How to implement ISO 27001 Annex A 7.7 – A certification body's guide

How to Implement ISO 27001 Annex A 7.7 Clear Desk and Clear Screen

When you begin your journey toward information security, some controls can feel overly technical or abstract. However, ISO 27001 Annex A 7.7 is not one of them. This control, known as “Clear desk and clear screen,” is one of the most visible and practical aspects of your information security management system (ISMS). At ISO27001.com, we often find that this control is a strong indicator of your overall security culture. If you get the basics right here, it shows you take security seriously.

Implementing this control is about reducing the risk of unauthorised access to your physical and digital assets. It ensures that sensitive information is not left unprotected on desks or screens when you are not at your workstation. Here is how you can implement this control effectively and what we expect to see during an audit.

Understanding the Goal of Annex A 7.7

The primary objective here is to prevent unauthorised access to information. This could happen if someone walks past a desk and sees sensitive documents or an unlocked computer screen. It protects against internal threats, such as curious colleagues without clearance, and external threats, such as delivery personnel or visitors walking through your office.

You need to ensure that paper documents, removable storage media, and screens are secured when they are not in use. While it sounds simple, maintaining this discipline across an entire organisation takes effort and clear communication.

Writing the Policy

Your first step is to establish a policy that defines what is expected of your staff. This does not need to be a long document. In fact, shorter is often better. You must state clearly that all employees are required to clear their desks of sensitive information at the end of the day and whenever they leave their desk for an extended period.

The policy should also mandate that computer screens are locked when the user is away. You should define what constitutes “sensitive information” to avoid confusion. For many organisations, a “zero tolerance” approach where desks must be completely clear is easier to enforce than asking staff to judge what is sensitive and what is not.

Physical Security Implementation

To make this control work, you must provide your team with the right tools. You cannot expect a clear desk if staff members have nowhere to put their documents. You need to provide lockable drawers or cabinets for every employee who handles physical data.

You should also look at your printing facilities. Printers are a common failure point for Annex A 7.7. We frequently see sensitive payroll or HR documents sitting in printer trays. To fix this, you should implement “secure print” features where a user must enter a code or swipe a badge at the printer to release their job. If that is not possible, you must insist that papers are collected immediately.

You must also provide shredders or confidential waste bins. If it is difficult to dispose of paper securely, staff will likely leave it on their desks. Make it easy for them to do the right thing.

Digital Security Implementation

On the digital side, implementation is often handled centrally by your IT team. You should configure a forced screen lock policy. This means that after a set period of inactivity, perhaps five or ten minutes, the screen locks automatically and requires a password to unlock. This acts as a safety net for when staff forget to lock their machines manually.

You must also educate staff on the keyboard shortcuts to lock their screens instantly. Encouraging this habit is far better than relying solely on the automatic timeout.
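The forced screen lock described above is usually pushed out as a Group Policy or MDM setting. The following PowerShell is an added example, not code from the ISO27001.com guide: it writes the same per-user policy values that the Windows "Enable screen saver", "Password protect the screen saver" and "Screen saver timeout" policies use, then audits the machine against them so the result can be kept as evidence. It assumes a standalone or test machine where you are allowed to write the HKCU policy key directly (on a domain-joined machine Group Policy would overwrite these), and a chosen timeout of 10 minutes.

```powershell
# Added example (not from the ISO27001.com guide): enforce and audit a forced
# screen lock on Windows through the per-user policy registry values.
# Assumptions: rights to write the HKCU policy key; 10-minute timeout chosen.

$PolicyPath     = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$TimeoutSeconds = 600   # the guide suggests five or ten minutes of inactivity

# Values Group Policy itself writes for the three screen-saver policies.
# All four are stored as REG_SZ strings, so the numbers are quoted.
$Required = [ordered]@{
    ScreenSaveActive    = '1'                  # screen saver switched on
    ScreenSaverIsSecure = '1'                  # password required on resume
    ScreenSaveTimeOut   = "$TimeoutSeconds"    # idle seconds before it starts
    'SCRNSAVE.EXE'      = 'scrnsave.scr'       # blank screen saver shipped with Windows
}

function Set-ClearScreenPolicy {
    # Create the policy key if this machine has never had one, then set each value.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    foreach ($name in $Required.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -Value $Required[$name] `
            -PropertyType String -Force | Out-Null
    }
}

function Test-ClearScreenPolicy {
    # Emits one object per setting so the output can be exported as audit evidence.
    foreach ($name in $Required.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyPath -Name $name `
                   -ErrorAction SilentlyContinue).$name
        $ok = ($actual -eq $Required[$name])
        # A shorter timeout than required is still compliant; a longer or zero one is not.
        if ($name -eq 'ScreenSaveTimeOut' -and $actual) {
            $ok = ([int]$actual -gt 0) -and ([int]$actual -le $TimeoutSeconds)
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Required[$name]
            Actual    = $actual
            Compliant = $ok
        }
    }
}

Set-ClearScreenPolicy
$report = Test-ClearScreenPolicy
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'Screen lock policy is not fully enforced on this machine.'
}
```

The audit half is the part worth keeping: run `Test-ClearScreenPolicy` across a sample of workstations before the visit and the exported table is the kind of evidence that shows the control is active rather than merely written down. The timeout is only the safety net; staff should still lock immediately with Win+L when they step away.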

Building the Culture

Writing the policy is the easy part. Getting people to follow it is the challenge. You need to train your staff during their induction and through regular awareness updates. Explain the “why” behind the rule. It is not just about tidiness. It is about protecting client data and the company reputation.

We recommend conducting periodic spot checks. Walk around the office at different times. If you find sensitive data left out, leave a friendly reminder note. Some organisations use gamification or small rewards for teams with the cleanest desks. This positive reinforcement helps build the habit without creating a culture of fear.

What the Auditor Will Look For

As a certification body, when we visit your site for an ISO 27001 audit, Annex A 7.7 is one of the first things we assess. We do this simply by walking from the reception to the meeting room. We observe the working environment. We look for passwords written on sticky notes attached to monitors. This is a classic failure that we still see surprisingly often.

We will look at whiteboards in meeting rooms. Have they been wiped clean after a strategy session? We will look at the printers. Are there unclaimed documents in the tray? We will also check if screens are locked in empty offices.

If you are a remote-first company, we will ask how you enforce this for home workers. Do you provide guidance on working in public spaces like coffee shops? Do you provide privacy filters for laptop screens? The principle remains the same regardless of location.


Common Pitfalls to Avoid

One common mistake is being too rigid with the policy in areas where it does not make sense, or ignoring it in areas where it matters most. For example, leaving a generic marketing flyer on a desk is rarely a risk. However, leaving a notebook open during a lunch break is a significant risk. Focus on the risk.

Another pitfall is management not leading by example. If the senior leadership team leaves confidential board papers on their desks, the rest of the staff will not take the policy seriously. Compliance starts at the top.

Conclusion

Implementing Annex A 7.7 does not require expensive technology. It requires consistent behaviour and good management. By providing lockable storage, enforcing screen locks, and fostering a culture of security, you can meet this requirement effectively. Remember that we at ISO27001.com are looking for evidence that the policy is active and understood, not just a document stored on a server. Keep it practical, keep it visible, and you will pass this part of the audit with ease.