Table of contents
- ISO 27001 Clear Desk and Clear Screen
- What is ISO 27001 Annex A 7.7 Clear Desk And Clear Screen?
- ISO 27001 Annex A 7.7 Clear Desk And Clear Screen Implementation Guide
- ISO 27001 Templates
- How to comply with ISO 27001 Annex A 7.7
- How to pass an audit of ISO 27001 Annex A 7.7
- What will an audit check?
- Top 3 Mistakes People Make for ISO 27001 Annex A 7.7
- Why is ISO 27001 Annex A 7.7 Clear Desk And Clear Screen important?
- ISO 27001 Annex A 7.7 FAQ
- Get the Help of the ISO 27001 Ninja
- Controls and Attribute Values
ISO 27001 Clear Desk and Clear Screen
The focus for this ISO 27001 Control is information on desks, screens and areas outside normal working hours. As one of the ISO 27001 controls this is about locking confidential information away out of hours.
You will learn what the ISO 27001 control 7.7 is, how to simply and easily implement it for ISO 27001 certification and I will show you some common gotchas so you can avoid them.
What is ISO 27001 Annex A 7.7 Clear Desk And Clear Screen?
ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is an ISO 27001 control that requires an organisation to secure information on desks, screens and other accessible areas.
ISO 27001 Annex A 7.7 Purpose
Annex A 7.7 is a preventive control that ensures you address the risks of unauthorised access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.
ISO 27001 Annex A 7.7 Definition
The ISO 27001 standard defines Annex A 7.7 as:
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.
ISO 27001:2022 Annex A 7.7 Clear Desk and Clear Screen
DO IT YOURSELF
ISO 27001
ISO 27001 Annex A 7.7 Clear Desk And Clear Screen Implementation Guide
General Guidance
You are going to have to ensure that
- you implement a topic specific Clear Desk Policy
- you provided lockable storage where required
- you implement auto screen locking after a set period of time
- guidelines and training are provided on what is expected
- ensure confidential and sensitive information is locked away when not being used and when the location in which is resides is not occupied
- for printers the process is to collect the printout immediately and to consider printers with authentication functions so print outs can only be produced when the person is next to the printer
- for areas around printers they are checked on a regular basis and discarded print outs are destroyed securly in line with policy
This is a straight forward control to implement. Be sure that IT have set it so that screens auto lock after a short period of time of no activity. Provide lockable storage to locations where confidential information will be stored. This could be paper or even devices and machines that are in storage whilst not allocated or in use. Consider home workers and for those home workers that do require this level of storage then provide it to them and provide them with shredders.
If you have a situation that you are permanently leaving a location having a process of someone doing a final sweep and check of the facility is good practice. It can be that papers fall behind cupboards or draws.
For more guidance on the clear desk policy read the ISO 27001 Clear Desk Policy Beginner’s Guide
ISO 27001 Templates
Everything you need to meet this control is provided in the ISO 27001 Toolkit which has been designed so you can DIY your ISO 27001 Certification.
How to comply with ISO 27001 Annex A 7.7
To comply with ISO 27001 Annex A 7.7 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:
- Implement a topic specific clear desk policy
- Provide lockable storage to locations and people that need to store physical confidential and sensitive information
- Implement auto locking and/or auto log out for end users
- Put in place processes for printing that reduce the likelihood or printouts being left un collected.
How to pass an audit of ISO 27001 Annex A 7.7
To pass an audit of ISO 27001 Annex A 7.7 Clear Desk and Clear Screen you are going to make sure that you have followed the steps above in how to comply.
You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.
What will an audit check?
The audit is going to check a number of areas. Lets go through the main ones
1. That your devices auto lock
They will check for evidence that end user devices with auto log out or auto lock after a short period of time.
2. Lockable storage
The auditor is going to look for situations where confidential and sensitive information is required in physical form, that could be paper or devices, and they are going to check that you lock it away. This will be in offices but watch out as they will also check this for remote workers.
Top 3 Mistakes People Make for ISO 27001 Annex A 7.7
The top 3 mistakes people make for ISO 27001 Annex A 7.7 are
1. Your devices don’t auto lock
This is something that people sometimes turn off. Developers and technical people are the worst culprits for this. Make sure that if this is set and you expect it to be in place that you check this before the audit. As a minimum ensure you check on the devices of the people that are going to be audited.
2. You don’t have lockable storage
The number of times we see old laptops, archive boxes of information just lying around in meeting rooms, common areas and even kitchens. My advice would be to do some house keeping and stop storing things just in case but as a minimum get it locked away. Also to consider home and remote workers. If they receive company related post or store devices at these locations then provide them with lockable storage. Remote workers are always overlooked.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
Why is ISO 27001 Annex A 7.7 Clear Desk And Clear Screen important?
ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is important because we are looking at physical media that can easily be compromised, taken, stolen or accessed. Paper and devices are easy to control but also easy to overlook. A breach of this kind of information can be hard to spot until it is way too late.
ISO 27001 Annex A 7.7 FAQ
Paper based company or client reports
Company or confidential post
Devices that are not in use but being stored
Any confidential or sensitive print out
Yes. It is a common sense, practical control that is easy to implement with significant benefit to the reduction of information security risk.
This is a feature on all modern end point devices. Either set in manually or speak with your IT team to set it for all devices.
ISO 27001 templates for Annex A 7.7 Clear Desk and Clear Screen are located in the ISO 27001 Toolkit.
It is not hard to implement it.
The technical controls are very easy to implement and will take less than an hour. You can write a clear desk policy in around 8 hours or download the ISO 27001 clear desk policy template. Providing storage will take as long as it takes you to purchase and for them to deliver it.
The cost of ISO 27001 Annex A 7.7 will depend how you go about it.
There are templates for ISO 27001 Annex A 7.7 located in the ISO 27001 Toolkit.
Get the Help of the ISO 27001 Ninja
Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.
Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality | Protect | Physical security | Protection |
| Integrity | ||||
| Availability |