What is ISO 27001 Annex A 7.7 Clear Desk and Clear Screen?
Annex A 7.7 requires the protection of physical and digital information in the workplace. This documented process governs how staff secure papers and screen sessions. You must integrate these rules into business-as-usual tools like SharePoint. This ensures protection against unauthorised viewing or asset theft during and after working hours.
Auditor’s Eye: The Shortcut Trap
Reliance on automated SaaS platforms leads to surface-level compliance. These tools show a green tick without verifying actual desk cleanliness. Auditors prefer seeing evidence within your native document repositories like SharePoint. Internal spot-check logs prove management ownership of office security. Digital dashboards cannot replace human oversight. Relying on “black box” platforms often results in non-conformities when an auditor walks your office floor.
| ISO 27001:2013 Reference | ISO 27001:2022 Reference | Key Difference |
|---|---|---|
| Annex A 11.2.9 | Annex A 7.7 | The 2022 version emphasises both physical and digital workspaces equally. It clearly includes remote work environments. |
How to Implement ISO 27001 Annex A 7.7 (Step-by-Step)
Implement Annex A 7.7 by embedding requirements into daily staff workflows. Focus on cultural change rather than software installation. Use your existing SharePoint and Confluence systems to maintain records. Lead with a policy that defines what constitutes a “clear” workspace for every employee.
- Draft a clear desk policy and store it in SharePoint.
- Define which documents require secure storage in locked cabinets.
- Configure automated screen lock timers for all corporate devices.
- Conduct monthly office walk-throughs to verify physical compliance.
- Log all findings and corrective actions in a Jira project.
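The screen-lock step above is the one part of this control that can be verified technically rather than by walking the floor. The script below is an added example, not code from the original article: run on a Windows workstation, it reads the registry values that the "Enable screen saver", "Password protect the screen saver", "Screen saver timeout" and "Interactive logon: Machine inactivity limit" group policies write, compares them against an assumed five-minute (300 second) maximum, and appends one row to a CSV that can be filed as inspection evidence. The threshold, the output path and the use of a CSV as the log are assumptions for the example; the registry paths and value names are the ones those policies actually set.

```powershell
# Added example (not from the original article): audit the Windows screen-lock
# settings that a central group policy enforces and record the result as evidence.

$MaxTimeoutSeconds = 300   # assumption: organisational maximum inactivity before lock

# User-level policy values written by the screen saver GPOs
$userPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# Machine-level value written by "Interactive logon: Machine inactivity limit"
$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent, which itself means the policy is not applied
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$active       = Get-PolicyValue $userPolicy    'ScreenSaveActive'      # "1" when enforced
$secure       = Get-PolicyValue $userPolicy    'ScreenSaverIsSecure'   # "1" when password required on resume
$timeout      = Get-PolicyValue $userPolicy    'ScreenSaveTimeOut'     # seconds, stored as a string
$machineLimit = Get-PolicyValue $machinePolicy 'InactivityTimeoutSecs' # seconds, DWORD

$findings = @()
if ($active -ne '1') { $findings += 'Screen saver not enforced by policy (ScreenSaveActive missing or not 1)' }
if ($secure -ne '1') { $findings += 'Screen saver does not require a password on resume (ScreenSaverIsSecure missing or not 1)' }
if (-not $timeout -or [int]$timeout -gt $MaxTimeoutSeconds) {
    $findings += "Screen saver timeout '$timeout' is unset or exceeds $MaxTimeoutSeconds seconds"
}
if (-not $machineLimit -or [int]$machineLimit -gt $MaxTimeoutSeconds) {
    $findings += "Machine inactivity limit '$machineLimit' is unset or exceeds $MaxTimeoutSeconds seconds"
}

$result = [pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    User                  = $env:USERNAME
    CheckedAt             = (Get-Date).ToString('s')
    ScreenSaveActive      = $active
    ScreenSaverIsSecure   = $secure
    ScreenSaveTimeOut     = $timeout
    InactivityTimeoutSecs = $machineLimit
    Compliant             = ($findings.Count -eq 0)
    Findings              = ($findings -join '; ')
}

$result | Format-List
# Append the row to an evidence log (assumed location) for upload to the team's repository
$result | Export-Csv -Path "$env:TEMP\clear-screen-audit.csv" -Append -NoTypeInformation
```

A missing key is treated as a finding rather than ignored, because a workstation that never received the policy is exactly the case a walk-through should catch. The script reads the policy registry values, not the resolved policy result, so cross-check a disputed machine with `gpresult /r` before raising a ticket.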
ISO 27001 Annex A 7.7 Clear Desk and Clear Screen Audit Evidence Checklist
Auditors look for manual records that prove continuous human oversight. They check version histories of policies and internal meeting minutes. Ensure your evidence resides in repositories your team uses daily.
- A Clear Desk and Clear Screen Policy with SharePoint versioning history.
- Meeting minutes showing management discussion of office security performance.
- Internal inspection logs recorded on Confluence or a shared spreadsheet.
- Jira tickets for remediating repeated clear desk violations.
- Internal training completion reports for all office-based staff.
Relational Mapping
Control A 7.7 is connected to several other ISO 27001 requirements:
- Annex A 5.1: Policies for information security.
- Annex A 5.15: Access control requirements for screens.
- Annex A 7.1: Physical security perimeters protecting the office.
Auditor Interview
Auditor: How do you ensure staff lock their screens when leaving desks?
Manager: We enforce a five-minute auto-lock via our central group policy. We also perform evening spot checks to verify compliance.
Auditor: Where do you record the results of these checks?
Manager: We maintain a log on our internal Confluence wiki. You can see the history of checks and any remedial actions taken.
Common Non-Conformities
| Failure Mode | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS dashboard while desks are covered in sensitive paper. | Begin manual spot checks and record them in SharePoint. |
| Post-it Notes | Staff keep passwords or sensitive data on monitors. | Conduct staff training and enforce strict disciplinary measures. |
| Unlocked Screens | Computers left active in areas accessible by visitors. | Shorten auto-lock timers and conduct random audits. |
Frequently Asked Questions
What is ISO 27001 Annex A 7.7?
The Bottom Line: It is the requirement to keep desks clear of sensitive documents and screens locked. This protects information from unauthorised viewing or theft. You must document this process within your own organisational tools. Management must prove they actively monitor compliance through regular inspections.
How do I enforce a clear desk policy?
The Bottom Line: Enforce the policy through a combination of technical controls and physical audits. Use SharePoint to communicate the rules clearly to all staff. Schedule monthly evening inspections and record the results in Confluence. Use Jira to manage any non-conformities found during these walks.
Does this control apply to home offices?
The Bottom Line: Yes, the 2022 update includes remote and home work environments. Staff should ensure sensitive papers are not visible to household members. Digital screens must still lock automatically. Include remote work guidelines in your central SharePoint security policy.
