls, this is about locking confidential information away whenever it is not actively in use, not only out of hours.

ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is an ISO 27001 control that requires an organisation to secure information on desks, screens and other accessible areas.

ISO 27001 Annex A 7.7 Purpose

ISO 27001 Annex A 7.7 Clear Desk And Clear Screen is a preventive control that ensures you address the risks of unauthorised access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.

ISO 27001 Annex A 7.7 Definition

The ISO 27001 standard defines Clear Desk And Clear Screen as:

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.

ISO 27001 Annex A 7.7 Free Training Video

In the video ISO 27001 Clear Desk and Clear Screen Explained – ISO27001:2022 Annex A 7.7 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 7.7 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 7.7 Clear Desk And Clear Screen, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 7.7 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.7 Clear Desk And Clear Screen. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 7.7 Implementation Guidance

General Guidance

This is a straightforward control to implement. Be sure that IT have configured screens to auto lock after a short period of inactivity. Provide lockable storage in locations where confidential information will be stored. This could be paper, or devices and machines that are in storage while not allocated or in use. Consider home workers: for those who require this level of storage, provide it to them, and provide them with shredders.

If you are permanently leaving a location, having someone do a final sweep and check of the facility is good practice. Papers can fall behind cupboards or drawers.

Provide Lockable Storage

To enable people to maintain a clear desk it is good practice to provide lockable storage. This will be based on business need and risk but examples of where lockable storage could be required:

  • People who print, use and need to store confidential data
  • People who use and need to store confidential devices, such as payment devices, card readers and devices that are not in use
  • People that work from home
  • Directors
  • Shareholders

The level of security that the storage provides will be based on risk and business need, but as a minimum it should be lockable. Other considerations include:

  • Fireproof
  • The level of locks
  • Backup keys or access

Enable Auto Screen Locking

To facilitate a clear screen it is now common practice to auto lock screens after a set period of inactivity. Whether managed centrally or per device, auto locking should be enabled, with 60 seconds as a conservative starting point, or longer where your risk assessment and business need justify it. Check that the lock actually requires a credential to resume: a screen saver or blanked display that comes back without a password prompt does not satisfy the control.

Provide Guidelines and Training

Once you deploy the policy it is best practice to continue to train and educate people on clear desk and clear screen and what the requirements are.

Secure Printers

Printers represent a big risk to information security as they are often located away from users and in easy to access locations. It can be the case that printouts are left for long periods unattended and uncollected.

Consider printers with authentication functions so print outs can only be produced when the person is next to the printer.

Areas around printers should be checked on a regular basis, and discarded printouts should be destroyed securely in line with policy.

How to implement ISO 27001 Annex A 7.7

Implementing ISO 27001 Annex A 7.7 (A.11.2.9 in the 2013 edition of the standard) ensures that sensitive information is protected from unauthorised access by maintaining tidy physical and digital environments. This technical workflow minimises the risk of data breaches caused by visual interception or opportunistic theft in office, remote, and public settings.

1. Formalise the Clear Desk and Clear Screen Policy

Establish a documented policy that defines mandatory standards for all employees and contractors to ensure a consistent approach to information confidentiality.

  • Define the scope to include all physical desks, meeting rooms, and digital workstations.
  • Detail the specific requirements for securing hard copy documents and removable media when workstations are unattended.
  • Ensure the policy is signed off by leadership and integrated into the Information Security Management System (ISMS).

2. Provision Technical Screen Lock Controls

Deploy automated technical safeguards to ensure that digital sessions are terminated or secured when a user is not present.

  • Configure Group Policy Objects (GPO) or Mobile Device Management (MDM) profiles to enforce an automatic screen lock after a maximum of five minutes of inactivity.
  • Require authentication (password, PIN or biometric) to resume a locked session; a screen saver that resumes without a credential prompt is not a lock.
  • Enable session timeout limits for sensitive applications and web-based portals to reduce the window of vulnerability.

3. Procure and Distribute Lockable Physical Storage

Equip the workforce with the necessary physical infrastructure to protect sensitive assets and paper records when not in use.

  • Provision lockable pedestals, cabinets, or lockers for every member of staff to secure classified documents and hardware.
  • Implement a master key management process or digital locker access log to maintain a secure chain of custody.
  • Encourage the use of cross-cut shredders or secure waste consoles for the disposal of sensitive paper records.

4. Secure Shared Output Devices and Visual Aids

Control the physical output of sensitive information to prevent unauthorised viewing by visitors or unauthorised personnel.

  • Enable “Follow-Me” printing or PIN-authenticated release on all printers to ensure documents are only printed when the user is present.
  • Position computer monitors and whiteboards away from ground-floor windows or high-traffic corridors to mitigate visual eavesdropping.
  • Formalise the immediate clearing of meeting room whiteboards and the removal of abandoned printouts.

5. Execute Compliance Audits and Record Results

Perform regular inspections to verify adherence to the policy and gather evidence for internal and external ISO 27001 audits.

  • Conduct unannounced “floor walks” after hours to identify and log instances of left-out documents or unlocked screens.
  • Review MDM and GPO reports to verify that technical lock settings are active on all endpoint devices.
  • Document corrective actions taken for non-compliance within the ISMS to demonstrate continuous improvement.

6. Formalise Security Awareness Training

Ensure that all personnel understand their responsibilities regarding physical security and the keyboard shortcuts used to lock a screen.

  • Execute training sessions that highlight the risks of “shoulder surfing” and the legal implications of a data breach.
  • Integrate Clear Desk and Clear Screen requirements into the mandatory onboarding induction for new starters.
  • Utilise internal communications to remind staff of the “Windows + L” or “Cmd + Ctrl + Q” lock shortcuts.
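The technical checks in steps 2 and 5 above can be automated against whatever your MDM or Group Policy reporting exports. The following is an added example written for this guide; it is not part of the ISO standard, the toolkit, or any vendor product. It assumes a constructed inventory export in which each device carries the raw setting values. The Windows registry values, the com.apple.screensaver keys and the GNOME dconf keys named in the comments are the ones those platforms use, but the export format around them is an assumption. The point it makes that a simple timeout report misses: the lock must demand a credential on resume, and any grace period before that prompt counts toward the limit.

```python
"""Check exported endpoint screen-lock settings against a clear screen policy.

Added example for this guide; not part of ISO 27001 or of any MDM/GPO tool.
Assumes an inventory export (constructed below) where each device carries the
raw values an MDM or Group Policy report would surface. Policy: the screen must
lock within MAX_IDLE_SECONDS and must require authentication to unlock.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_IDLE_SECONDS = 300  # 5 minutes; set this from your risk assessment


@dataclass
class Finding:
    device: str
    compliant: bool
    reasons: list[str] = field(default_factory=list)


def _to_int(value, default=None):
    """Registry exports carry numbers as strings ("300"); normalise them."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def check_windows(s: dict) -> list[str]:
    """InactivityTimeoutSecs (HKLM\\...\\Policies\\System) or the screen saver
    values ScreenSaveActive / ScreenSaverIsSecure / ScreenSaveTimeOut
    (HKCU\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop)."""
    machine_limit = _to_int(s.get("InactivityTimeoutSecs"))
    if machine_limit is not None and 0 < machine_limit <= MAX_IDLE_SECONDS:
        return []  # the machine inactivity limit locks the session on its own
    reasons = []
    if _to_int(s.get("ScreenSaveActive"), 0) != 1:
        reasons.append("screen saver disabled and no machine inactivity limit")
    if _to_int(s.get("ScreenSaverIsSecure"), 0) != 1:
        reasons.append("screen saver does not require a password on resume")
    timeout = _to_int(s.get("ScreenSaveTimeOut"))
    if timeout is None or timeout <= 0:
        reasons.append("no screen saver timeout")
    elif timeout > MAX_IDLE_SECONDS:
        reasons.append(f"screen saver timeout {timeout}s exceeds {MAX_IDLE_SECONDS}s")
    return reasons


def _check_idle_plus_grace(idle, requires_auth, grace, labels):
    """macOS and GNOME blank after `idle` seconds and demand a password `grace`
    seconds later, so the user is exposed for idle + grace seconds in total."""
    reasons = []
    if idle is None or idle <= 0:
        reasons.append(f"{labels[0]} not set (screen never locks)")
    if not requires_auth:
        reasons.append(f"{labels[1]} is off")
    elif idle is not None and idle > 0 and idle + grace > MAX_IDLE_SECONDS:
        reasons.append(f"idle {idle}s plus grace {grace}s exceeds {MAX_IDLE_SECONDS}s")
    return reasons


def check_macos(s: dict) -> list[str]:
    """com.apple.screensaver: idleTime, askForPassword, askForPasswordDelay."""
    return _check_idle_plus_grace(
        _to_int(s.get("idleTime")),
        _to_int(s.get("askForPassword"), 0) == 1,
        _to_int(s.get("askForPasswordDelay"), 0),
        ("idleTime", "askForPassword"),
    )


def check_gnome(s: dict) -> list[str]:
    """org.gnome.desktop.session idle-delay; org.gnome.desktop.screensaver
    lock-enabled and lock-delay."""
    return _check_idle_plus_grace(
        _to_int(s.get("idle-delay")),
        str(s.get("lock-enabled", "false")).lower() == "true",
        _to_int(s.get("lock-delay"), 0),
        ("idle-delay", "lock-enabled"),
    )


CHECKS = {"windows": check_windows, "macos": check_macos, "linux-gnome": check_gnome}


def evaluate(inventory: list[dict]) -> list[Finding]:
    findings = []
    for dev in inventory:
        check = CHECKS.get(dev["os"])
        if check is None:  # an unknown platform is a finding, not a pass
            findings.append(Finding(dev["name"], False, [f"unsupported platform {dev['os']}"]))
            continue
        reasons = check(dev["settings"])
        findings.append(Finding(dev["name"], not reasons, reasons))
    return findings


# Constructed sample export; illustrative values, not real devices.
SAMPLE_INVENTORY = [
    {"name": "WIN-001", "os": "windows", "settings": {"InactivityTimeoutSecs": 300}},
    {"name": "WIN-002", "os": "windows", "settings": {
        "ScreenSaveActive": "1", "ScreenSaveTimeOut": "600", "ScreenSaverIsSecure": "0"}},
    {"name": "DEV-LAPTOP", "os": "windows", "settings": {"ScreenSaveActive": "0"}},
    {"name": "MAC-001", "os": "macos", "settings": {
        "idleTime": 300, "askForPassword": 1, "askForPasswordDelay": 300}},
    {"name": "LNX-001", "os": "linux-gnome", "settings": {
        "idle-delay": 300, "lock-enabled": "true", "lock-delay": 0}},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.device:<11} {'OK ' if f.compliant else 'FAIL'} {'; '.join(f.reasons)}")
```

In the sample, MAC-001 fails even though its idle time is within policy, because the five-minute grace period before the password is demanded doubles the exposure window; DEV-LAPTOP is the developer who switched the screen saver off, the mistake called out later in this guide.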

Clear Desk Checklist

Item | Allowed on desk? | Action required
Family photos | Yes | None.
Post-it notes | No | Shred or lock in a drawer.
Notebooks | No | Lock in a drawer when away.
USB drives | No | Lock in a drawer.
Keys | No | Keep on your person.
Whiteboard | No | Wipe clean after every meeting.

ISO 27001 Clear Desk and Clear Screen Policy

To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific ISO 27001 Clear Desk and Clear Screen Policy.

ISO 27001 Clear Desk and Clear Screen Policy - ISO 27001 Annex A 7.7 Template

How to pass the audit

To pass the audit of ISO 27001 Annex A 7.7 you are going to

  • Implement a topic specific clear desk policy
  • Provide lockable storage to locations and people that need to store physical confidential and sensitive information
  • Implement auto locking and/or auto log out for end users
  • Put in place processes for printing that reduce the likelihood of printouts being left uncollected.

For more guidance on the clear desk policy read the ISO 27001 Clear Desk Policy Beginner’s Guide

What the auditor will check

The audit is going to check a number of areas. Let's go through the main ones.

1. That your devices auto lock

They will check for evidence that end user devices auto lock or auto log out after a short period of inactivity.

2. Lockable storage

The auditor is going to look for situations where confidential and sensitive information is required in physical form, that could be paper or devices, and they are going to check that you lock it away. This will be in offices but watch out as they will also check this for remote workers.

Top 3 ISO 27001 Annex A 7.7 mistakes and how to avoid them

The top 3 mistakes people make for ISO 27001 Clear Desk And Clear Screen are

1. Your devices don’t auto lock

This is something that people sometimes turn off. Developers and technical people are the worst culprits for this. Make sure that if this is set and you expect it to be in place that you check this before the audit. As a minimum ensure you check on the devices of the people that are going to be audited.

2. You don’t have lockable storage

The number of times we see old laptops and archive boxes of information just lying around in meeting rooms, common areas and even kitchens. My advice would be to do some housekeeping and stop storing things just in case, but as a minimum get it locked away. Also consider home and remote workers. If they receive company related post or store devices at these locations then provide them with lockable storage. Remote workers are always overlooked.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no stray tracked comments left in them are all good practices.

Applicability of ISO 27001 Annex A 7.7 across different business models

Business type: Small businesses
Applicability: Applies to daily office hygiene and ensuring that simple physical mistakes don’t lead to data exposure. The goal is to build a culture where information is locked away before staff leave for the day.
Examples of control implementation:
  • Enforcing a policy that all whiteboards must be wiped clean at the end of every meeting.
  • Providing lockable desk pedestals for staff to store notebooks and company-issued mobile phones overnight.
  • Configuring all office laptops to auto-lock after 2 minutes of inactivity to prevent unauthorized viewing by visitors.

Business type: Tech startups
Applicability: Critical for managing remote and hybrid teams. Compliance involves extending physical security rules to home offices and ensuring that digital “desks” (desktops) are managed via technical automation.
Examples of control implementation:
  • Using MDM tools (like Intune or Jamf) to enforce a mandatory 5-minute screen lock across the entire remote workforce.
  • Providing home workers with cross-cut shredders to securely dispose of company-related mail or draft notes.
  • Restricting the use of “Post-it” notes for password storage through regular security awareness quizzes and reminders.

Business type: AI companies
Applicability: Vital for protecting proprietary model IP and sensitive training metadata. Focus is on preventing visual eavesdropping in high-performance research environments.
Examples of control implementation:
  • Distributing physical privacy screen filters to data scientists working in open-plan co-working spaces.
  • Implementing “Follow-Me” printing to ensure that sensitive research papers are only printed when the user is at the printer.
  • Conducting unannounced after-hours “floor walks” to verify that no high-sensitivity model diagrams are left on desks or monitors.

Fast Track ISO 27001 Annex A 7.7 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 7.7 (Clear desk and clear screen), the requirement is to define and enforce rules for clear desks (papers and removable media) and clear screens (information processing facilities). This is a physical and procedural control designed to prevent unauthorised access or loss of information.

Compliance factor: Policy ownership
  SaaS compliance platforms: Rents access to your desk rules; if you cancel the subscription, your documented walkthrough history and standards vanish.
  High Table ISO 27001 Toolkit: Permanent assets: fully editable Word/Excel Clear Desk and Clear Screen Policies that you own forever.
  Audit evidence example: A localized “Clear Desk Policy” defining “no post-it note” rules and whiteboard clearing procedures.

Compliance factor: Behavioral governance
  SaaS compliance platforms: Attempts to “automate” physical security via dashboards that cannot physically clear a desk or wipe a whiteboard.
  High Table ISO 27001 Toolkit: Governance-first: formalizes office behavior and manager walkthroughs into an auditor-ready framework.
  Audit evidence example: A completed “Clear Desk Checklist” from a monthly office sweep or home-office self-assessment.

Compliance factor: Cost efficiency
  SaaS compliance platforms: Charges a “Physical Facility Tax” based on the number of locations or total users tracked.
  High Table ISO 27001 Toolkit: One-off fee: a single payment covers your governance documentation for 10 employees or 1,000.
  Audit evidence example: Allocating budget to physical security (e.g., lockable pedestals or privacy filters) rather than monthly software fees.

Compliance factor: Hybrid freedom
  SaaS compliance platforms: Mandates rigid reporting structures that often fail to account for flexible hybrid or remote work models.
  High Table ISO 27001 Toolkit: 100% agnostic: procedures adapt to any environment, whether traditional offices, co-working spaces, or home offices.
  Audit evidence example: The ability to evolve your “Clean Workspace” strategy without reconfiguring a rigid SaaS compliance module.

Summary: For Annex A 7.7, the auditor wants to see that you have a formal policy for clear desks and screens and proof that you follow it (e.g., auto-lock settings and site walkthrough logs). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 7.7 FAQ

What is ISO 27001 Annex A 7.7?

ISO 27001 Annex A 7.7 is a physical and organisational security control that mandates the implementation of clear desk and clear screen rules to prevent unauthorised access to sensitive information.

  • It applies to all physical workspaces, including desks, printers, and meeting rooms.
  • It covers digital workspaces, requiring screens to be locked or cleared when unattended.
  • It aims to reduce the risk of “visual eavesdropping” or opportunistic data theft.
  • It is a key requirement for achieving the ‘Confidentiality’ pillar of the CIA triad.

Is a Clear Desk Policy mandatory for ISO 27001?

In practice, yes. Annex A controls are selected through the Statement of Applicability and any exclusion must be justified; it is hard to justify excluding 7.7 for any organisation that handles paper or has screens, so you should expect to define and enforce rules for clearing sensitive information from workspaces.

  • Hard-copy information and removable storage media must be locked away when not in use.
  • Sensitive documents must be cleared from desks at the end of the working day.
  • Printers and whiteboards must be cleared of sensitive data immediately after use.
  • The policy should be applied to office-based, remote, and home-working environments.

How do you implement a Clear Screen Policy?

Implementing a Clear Screen policy involves combining technical automated controls with employee awareness to ensure digital information is never left exposed.

  • Auto-Lock: Configure a mandatory screen-saver lock after a short period of inactivity (typically 1 to 5 minutes, set according to your risk assessment), and make sure that resuming requires a password.
  • Manual Lock: Train employees to use the ‘Windows Key + L’ or ‘Command + Control + Q’ shortcut every time they leave their desk.
  • Privacy Filters: Use physical screen filters in high-traffic areas or public spaces.
  • Termination: Ensure active sessions are terminated when the user finishes their task or leaves the facility.
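The termination point, also listed under step 2 of the implementation workflow above for sensitive applications and web portals, has to be enforced on the server. The following is an added example, not from the standard or from any particular web framework; the session store, the timeout values and the injectable clock are all assumptions made for illustration. It enforces both an idle timeout and an absolute lifetime, and it deletes an expired session rather than merely refusing it.

```python
"""Server-side session expiry for a web portal: idle timeout plus absolute lifetime.

Added example for this guide; not from the standard or from any web framework.
Assumes sessions are held server-side (here a dict keyed by session id) and
that every request passes through touch(). A countdown in the browser is a
courtesy to the user, not a control: the client can simply not run it.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before the session is dropped
ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap, even for a continuously active session


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised in tests
        self._sessions = {}  # sid -> {"user", "created", "last_seen"}

    def _expired(self, s, t):
        return t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_LIFETIME

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256-bit random id, never derived from the user
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def touch(self, sid):
        """Call on every request. Returns the user, or None after terminating an
        expired or unknown session."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if self._expired(s, t):
            del self._sessions[sid]  # terminate; do not merely refuse the request
            return None
        s["last_seen"] = t
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def sweep(self):
        """Purge sessions left behind by users who walked away without logging
        out, so they do not linger until a next request that never comes."""
        t = self._now()
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, t)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def active_count(self):
        return len(self._sessions)
```

Run sweep() from a scheduled task as well as checking on each request: the idle check in touch() only fires when the user comes back, and an abandoned session that nobody touches would otherwise stay valid on the server.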

Does Annex A 7.7 apply to home offices and remote work?

Yes, the scope of ISO 27001 Annex A 7.7 extends to any location where organisational information is processed, including home offices and public spaces.

  • Remote workers should ensure screens are not visible to family members or visitors.
  • Physical documents used at home must be stored in a lockable cabinet or drawer.
  • Sensitive information should be shredded rather than placed in general domestic waste.
  • VPN and session timeouts should be strictly enforced on remote hardware.

How can organisations audit Clear Desk and Clear Screen compliance?

Auditing compliance requires regular, documented physical “walk-throughs” and technical configuration checks to verify that policies are being followed.

  • Conduct unannounced “after-hours” desk checks to identify left-out documents or media.
  • Review Active Directory or MDM policies to confirm auto-lock timers are correctly configured.
  • Use employee awareness quizzes to test understanding of the policy.
  • Document findings in an internal audit report to serve as evidence for certification auditors.

What are the consequences of non-compliance with Annex A 7.7?

Non-compliance with Annex A 7.7 poses significant risks, including data breaches, regulatory fines, and the potential failure of an ISO 27001 certification audit.

  • Unauthorized individuals (including cleaners or visitors) may view sensitive client data.
  • The organisation may be in breach of GDPR or other data protection laws.
  • It can result in a “Minor Non-Conformity” during an external audit.
  • Loss of reputation if a data leak occurs due to a visible screen or left-out document.

ISO 27001 Annex A 6.1 Screening

ISO 27001 Annex A 7.1 Physical Security Perimeters

ISO 27001 Annex A 7.10 Storage Media

ISO 27001 Controls and Attribute Values

Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
Preventive | Confidentiality, Integrity, Availability | Protect | Physical security | Protection
Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
