ISO 27001:2022 Annex A Control 7.7
Explaining Annex A Control 7.7: Clear desk and clear screen
Control 7.7 of ISO 27001 focuses on the security of physical and digital information by enforcing clear desk and clear screen policies. These policies help protect sensitive data from unauthorized access, loss, or damage, particularly when workstations or office environments are left unattended.
Control Type
- Preventive
Information Security Properties
- Confidentiality
Cybersecurity Concepts
- Protect
Operational Capabilities
- Physical Security
Security Domains
- Protection
Objective of Clear desk and clear screen
The primary objective of this control is to reduce the risk of unauthorized access, information leakage, and loss of critical data by ensuring that all sensitive information is stored securely when not actively in use.
This control helps organizations:
- Protect confidential information from being accessed by unauthorized individuals.
- Prevent information leaks due to negligence, such as leaving printed documents exposed.
- Reduce insider threats by limiting opportunities for intentional or accidental misuse.
- Minimize security risks in shared workspaces and open office environments.
- Improve compliance with ISO 27001 and other industry regulations by enforcing security best practices.
Purpose of Clear desk and clear screen
The purpose of Control 7.7 is to:
- Minimize risks of information loss: This includes the unintentional exposure of sensitive or confidential information to unauthorized individuals.
- Reduce opportunities for data breaches: Sensitive information left exposed on desks or screens can be exploited by unauthorized persons.
- Ensure compliance with regulations: Following this control helps your organization meet information security requirements under ISO 27001 and other frameworks.
- Foster a culture of security awareness: A clear desk and clear screen policy promotes a mindset of responsibility and vigilance among employees.
Guidelines for Implementing a Clear Desk and Clear Screen Policy
To implement Control 7.7 effectively, your organization must define, communicate, and enforce a clear desk and clear screen policy. Below are the critical elements that should be included:
1. Clear Desk Policy Guidelines
A clear desk policy ensures that physical information assets are secured when not in use. Organizations should enforce the following rules:
1.1 Secure Storage of Documents and Removable Media
- Confidential and sensitive documents must be locked away in secure cabinets, safes, or drawers when not in use.
- Removable storage media (USB drives, external hard drives) should be secured in locked storage.
- Any hardcopy documents that contain personal or sensitive information should not be left on desks or unattended workspaces.
1.2 Proper Disposal of Paper Documents
- All paper documents that are no longer needed must be shredded or disposed of securely using confidential waste bins.
- Organizations should implement secure document disposal policies, including using certified shredding services where necessary.
1.3 Workspace Clean-Up Protocol
- Employees should perform a desk sweep before leaving work to ensure no confidential documents, notes, or storage devices are left behind.
- At the end of the day, all workstations should be free of sensitive information.
2. Clear Screen Policy Guidelines
A clear screen policy ensures that digital information is not visible to unauthorized individuals. Organizations should enforce the following guidelines:
2.1 Automatic Screen Locking
- All computers, laptops, and mobile devices must be set to automatically lock after a short period of inactivity (e.g., 5-10 minutes).
- Employees must also lock their screens manually (Windows key + L on Windows, Control + Command + Q on macOS) whenever they step away from their desks, rather than relying on the inactivity timeout alone.
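To make guideline 2.1 verifiable across a fleet of Windows workstations, the following PowerShell audit script is an added example; it is not part of the original article or of any ISO template. It reads the documented Windows registry locations for the screen-saver lock settings (the Group Policy key under HKCU:\Software\Policies, the per-user Control Panel\Desktop key, and the "Interactive logon: Machine inactivity limit" value under HKLM) and reports whether the session locks within a threshold. The 600-second default, the function names and the output fields are assumptions chosen for this example; the script only reads settings and changes nothing.

```powershell
# Added example (not from the original article): audit the Windows screen-lock
# settings that implement guideline 2.1 and report whether they meet the
# 5-10 minute inactivity limit. Read-only; run in an ordinary user session.
# The registry paths are the documented Windows locations for these settings;
# -MaxIdleSeconds (600 = 10 minutes) is an assumed organizational threshold.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-ScreenLockCompliance {
    param([int]$MaxIdleSeconds = 600)

    # Group Policy values take precedence over the user's own Control Panel
    # choices, so read the policy key first and fall back to the per-user key.
    $policyPath  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath    = 'HKCU:\Control Panel\Desktop'
    $machinePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $settings = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        $value  = Get-RegValue -Path $policyPath -Name $name
        $source = 'Policy'
        if ($null -eq $value) {
            $value  = Get-RegValue -Path $userPath -Name $name
            $source = 'User'
        }
        $settings[$name] = [pscustomobject]@{ Value = $value; Source = $source }
    }

    # "Interactive logon: Machine inactivity limit" locks the session independently
    # of the screen saver; 0 or absent means it is not enforced.
    $inactivity = Get-RegValue -Path $machinePath -Name 'InactivityTimeoutSecs'

    $findings = New-Object System.Collections.Generic.List[string]

    $saverActive  = $settings['ScreenSaveActive'].Value -eq '1'
    $saverSecure  = $settings['ScreenSaverIsSecure'].Value -eq '1'   # password on resume
    $saverTimeout = 0
    if ($settings['ScreenSaveTimeOut'].Value) {
        $saverTimeout = [int]$settings['ScreenSaveTimeOut'].Value
    }
    $saverLocks = $saverActive -and $saverSecure -and
                  ($saverTimeout -gt 0) -and ($saverTimeout -le $MaxIdleSeconds)

    $machineLocks = ($null -ne $inactivity) -and
                    ([int]$inactivity -gt 0) -and ([int]$inactivity -le $MaxIdleSeconds)

    if (-not $saverActive) { $findings.Add('Screen saver is not enabled') }
    if (-not $saverSecure) { $findings.Add('Screen saver does not require a password on resume') }
    if ($saverTimeout -le 0 -or $saverTimeout -gt $MaxIdleSeconds) {
        $findings.Add("Screen saver timeout is $saverTimeout s (limit $MaxIdleSeconds s)")
    }
    if (-not $machineLocks) { $findings.Add('Machine inactivity limit is not set within the threshold') }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        UserName              = $env:USERNAME
        ScreenSaverLocks      = $saverLocks
        ScreenSaverSource     = $settings['ScreenSaveTimeOut'].Source
        InactivityTimeoutSecs = $inactivity
        # Either mechanism locks the session in time; having both is defence in depth.
        Compliant             = ($saverLocks -or $machineLocks)
        Findings              = $findings
    }
}

Get-ScreenLockCompliance -MaxIdleSeconds 600 | Format-List
```

The screen-saver values are stored per user, so the script is meant to run in each user's session (for example as a logon script that writes the result to a central share). A `ScreenSaverSource` of `User` means the lock is the employee's own choice and can be switched off; `Policy` means it is enforced centrally, which is what an auditor would expect for this control. Multi-factor authentication on unlock (guideline 2.2) is outside what these registry values show and needs to be checked separately.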
2.2 Authentication and Access Control
- Multi-factor authentication (MFA) should be used to unlock devices.
- Strong password policies should be enforced to prevent unauthorized access to systems.
2.3 Secure Use of Displays and Screens
- Employees should turn off monitors when leaving their workstations.
- Screen privacy filters should be used on devices that contain sensitive data in open areas.
- Email and messaging pop-ups should be disabled during screen sharing, presentations, or in public areas.
Secure Printing and Document Handling
Printers and multifunction devices are often overlooked security risks. Implementing secure printing protocols is essential:
- Enable authentication for printing: Employees should use print release authentication, ensuring that documents print only when the user is physically present at the printer.
- Secure printouts immediately: Employees should retrieve printouts immediately to prevent unauthorized access to confidential documents.
- Restrict access to printers: Only authorized personnel should have access to high-security printers used for sensitive documents.
Physical Security for Devices
In addition to clear desk and screen policies, organizations must also secure physical devices to prevent unauthorized access. Best practices include:
- Using security cable locks to protect laptops and other portable devices in shared workspaces.
- Keeping USB drives and external storage devices locked when not in use.
- Ensuring workstations and conference rooms are checked for forgotten documents or devices at the end of each day.
Related ISO 27001 Controls
Control 7.7 works alongside several other ISO 27001 controls to form a comprehensive security strategy:
- Control 5.2 (Information Security Roles and Responsibilities) – Defines security responsibilities, including clear desk and screen policies.
- Control 5.12 (Classification of Information) – Ensures that sensitive data is appropriately classified and protected.
- Control 7.1 (Physical Security Perimeter) – Establishes physical security measures to prevent unauthorized access to information.
Templates for Implementation
To streamline the adoption of Control 7.7, your organization can use pre-built security policy templates from Cyberzoni.com:
- Clear Desk and Clear Screen Policy Template – A ready-to-use policy for implementing security best practices.
- Data Classification Policy Template – Helps define sensitivity levels for organizational data.
- Physical Security Policy Template – Outlines requirements for physical access and security of workspaces.