ISO 27001 Clear Desk And Clear Screen
I am going to show you what ISO 27001 Annex A 7.7 Clear Desk And Clear Screen is, what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it.
Table of contents
What is ISO 27001 Annex A 7.7?
ISO 27001:2022 Annex A 7.7 Clear Desk and Clear Screen is an ISO 27001 control that requires an organisation to secure information on desks, screens and other accessible areas.
This is about locking confidential information away out of hours.
Purpose
ISO 27001:2022 Annex A 7.7 is a preventive control that ensures you address the risks of unauthorised access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.
Definition
The ISO 27001 standard defines Annex A 7.7 as:
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.
ISO 27001:2022 Annex A 7.7 Clear Desk and Clear Screen
Implementation Guide
General Guidance
You are going to have to ensure that
- you implement a topic specific Clear Desk Policy
- you provided lockable storage where required
- you implement auto screen locking after a set period of time
- guidelines and training are provided on what is expected
- ensure confidential and sensitive information is locked away when not being used and when the location in which is resides is not occupied
- for printers the process is to collect the printout immediately and to consider printers with authentication functions so print outs can only be produced when the person is next to the printer
- for areas around printers they are checked on a regular basis and discarded print outs are destroyed securly in line with policy
This is a straight forward control to implement. Be sure that IT have set it so that screens auto lock after a short period of time of no activity. Provide lockable storage to locations where confidential information will be stored. This could be paper or even devices and machines that are in storage whilst not allocated or in use. Consider home workers and for those home workers that do require this level of storage then provide it to them and provide them with shredders.
If you have a situation that you are permanently leaving a location having a process of someone doing a final sweep and check of the facility is good practice. It can be that papers fall behind cupboards or draws.
ISO 27001 Templates
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
How to pass the audit
To pass the audit of ISO 27001 Annex A 7.7 you are going to
- Implement a topic specific clear desk policy
- Provide lockable storage to locations and people that need to store physical confidential and sensitive information
- Implement auto locking and/or auto log out for end users
- Put in place processes for printing that reduce the likelihood or printouts being left un collected.
For more guidance on the clear desk policy read the ISO 27001 Clear Desk Policy Beginner’s Guide
What the auditor will check
The audit is going to check a number of areas. Lets go through the main ones
1. That your devices auto lock
They will check for evidence that end user devices with auto log out or auto lock after a short period of time.
2. Lockable storage
The auditor is going to look for situations where confidential and sensitive information is required in physical form, that could be paper or devices, and they are going to check that you lock it away. This will be in offices but watch out as they will also check this for remote workers.
Top 3 Mistakes People Make
The top 3 mistakes people make for ISO 27001 Annex A 7.7 are
1. Your devices don’t auto lock
This is something that people sometimes turn off. Developers and technical people are the worst culprits for this. Make sure that if this is set and you expect it to be in place that you check this before the audit. As a minimum ensure you check on the devices of the people that are going to be audited.
2. You don’t have lockable storage
The number of times we see old laptops, archive boxes of information just lying around in meeting rooms, common areas and even kitchens. My advice would be to do some house keeping and stop storing things just in case but as a minimum get it locked away. Also to consider home and remote workers. If they receive company related post or store devices at these locations then provide them with lockable storage. Remote workers are always overlooked.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
FAQ
ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is important because we are looking at physical media that can easily be compromised, taken, stolen or accessed. Paper and devices are easy to control but also easy to overlook. A breach of this kind of information can be hard to spot until it is way too late.
Paper based company or client reports
Company or confidential post
Devices that are not in use but being stored
Any confidential or sensitive print out
Yes. It is a common sense, practical control that is easy to implement with significant benefit to the reduction of information security risk.
This is a feature on all modern end point devices. Either set in manually or speak with your IT team to set it for all devices.
ISO 27001 templates for Annex A 7.7 Clear Desk and Clear Screen are located in the ISO 27001 Toolkit.
It is not hard to implement it.
The technical controls are very easy to implement and will take less than an hour. You can write a clear desk policy in around 8 hours or download the ISO 27001 clear desk policy template. Providing storage will take as long as it takes you to purchase and for them to deliver it.
The cost of ISO 27001 Annex A 7.7 will depend how you go about it.
There are templates for ISO 27001 Annex A 7.7 located in the ISO 27001 Toolkit.
Matrix of ISO 27001 controls and attribute values
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
---|---|---|---|---|
Preventive | Confidentiality | Protect | Physical security | Protection |
Integrity | ||||
Availability |