ISO 27001 7.7 Clear Desk and Clear Screen is a Physical control that protects information from unauthorised access and damage. It mandates that employees secure physical media and lock digital displays when workstations are unattended. This control ensures confidentiality and integrity across all organisational work environments.
| Attribute | Value |
|---|---|
| Control Type | Physical |
| Information Security Properties | Confidentiality, Integrity |
| Cybersecurity Concepts | Protect |
| Operational Capabilities | Physical Security |
Implementation Difficulty & Cost
Difficulty: 2/5. The technical enforcement is straightforward. The primary challenge remains changing the organisational culture and maintaining staff compliance over time.
Cost: Low. Most organisations already own the necessary technical tools. Physical storage costs are minimal if pedestals already exist in the office.
Control Owner: Facilities Manager and IT Manager.
Accountability: CISO → Facilities/IT Manager → Department Head → Individual Employee.
ISO 27002 Control Guidance
Physical guidance focuses on the protection of information on desks. Organisations should adopt a policy that requires clearing desks of sensitive information. This applies during breaks and at the end of the working day. You must provide lockable cabinets or pedestals. This allows staff to secure sensitive papers and removable media. Whiteboards in meeting rooms must be wiped clean after use. This prevents the next occupant from viewing sensitive project data or credentials.
Technical guidance addresses the clear screen requirement. You must ensure that information on screens is not visible to unauthorised persons. This requires the use of automatic session timeouts. I recommend a maximum timeout of five to ten minutes for office environments. Personnel should manually lock their screens using keyboard shortcuts when leaving their desks. Display privacy filters are essential for staff working in public areas or near windows. These filters mitigate the risk of visual hacking by passers-by.
Behavioural guidance emphasises the human element. Security awareness is the primary driver of success for this control. Conduct regular training to explain the risks of leaving information unattended. I often see firms fail here because they treat the policy as a one-time document. You must integrate these rules into the daily working culture. Use internal newsletters or digital signage to maintain visibility. Management must lead by example to show that physical security is a shared responsibility.
10 Steps to Implement Clear Desk and Clear Screen
- Draft the Policy Framework: Draft a clear desk and clear screen policy in your internal repository. Use your existing SharePoint or internal wiki. This document must define rules for papers and removable media. Management should approve the policy before distribution. Version history proves active management ownership and avoids the common trap of adopting an unmodified template as your policy.
- Review Asset Classifications: Identify physical assets and screens in open office areas. Map these to your information classification scheme. High-risk data requires stricter physical protection measures. Use your asset register in Jira to track sensitive hardware. This ensures that protection levels match the data sensitivity. Proper classification drives the entire security process.
- Configure Automated Screen Locks: Enforce automatic screen locks via Microsoft Intune or GPO. Set a maximum timeout of five minutes for unattended systems. This prevents unauthorised individuals from accessing open sessions. Use centralised configuration to ensure uniform security across all endpoints. Documented settings provide the technical proof required during audits. This acts as a backstop for human error.
- Provision Lockable Storage Units: Provide lockable pedestals or cabinets for all personnel. Ensure every workstation has a secure area for sensitive papers. Staff should lock these units before leaving their desks. Auditors check for unlocked drawers during walkthroughs. Maintenance logs for these units provide objective evidence. This secures the physical office perimeter effectively.
- Install Secure Disposal Consoles: Install locked shredding bins for all paper waste. Replace standard desk bins with these secure consoles. This encourages personnel to dispose of sensitive printouts correctly. Contract with a certified destruction provider. Maintain certificates of destruction in your SharePoint library. This closes the loop on the physical media lifecycle.
- Conduct Awareness Training Sessions: Conduct awareness sessions on physical document handling for all staff. Explain the risks of visual hacking and opportunistic theft. Use real internal examples for better clarity. Staff must understand their role in protecting organisational data. Document training attendance in your HR portal. This satisfies Clause 7.3 requirements for security awareness.
- Establish Whiteboard Protocols: Mandate wiping meeting room boards after every session concludes. Sensitive project plans often remain visible on shared boards. Install cleaning supplies in every room. Post reminders near exits to prompt personnel. This simple habit mitigates visual information leaks. It prevents the next group from seeing sensitive internal data.
- Adapt Rules for Remote Work: Extend requirements to home and public work settings. Define standards for home office screen positioning. Staff should avoid screens facing windows in ground-floor rooms. Provide lockable document boxes for remote use. Document these rules in your remote work policy. This ensures a consistent security posture across all locations.
- Perform Regular Spot Checks: Perform unannounced office floor walks and record the results. Check for unsecured papers and unlocked workstations. Document every violation in a central compliance log. These records prove that you monitor the control regularly. Auditors look for this evidence of operational control. Static policies without monitoring lead to non-conformities.
- Integrate Management Review: Report compliance trends to the security steering committee quarterly. Discuss violation rates and root causes with senior leadership. Use this data to justify budget for better physical storage. Meeting minutes signed by management prove oversight. This ensures the management system stays relevant to the business. Leadership involvement is essential for maturity.
Requirements by Environment
- Physical Office: Lockable pedestals, secured whiteboards, and locked shredding consoles are mandatory.
- Home Office: Screens must face away from windows. Sensitive papers require lockable storage or immediate destruction.
- Public Spaces: Use of privacy filters is essential. Personnel must manually lock screens before leaving the device.
The “Checkbox Compliance” Trap
| Requirement | Tool Trap (Theoretical) | Auditor Reality (Actual) |
|---|---|---|
| Clear Screen | Policy says “Staff must lock screens.” | I verify the GPO timeout is set to 5 minutes. |
| Secure Storage | Lockers are available on site. | I check if keys are left in the locks. |
| Disposal | Generic shredder in the corner. | I check if shredding logs match disposal volumes. |
10 Steps to Audit ISO 27001 7.7 (Internal Audit Guide)
- Policy Review: Examine the clear desk policy in your internal repository. Verify that management reviewed and approved the document within the last year.
- Configuration Verification: Request technical exports from Microsoft Intune. Verify that screen lock timeouts do not exceed five minutes.
- Physical Walkthrough: Conduct unannounced evening floor walks. Look for papers left on desks or unlocked workstations. Take photos as objective evidence.
- Sample Storage: Select a sample of ten pedestals. Verify that they are locked. Check if keys remain in the unit.
- Waste Inspection: Inspect general waste containers in common areas. Look for sensitive printouts or removable media. This indicates a training failure.
- Whiteboard Audit: Visit meeting rooms after sessions. Verify that personnel wiped all whiteboards clear. Sensitive data often lingers in these areas.
- Remote Verification: Select a sample of remote workers. Request a camera walkthrough of their workspace. Verify screen positioning and storage.
- Staff Interviews: Ask employees how they secure information during coffee breaks. Their answers reveal the true security culture of the firm.
- Review Violation Logs: Examine logs for past policy violations. Verify that management took corrective actions for every finding recorded.
- Examine Training Records: Check your HR portal for security awareness records. Every employee must complete training covering the physical office rules.
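The screen-lock step above ("Configure Automated Screen Locks") and the audit step "Configuration Verification" both come down to one check: does the endpoint actually lock within five minutes? The following PowerShell is an added example, not taken from the article or from any vendor tooling. It assumes the policy was delivered by GPO or Intune into the standard Windows policy registry locations (the machine inactivity limit under HKLM and the per-user screen saver policy under HKCU); run it on a sampled endpoint and file the output as technical evidence.

```powershell
# Added example: report whether this endpoint's effective screen-lock settings
# meet the five-minute maximum required by the policy described above.
# Assumption: settings were pushed by GPO/Intune to the standard policy keys.

$MaxTimeoutSeconds = 300   # five minutes, per the control guidance

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null rather than throwing when the key or value is absent
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ClearScreenCompliance {
    param([int]$MaxSeconds = $MaxTimeoutSeconds)

    # Machine-wide policy: "Interactive logon: Machine inactivity limit".
    # This locks the session without depending on a screen saver executable,
    # so it is the more robust of the two mechanisms.
    $machineLimit = Get-RegistryValueOrNull `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'InactivityTimeoutSecs'

    # Per-user policy: screen saver enabled, password protected, timeout in seconds
    $userPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ssActive  = Get-RegistryValueOrNull -Path $userPolicy -Name 'ScreenSaveActive'
    $ssSecure  = Get-RegistryValueOrNull -Path $userPolicy -Name 'ScreenSaverIsSecure'
    $ssTimeout = Get-RegistryValueOrNull -Path $userPolicy -Name 'ScreenSaveTimeOut'

    $machineOk = ($null -ne $machineLimit) -and ([int]$machineLimit -gt 0) `
                 -and ([int]$machineLimit -le $MaxSeconds)
    $userOk    = ($ssActive -eq '1') -and ($ssSecure -eq '1') `
                 -and ($null -ne $ssTimeout) -and ([int]$ssTimeout -gt 0) `
                 -and ([int]$ssTimeout -le $MaxSeconds)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        MachineInactivitySec  = $machineLimit
        ScreenSaverTimeoutSec = $ssTimeout
        ScreenSaverLocks      = ($ssSecure -eq '1')
        # Either mechanism locking within the limit satisfies the check
        Compliant             = ($machineOk -or $userOk)
    }
}

Test-ClearScreenCompliance | Format-List
```

A `Compliant` value of `False` on an endpoint that Intune reports as configured is itself an audit finding: the setting was assigned but never applied.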
7.7 Audit Evidence Checklist
| Evidence Item | Pass/Fail Criteria | Owner |
|---|---|---|
| Clear Desk Policy | Management approved and version controlled in SharePoint. | CISO |
| GPO Timeout Report | Technical proof of lock activation after 5 minutes. | IT Manager |
| Floor Walk Logs | Dated records of inspections with corrective actions. | Facilities |
| Shredding Certificates | Certified disposal records for the previous twelve months. | Facilities |
Required Policy Content: A Lead Auditor’s Checklist
- Scope: Must explicitly include the head office, remote environments, and public transit.
- Classification Link: Define which data levels require immediate locking. Reference your classification of information policy.
- Screen Locking: Define the 5-minute timeout and the mandatory manual lock keyboard shortcut.
- Storage Rules: Mandate that pedestals must be locked when unattended. Keys must not remain in the unit.
- Secure Disposal: Requirement to use consoles. Forbid use of standard waste bins for sensitive paper.
- Whiteboard Rules: Mandatory wipe-down after every meeting room usage.
- Enforcement Clause: Must define the specific disciplinary path for non-compliance. Explicitly state the Verbal → Written → Termination path.
What to Teach Employees
- How to identify sensitive data using the classification matrix defined in Clause 5.12.
- The immediate risk of visual hacking in shared offices and public transport.
- The technical habit of locking screens manually before leaving the workstation.
- How to use the locked shredding consoles correctly for all paper waste.
Enforcement and Consequences
A policy without enforcement is merely a suggestion. Management must support a disciplinary path for repeated breaches of Control 7.7. In my experience, auditors look for HR records that prove consequences exist. The path must follow: 1. Verbal Warning → 2. Written Warning → 3. HR Disciplinary Action → 4. Termination of Employment.
Common Implementation Challenges
| Challenge | Root Cause | Practical Solution |
|---|---|---|
| Hot-desking clutter | Insufficient personal storage areas. | Provide larger lockers for daily usage. |
| Home office habits | Mixing work and personal lives. | Provide privacy filters for remote staff laptops. |
| Forgotten whiteboards | Lack of room clearing ownership. | Assign the meeting organiser as responsible for clearing. |
Sample Statement of Applicability (SoA) Entry
Control 7.7 is Included. Justification: Necessary to protect the confidentiality of client data and internal intellectual property. Implementation: Enforced through Microsoft Intune timeouts, lockable storage pedestals, and monthly unannounced evening security walkthroughs.
Changes from ISO 27001:2013
| 2013 Reference | 2022 Reference | Nature of Change |
|---|---|---|
| A.11.2.9 | 7.7 | Merged requirements. Added emphasis on remote and cloud-working environments. |
How to Measure Effectiveness (KPIs)
- Violation Rate: Number of unsecured items found per floor walk. Example: Finding 2 unsecured laptops across 50 desks equals a 4% violation rate.
- Technical Compliance: Percentage of endpoints successfully receiving the timeout configuration. Goal: 100% compliance across the laptop fleet recorded in Intune.
- Average Disposal Volume: Weight of securely shredded paper versus standard waste. Example: Shredding 20kg of paper per month proves active use of secure consoles.
Related ISO 27001 Controls
Control 7.7 works in concert with other physical and logical safeguards. This control relies on Annex A 5.12 Classification of Information to define which papers require locking. It also integrates with Annex A 7.5 Protecting Against Physical and Environmental Threats by protecting hardware from environmental damage. Finally, it works with Annex A 8.1 User Endpoint Device Security to secure the actual endpoint devices used by personnel.
ISO 27001 7.7 FAQ
Does a clear desk mean an empty desk?
No. It means the desk is clear of sensitive information and removable media. Personal items are permitted unless they obscure security checks.
Are privacy filters mandatory?
They are not specifically mandatory in the standard. However, for desks near windows or in public areas, they are an essential risk treatment.
What happens if we have no lockable storage?
This will likely result in a non-conformity. You must prove how you secure physical media without locks, which is difficult to justify.
Do screensavers count as clear screen?
Only if they hide the information on the display and require a password or biometric to unlock the session.
How often should we check the office?
I recommend monthly unannounced sweeps. This frequency demonstrates active management oversight to the certification auditor.
Last Reviewed: 15 February 2026. Next Review: 15 February 2027.
