ISO 27001 Annex A 7.7 Clear Desk and Clear Screen

ISO 27001 Annex A control 7.7 is called Clear Desk and Clear Screen. It asks you to protect information left on desks, screens and other accessible locations, with particular attention to what happens once the working day ends: confidential documents must be locked away outside working hours.

What is ISO 27001 Annex A 7.7?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Clear Desk and Clear Screen”.

What is the ISO 27001 Annex A 7.7 control objective?

The formal definition and control objective in the standard is: “Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.”

What is the purpose of ISO 27001 Annex A 7.7?

The purpose of ISO 27001 Annex A 7.7 is “to ensure you address the risks of unauthorised access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.”

Is ISO 27001 Annex A 7.7 Mandatory?

ISO 27001 Annex A control 7.7 (Clear Desk and Clear Screen in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.7 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

Provide Lockable Storage

To help maintain a clear desk, you should provide people with lockable storage. How much and what kind you provide depends on your business needs and risks. Some examples of when lockable storage is needed:

  • If you print, handle or need to store confidential data.
  • If you hold sensitive devices, such as payment devices or card readers, that are not in use.
  • If you work from home.
  • For directors and shareholders.

The needed security level should match your risks and business needs, but the storage must be lockable at the very least. You should also think about:

  • Fireproof materials.
  • The type of locks you use.
  • Having backup keys or access methods.

Enable Auto Screen Locking

To help maintain a clear screen, you should configure automatic screen locking after a short period of inactivity, and enable it on all devices. You can enforce this from one central point or configure it on each device. A common choice is to trigger the lock after 60 seconds, but you can set the interval based on your own risk assessment and business needs.
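As an added illustration of the check an auditor or administrator can run (not code from the page), the PowerShell below reports whether a Windows endpoint enforces an inactivity lock within the 60-second limit suggested above. It assumes a Windows host, the standard registry locations for the machine inactivity limit and the screen-saver lock, and that Group Policy values take precedence over a user's own settings; the limit is a variable you can change to match your risk assessment.

```powershell
# Added audit check (not from the page). Reports PASS/FAIL for the
# inactivity lock on this Windows endpoint against a chosen limit.
$MaxIdleSeconds = 60   # page's suggested value; adjust to your own risk review

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$policyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey    = 'HKCU:\Control Panel\Desktop'
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Central, machine-wide setting: security option
#    "Interactive logon: Machine inactivity limit" (seconds, applies to all users).
$machineLimit = Get-RegValue $machineKey 'InactivityTimeoutSecs'

# 2. Per-user screen-saver lock. Group Policy values override the user's own.
$source  = if (Get-RegValue $policyKey 'ScreenSaveTimeOut') { $policyKey } else { $userKey }
$active  = Get-RegValue $source 'ScreenSaveActive'
$secure  = Get-RegValue $source 'ScreenSaverIsSecure'
$timeout = [int](Get-RegValue $source 'ScreenSaveTimeOut')   # $null becomes 0

$findings = @()
if ($machineLimit -and [int]$machineLimit -le $MaxIdleSeconds) {
    $findings += "PASS machine inactivity limit = ${machineLimit}s (central setting)"
} else {
    # No adequate central limit: the screen saver only counts if it is enabled,
    # requires a password on resume, and fires within the limit.
    if ($active -ne '1') { $findings += 'FAIL screen saver not enabled' }
    if ($secure -ne '1') { $findings += 'FAIL screen saver does not require a password on resume' }
    if ($timeout -le 0 -or $timeout -gt $MaxIdleSeconds) {
        $findings += "FAIL screen saver timeout ${timeout}s exceeds ${MaxIdleSeconds}s"
    }
    if ($findings.Count -eq 0) { $findings += "PASS screen saver locks after ${timeout}s ($source)" }
}

$findings | ForEach-Object { Write-Output $_ }
# Non-zero exit lets a central management tool mark the device as non-compliant.
if ($findings -match '^FAIL') { exit 1 } else { exit 0 }
```

Run it under the account whose desktop settings you want to audit, since the screen-saver values are per user while the machine inactivity limit is device-wide.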

Provide Guidelines and Training

After you set up your clear desk and clear screen policy, you should keep training people on what the rules are and why they matter.

Secure Printers

Printers can pose a significant risk to information security because they are often placed in shared, easily accessible areas away from the user. Printouts can sit unattended for a long time before anyone collects them.

Consider printers that require authentication at the device, so that a job is only released when the person who sent it is standing at the machine.

You should check the areas around printers regularly. Any discarded printouts must be securely shredded or destroyed in line with your company policy.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

Device Auto-Lock: The auditor will look for proof that your user devices lock themselves after a short time.

Lockable Storage: The auditor will check where you keep sensitive information in physical form, such as papers or storage devices, and that you lock these items away. They will check this in your offices, but remember that they will also check your setup if you work from home.