ISO 27001 A.7.7: Clear desk and clear screen
What This Control Requires
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.
In Plain Language
That client contract sitting on someone's desk after they have gone home? The unlocked laptop showing customer data while the user is getting coffee? These are the kinds of everyday exposures that clean desk and clear screen policies are designed to prevent. Clean desk means sensitive papers, USB drives, notebooks, and any other physical media get locked away when not in active use - especially at the end of the day. Clear screen means computers lock automatically after a short idle period and users hit Windows+L (or equivalent) every time they walk away. It sounds basic, and it is. But it is also one of the most commonly failed controls in audits. Auditors love doing an after-hours walkthrough to check for documents on desks, printouts left in trays, and unlocked screens. It is a quick, visible indicator of how seriously your organisation takes information security day to day.
How to Implement
Write a clear desk and clear screen policy that is practical for your environment. Make it specific enough to be enforceable.

For clear desk:
- sensitive documents go into locked storage when not being actively used
- desks must be cleared of all sensitive materials at end of day
- printers and copiers must be cleared immediately after use (or use secure print release)
- removable media gets locked away
- whiteboards in meeting rooms get wiped after meetings
- sensitive waste goes in shredders or secure destruction bins - not regular waste bins

For clear screen:
- computers must be locked when the user leaves their desk
- automatic screen lock must kick in after a defined idle period (5-10 minutes is standard)
- sensitive information should not be displayed where unauthorised people can see it
- privacy screens should be used in open-plan areas and near windows
- remote desktop sessions should be disconnected when not in use

Enforce the screen lock technically. Use group policy or endpoint management to set automatic lock after 5 minutes for devices in open areas, up to 10-15 minutes for private offices. Make sure the lock requires re-authentication. Do not rely on people remembering to lock manually - enforce it at the system level.

Provide the infrastructure people need to comply. Every workstation needs lockable drawers or a cabinet. Put shredders and secure destruction bins in convenient locations - if people have to walk across the building, they will not bother. Set up secure print so documents only release when someone authenticates at the printer.

Audit compliance regularly. Walk through office areas after hours and check for sensitive materials on desks, documents in printer trays, and unlocked screens. Document findings. Share anonymised results with the organisation. Address repeat offenders through awareness training first, then the disciplinary process if it continues.
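The "enforce it at the system level" step above is where auditors want to see a configuration artefact rather than a policy sentence. As an added example (not from this page and not AuditFront's code), the PowerShell below reads and sets the registry value that backs the Windows security policy "Interactive logon: Machine inactivity limit" (InactivityTimeoutSecs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), which locks the session and so forces re-authentication. The zone names, the 300-second and 900-second thresholds, and the function names are assumptions chosen to match the 5-minute / 15-minute guidance above; adjust them to your own policy. On domain-joined machines the Group Policy setting is authoritative and will overwrite a local edit at the next refresh, so use the Set function only on standalone devices and use the Test function everywhere to produce evidence.

```powershell
# Added example, not part of the original page: audit and (on standalone machines)
# enforce the Windows machine inactivity limit that drives automatic screen lock.
# Assumed thresholds: 5 minutes in open areas, 15 minutes in private offices.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'InactivityTimeoutSecs'   # DWORD, seconds; 0 disables the limit

function Get-ScreenLockTimeout {
    # Returns the configured idle timeout in seconds, or $null when no limit is set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-ScreenLockCompliance {
    param(
        # Assumed zone names; map each device to one in your asset register.
        [ValidateSet('OpenArea', 'PrivateOffice')]
        [string]$Zone = 'OpenArea'
    )
    $maxSeconds = if ($Zone -eq 'OpenArea') { 300 } else { 900 }
    $current = Get-ScreenLockTimeout
    # Not set and 0 both mean "never locks automatically", so both fail.
    $compliant = ($null -ne $current) -and ($current -gt 0) -and ($current -le $maxSeconds)
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Zone           = $Zone
        TimeoutSeconds = $current
        MaxAllowed     = $maxSeconds
        Compliant      = $compliant
        CheckedAt      = (Get-Date).ToString('o')
    }
}

function Set-ScreenLockTimeout {
    param(
        # Windows accepts 0 to 599940 seconds; 0 would switch the control off,
        # so only positive values are allowed here.
        [ValidateRange(1, 599940)]
        [int]$Seconds = 300
    )
    # Requires an elevated session. Creates the policy key if it is absent.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Seconds `
        -PropertyType DWord -Force | Out-Null
    return (Get-ScreenLockTimeout)
}

# Example run: record evidence for an open-area workstation and append it to a
# CSV that can be handed to the auditor as the "enforced screen lock" artefact.
Test-ScreenLockCompliance -Zone OpenArea |
    Export-Csv -Path '.\screenlock-evidence.csv' -NoTypeInformation -Append
```

Run the Test function from your endpoint management tool on a schedule and keep the CSV with the compliance audit records listed below; a row with Compliant = False is exactly the "timeout is too long" or "not configured" mistake that the audit walkthrough is meant to catch, found before the auditor does.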
Evidence Your Auditor Will Request
- Documented clear desk and clear screen policy
- Technical configuration showing enforced screen lock timeout
- Secure print system configuration requiring authentication for document release
- Clear desk compliance audit records showing regular checks
- Available lockable storage for all workstations
Common Mistakes
- Policy exists but is not enforced through regular compliance checks
- Automatic screen lock is not configured or timeout is too long
- Sensitive documents are left on printers or desks overnight
- Lockable storage is not available for all workstations
- Secure destruction bins are not conveniently located