If you have ever walked through a quiet office and spotted a password on a sticky note or a sensitive document sitting on a printer, you have seen exactly why “Clear Desk and Clear Screen” policies exist. In the transition from ISO 27001:2013 to the 2022 update, this fundamental control moved from the technical back-end to a more prominent organisational spotlight. Now residing under Annex A 7.7, the requirements have evolved to match our modern, often hybrid, working world.
The Evolution from 11.2.9 to 7.7
In the ISO 27001:2013 version, this requirement was known as Control 11.2.9. It was tucked away in the “Physical and Environmental Security” domain, largely viewed as a physical security measure for the traditional office. The goal was simple: don’t leave papers out and lock your PC when you go to lunch.
With the 2022 update, the control has been rebranded as Annex A 7.7: Clear desk and clear screen. It is now part of the Physical Controls theme. While the name and intent remain largely the same, the 2022 version is more prescriptive and comprehensive. According to experts at Hightable.io, the shift isn’t just about a change in numbering; it’s about a more detailed focus on how we protect data in an age of digital pop-ups, open-plan offices, and remote working environments.
What is New in Annex A 7.7?
While the 2013 version provided a high-level requirement, the 2022 update introduces several specific areas of focus that reflect current security challenges. If you are transitioning your ISMS, here are the key differences you need to address:
- Digital Pop-ups and Notifications: The 2022 version explicitly addresses the risk of sensitive information appearing in pop-ups (like email or Slack notifications) on a screen. This is especially critical during presentations or when working in public spaces.
- Whiteboard Security: A subtle but important addition is the requirement to clear whiteboards. In 2013, the focus was mostly on “paper and removable media.” The 2022 version recognizes that a brainstorming session on a whiteboard can be just as sensitive as a printed report.
- The “Vacated Facility” Rule: The new guidance emphasizes that when an organization vacates a facility or a specific office area, a final sweep must be conducted to ensure no physical or digital assets are left behind.
- Authentication and Auto-Locks: While hinted at before, the 2022 guidance is much more explicit about using automatic time-out features and requiring user authentication to reactivate a screen.
Practical Implementation: Modern Expectations
In the 2013 era, “Clear Desk” often meant having a lockable drawer. In 2026, under the 2022 standard, implementation must be more integrated. Hightable.io highlights that this control is now a Preventive control. This means it isn’t just a rule in a handbook; it’s a mechanism to stop unauthorized access before it happens.
To meet the 2022 requirements, organizations should focus on:
- Secure Printing: Implementing “Pull Printing” or “Follow-Me Printing” where a user must physically authenticate at the printer to release their job. This prevents sensitive documents from sitting in a communal tray.
- Device Auto-Locking: Centrally enforcing screen timeouts (typically 60 seconds to 5 minutes depending on the risk) via Group Policy or MDM, so that users cannot switch them off and re-authentication is required to unlock the screen.
- Lockable Storage: Providing secure storage not just for papers, but for “removable storage media” and portable devices like tablets and payment terminals.
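The auto-lock item above is the one an auditor can test on the spot, so here is an added example (not from the article or from Hightable.io) of checking it yourself: a PowerShell audit that reads the effective Windows screen-saver and machine-inactivity settings and reports whether the endpoint locks within a given idle period. It assumes it runs in the interactive user's session and that `$MaxIdleSeconds` is a placeholder for your organisation's own limit.

```powershell
# Added example (not from the article or Hightable.io): audit a Windows endpoint's
# effective auto-lock settings against a clear-screen threshold. Assumes it runs in
# the interactive user's session; $MaxIdleSeconds is a placeholder for your own limit.
function Get-EffectiveSetting {
    param([string]$PolicyPath, [string]$UserPath, [string]$Name)
    # A value under the Policies key (Group Policy / MDM) overrides the user's own value.
    foreach ($path in @($PolicyPath, $UserPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = [string]$item.$Name; Enforced = ($path -eq $PolicyPath) }
        }
    }
    return $null
}
function Test-ClearScreenCompliance {
    param([int]$MaxIdleSeconds = 300)   # 5 minutes: the upper end of the range in the article
    $policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $user   = 'HKCU:\Control Panel\Desktop'
    $system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $active  = Get-EffectiveSetting $policy $user 'ScreenSaveActive'     # "1" = screen saver on
    $timeout = Get-EffectiveSetting $policy $user 'ScreenSaveTimeOut'    # idle seconds
    $secure  = Get-EffectiveSetting $policy $user 'ScreenSaverIsSecure'  # "1" = password on resume
    # "Interactive logon: Machine inactivity limit" locks the session independently of the screen saver.
    $inactivity = (Get-ItemProperty -Path $system -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $findings = @()
    $saverSeconds = 0
    if ($null -ne $timeout -and $timeout.Value -match '^\d+$') { $saverSeconds = [int]$timeout.Value }
    $saverLocks = ($active.Value -eq '1') -and ($secure.Value -eq '1') -and ($saverSeconds -gt 0) -and ($saverSeconds -le $MaxIdleSeconds)
    $machineLocks = ($null -ne $inactivity) -and ($inactivity -gt 0) -and ($inactivity -le $MaxIdleSeconds)
    if (-not ($saverLocks -or $machineLocks)) {
        $findings += "No automatic lock within $MaxIdleSeconds s (screen saver active=$($active.Value), secure=$($secure.Value), timeout=$saverSeconds; machine inactivity limit=$inactivity)"
    }
    if ($active.Value -eq '1' -and $secure.Value -ne '1') {
        $findings += 'Screen saver starts but does not require re-authentication (ScreenSaverIsSecure is not 1)'
    }
    foreach ($s in @($active, $timeout, $secure)) {
        if ($null -ne $s -and -not $s.Enforced) { $findings += "$($s.Name) is set per-user, not enforced by policy" }
    }
    [pscustomobject]@{
        Compliant              = ($findings.Count -eq 0)
        ScreenSaverTimeout     = $saverSeconds
        MachineInactivityLimit = $inactivity
        Findings               = $findings
    }
}
Test-ClearScreenCompliance -MaxIdleSeconds 300 | Format-List
```

A setting that is only present under `HKCU:\Control Panel\Desktop` is flagged even when its value is acceptable, because a user can change it; the control expects the timeout to be enforced centrally.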

The Role of Control Attributes
A major innovation of the ISO 27001:2022 update is the introduction of “Attributes.” For Annex A 7.7, the control is tagged with several metadata values that help you map it to other frameworks. It is classified as:
- Control Type: Preventive
- Information Security Properties: Confidentiality
- Cybersecurity Concepts: Protect
By using these attributes, security managers can more easily show auditors how a simple “Clear Desk” policy contributes to the broader organizational goal of “Protecting” data confidentiality.
What Will an Auditor Look For?
When you transition to the 2022 version, the auditor’s “walk-through” will be more thorough. They won’t just look for a messy desk; they will look for the process. Expect them to check:
- Auto-lock settings: They may literally wait by a laptop to see if it locks itself after the designated period.
- Remote Work Awareness: They will ask how your “Clear Desk” policy applies to people working from home or in coffee shops.
- The Printer Tray: One of the most common places for an auditor to find a non-conformity is a stack of uncollected printouts.
- Whiteboards and Meeting Rooms: Checking if sensitive diagrams from the previous meeting have been erased.
Why the Transition to 7.7 Matters
The update to Annex A 7.7 reflects a world where the boundary between “office” and “not-office” has blurred. In 2013, we were worried about the person at the next desk. In 2026, we are worried about the person sitting behind you in a co-working space or the guest in your home office.
As suggested by Hightable.io, the best way to handle this transition is to refresh your Clear Desk and Clear Screen Policy into a “Topic-Specific Policy.” Don’t just list the rules; explain the risks of pop-up notifications and uncollected printouts. By educating your team on the “why,” you transform a perceived administrative burden into a proactive security habit that protects the business from prying eyes.
