ISO 27001 Clear Desk and Clear Screen

The focus for this ISO 27001 Control is information on desks, screens and areas outside normal working hours. As one of the ISO 27001 controls this is about locking confidential information away out of hours.

You will learn what the ISO 27001 control 7.7 is, how to simply and easily implement it for ISO 27001 certification and I will show you some common gotchas so you can avoid them.

What is ISO 27001 Annex A 7.7 Clear Desk And Clear Screen?

ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is an ISO 27001 control that requires an organisation to secure information on desks, screens and other accessible areas.

ISO 27001 Annex A 7.7 Purpose

Annex A 7.7 is a preventive control that ensures you address the risks of unauthorised access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.

ISO 27001 Annex A 7.7 Definition

The ISO 27001 standard defines Annex A 7.7 as:

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.

ISO 27001:2022 Annex A 7.7 Clear Desk and Clear Screen

DO IT YOURSELF ISO27001

STOP SPANKING £10,000s

ISO 27001 Annex A 7.7 Clear Desk And Clear Screen Implementation Guide

General Guidance

You are going to have to ensure that

  • you implement a topic specific Clear Desk Policy
  • you provided lockable storage where required
  • you implement auto screen locking after a set period of time
  • guidelines and training are provided on what is expected
  • ensure confidential and sensitive information is locked away when not being used and when the location in which is resides is not occupied
  • for printers the process is to collect the printout immediately and to consider printers with authentication functions so print outs can only be produced when the person is next to the printer
  • for areas around printers they are checked on a regular basis and discarded print outs are destroyed securly in line with policy

This is a straight forward control to implement. Be sure that IT have set it so that screens auto lock after a short period of time of no activity. Provide lockable storage to locations where confidential information will be stored. This could be paper or even devices and machines that are in storage whilst not allocated or in use. Consider home workers and for those home workers that do require this level of storage then provide it to them and provide them with shredders.

If you have a situation that you are permanently leaving a location having a process of someone doing a final sweep and check of the facility is good practice. It can be that papers fall behind cupboards or draws.

For more guidance on the clear desk policy read the ISO 27001 Clear Desk Policy Beginner’s Guide

ISO 27001 Templates

ISO 27001 Clear Desk and Clear Screen Policy-Black

Everything you need to meet this control is provided in the ISO 27001 Toolkit which has been designed so you can DIY your ISO 27001 Certification.

How to comply with ISO 27001 Annex A 7.7

To comply with ISO 27001 Annex A 7.7 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Implement a topic specific clear desk policy
  • Provide lockable storage to locations and people that need to store physical confidential and sensitive information
  • Implement auto locking and/or auto log out for end users
  • Put in place processes for printing that reduce the likelihood or printouts being left un collected.

How to pass an audit of ISO 27001 Annex A 7.7

To pass an audit of ISO 27001 Annex A 7.7 Clear Desk and Clear Screen you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will an audit check?

The audit is going to check a number of areas. Lets go through the main ones

1. That your devices auto lock

They will check for evidence that end user devices with auto log out or auto lock after a short period of time.

2. Lockable storage

The auditor is going to look for situations where confidential and sensitive information is required in physical form, that could be paper or devices, and they are going to check that you lock it away. This will be in offices but watch out as they will also check this for remote workers.

Top 3 Mistakes People Make for ISO 27001 Annex A 7.7

The top 3 mistakes people make for ISO 27001 Annex A 7.7 are

1. Your devices don’t auto lock

This is something that people sometimes turn off. Developers and technical people are the worst culprits for this. Make sure that if this is set and you expect it to be in place that you check this before the audit. As a minimum ensure you check on the devices of the people that are going to be audited.

2. You don’t have lockable storage

The number of times we see old laptops, archive boxes of information just lying around in meeting rooms, common areas and even kitchens. My advice would be to do some house keeping and stop storing things just in case but as a minimum get it locked away. Also to consider home and remote workers. If they receive company related post or store devices at these locations then provide them with lockable storage. Remote workers are always overlooked.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Why is ISO 27001 Annex A 7.7 Clear Desk And Clear Screen important?

ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is important because we are looking at physical media that can easily be compromised, taken, stolen or accessed. Paper and devices are easy to control but also easy to overlook. A breach of this kind of information can be hard to spot until it is way too late.

ISO 27001 Annex A 7.7 FAQ

What are examples for ISO 27001 Annex A 7.7 clear desk items?

Paper based company or client reports
Company or confidential post
Devices that are not in use but being stored
Any confidential or sensitive print out

Do I have to satisfy ISO 27001 Annex A 7.7 Clear Desk and Clear Screen for ISO 27001 Certification?

Yes. It is a common sense, practical control that is easy to implement with significant benefit to the reduction of information security risk.

How do you auto lock end point devices?

This is a feature on all modern end point devices. Either set in manually or speak with your IT team to set it for all devices.

Where can I get an ISO 27001 Annex A 7.7 free sample ISO 27001 Clear Desk Policy PDF?

The ISO 27001 Annex A 7.7 Clear Desk Policy Sample PDF

Where can I get templates for ISO 27001 Annex A 7.7 Clear Desk and Clear Screen?

ISO 27001 templates for Annex A 7.7 Clear Desk and Clear Screen are located in the ISO 27001 Toolkit.

How hard is ISO 27001 Annex A 7.7 Clear Desk and Clear Screen?

It is not hard to implement it.

How long will ISO 27001 Annex A 7.7 Clear Desk and Clear Screen take me?

The technical controls are very easy to implement and will take less than an hour. You can write a clear desk policy in around 8 hours or download the ISO 27001 clear desk policy template. Providing storage will take as long as it takes you to purchase and for them to deliver it.

How much will ISO 27001 Annex A 7.7 cost me?

The cost of ISO 27001 Annex A 7.7 will depend how you go about it.

Are there free templates for ISO 27001 Annex A 7.7?

There are templates for ISO 27001 Annex A 7.7 located in the ISO 27001 Toolkit.

Get the Help of the ISO 27001 Ninja

Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.

Controls and Attribute Values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
PreventiveConfidentialityProtectPhysical securityProtection
Integrity
Availability