ISO 27001 Annex A 7.7 Clear Desk And Clear Screen

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 7.7 Clear Desk And Clear Screen

ISO 27001 Clear Desk And Clear Screen

To protect information in digital and printed forms for ISO 27001, desks are kept clear of confidential data and devices and screens are set to auto lock when not used for a set time.

In this ultimate guide to ISO 27001 Clear Desk And Clear Screen you will learn

  • What is meant by ISO 27001 Clear Screen and Clear Desk
  • How to implement controls for clear screens and desks for ISO 27001

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Clear Desk And Clear Screen?

ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is an ISO 27001 control that requires an organisation to secure information on desks, screens and other accessible areas.

This is about locking confidential information away out of hours.

ISO 27001 Clear Desk And Clear Screen Purpose

ISO 27001 Annex A 7.7 Clear Desk And Clear Screen is a preventive control that ensures you address the risks of unauthorised access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.

ISO 27001 Clear Desk And Clear Screen Definition

The ISO 27001 standard defines Clear Desk And Clear Screen as:

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.

ISO 27001:2022 Annex A 7.7 Clear Desk and Clear Screen
ISO 27001 Toolkit

Implementation Guide

Topic specific clear desk and clear screen policy

To communicate to people what you do and what is expected you are going to write, sign off, implement and communicate your topic specific ISO 27001 Clear Desk and Clear Screen Policy.

ISO 27001 Clear Desk and Clear Screen Policy Template

Provide Lockable Storage

To enable people to maintain a clear desk it is good practice to provide lockable storage. This will be based on business need and risk but examples of where lockable storage could be required:

  • People who print, use and need to store confidential data
  • People use and need to store confidential devices such as payment devices, card readers, devices that are not in use.
  • People that work from home
  • Directors
  • Shareholders

The level of security that the device provides will be based on risk and business need but as a minimum it should be lockable. Other considerations include

  • Fireproof
  • The level of locks
  • Backup keys or access

Enable Auto Screen Locking

To facilitate a clear screen it is now common practice to implement auto locking of screens after a set period of time. Whether managed centrally or per device, auto locking should be enabled with a recommendation of activating after 60 seconds or based on your risk assessment and business need.

Provide Guidelines and Training

Once you deploy the policy it is best practice to continue to train and educate people on clear desk and clear screen and what the requirements are.

Secure Printers

Printers represent a big risk to information security as they are often located away from users and in easy to access locations. It can be the case that printouts are left for long periods unattended and uncollected.

Consider printers with authentication functions so print outs can only be produced when the person is next to the printer.

Areas around printers should be checked on a regular basis and discarded print outs are destroyed securely in line with policy.

General Guidance

This is a straight forward control to implement. Be sure that IT have set it so that screens auto lock after a short period of time of no activity. Provide lockable storage to locations where confidential information will be stored. This could be paper or even devices and machines that are in storage whilst not allocated or in use. Consider home workers and for those home workers that do require this level of storage then provide it to them and provide them with shredders.

If you have a situation that you are permanently leaving a location having a process of someone doing a final sweep and check of the facility is good practice. It can be that papers fall behind cupboards or draws.

Watch the tutorial

Watch the ISO 27001 tutorial on clear desk and clear screen.

ISO 27001 Templates

For Annex A 7.7 you need a topic specific ISO 27001 Clear Desk and Clear Screen Policy.

Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.

How to pass the audit

To pass the audit of ISO 27001 Annex A 7.7 you are going to

  • Implement a topic specific clear desk policy
  • Provide lockable storage to locations and people that need to store physical confidential and sensitive information
  • Implement auto locking and/or auto log out for end users
  • Put in place processes for printing that reduce the likelihood or printouts being left un collected.

For more guidance on the clear desk policy read the ISO 27001 Clear Desk Policy Beginner’s Guide

What the auditor will check

The audit is going to check a number of areas. Lets go through the main ones

1. That your devices auto lock

They will check for evidence that end user devices with auto log out or auto lock after a short period of time.

2. Lockable storage

The auditor is going to look for situations where confidential and sensitive information is required in physical form, that could be paper or devices, and they are going to check that you lock it away. This will be in offices but watch out as they will also check this for remote workers.

Top 3 Mistakes People Make

The top 3 mistakes people make for ISO 27001 Clear Desk And Clear Screen are

1. Your devices don’t auto lock

This is something that people sometimes turn off. Developers and technical people are the worst culprits for this. Make sure that if this is set and you expect it to be in place that you check this before the audit. As a minimum ensure you check on the devices of the people that are going to be audited.

2. You don’t have lockable storage

The number of times we see old laptops, archive boxes of information just lying around in meeting rooms, common areas and even kitchens. My advice would be to do some house keeping and stop storing things just in case but as a minimum get it locked away. Also to consider home and remote workers. If they receive company related post or store devices at these locations then provide them with lockable storage. Remote workers are always overlooked.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

ISO 27001 Certification Strategy Session

ISO 27001 Clear Desk And Clear Screen FAQ

Why is ISO 27001 Annex A 7.7 Clear Desk And Clear Screen important?

ISO 27001 Annex A 7.7 Clear Desk and Clear Screen is important because we are looking at physical media that can easily be compromised, taken, stolen or accessed. Paper and devices are easy to control but also easy to overlook. A breach of this kind of information can be hard to spot until it is way too late.

What are examples for ISO 27001 Annex A 7.7 clear desk items?

Paper based company or client reports
Company or confidential post
Devices that are not in use but being stored
Any confidential or sensitive print out

Do I have to satisfy ISO 27001 Annex A 7.7 Clear Desk and Clear Screen for ISO 27001 Certification?

Yes. It is a common sense, practical control that is easy to implement with significant benefit to the reduction of information security risk.

How do you auto lock end point devices?

This is a feature on all modern end point devices. Either set in manually or speak with your IT team to set it for all devices.

Where can I get templates for ISO 27001 Annex A 7.7 Clear Desk and Clear Screen?

ISO 27001 templates that support Annex A 7.7 Clear Desk and Clear Screen are located in the ISO 27001 Toolkit.

How hard is ISO 27001 Annex A 7.7 Clear Desk and Clear Screen?

It is not hard to implement it.

How long will ISO 27001 Annex A 7.7 Clear Desk and Clear Screen take me?

The technical controls are very easy to implement and will take less than an hour. You can write a clear desk policy in around 8 hours or download the ISO 27001 clear desk policy template. Providing storage will take as long as it takes you to purchase and for them to deliver it.

How much will ISO 27001 Annex A 7.7 cost me?

The cost of ISO 27001 Annex A 7.7 will depend how you go about it.

Are there free templates for ISO 27001 Annex A 7.7?

There are templates that support ISO 27001 Annex A 7.7 located in the ISO 27001 Toolkit.

Matrix of ISO 27001 controls and attribute values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
PreventiveConfidentialityProtectPhysical securityProtection
Integrity
Availability
Share to...