ISO 27001:2022 – Clear Desk and Clear Screen (Annex A 7.7)

by Rahul Savanur

Introduction

The Clear Desk and Clear Screen control (ISO 27001:2022 Clause A.7.7) ensures that sensitive information is protected from unauthorized access in physical work environments. This includes securing documents and removable media, and ensuring that computer screens are locked when unattended.

Clear Desk and Clear Screen

Without enforcing clear desk and clear screen practices, organizations risk accidental data exposure, insider threats, and unauthorized access to confidential information. This control establishes a disciplined approach to workspace security, reducing the likelihood of information leakage and strengthening overall physical and information security posture.

What This Control Is About (Basic Information)

Comply Agent shows:

  • Title: Clear Desk and Clear Screen
  • Control ID: UC-PH-052
  • Category: Physical Security
  • Subcategory: Physical Security Policies and Procedures
  • Version: v1.0

Description

Define and implement clear desk and clear screen practices to protect sensitive information from unauthorized access. This includes securing physical documents and removable media, and ensuring systems are locked when not in use.

Objective

To prevent unauthorized access to sensitive information by ensuring that workspaces, documents, and systems are secured when unattended.

Implementation & Guidance

Comply Agent structures this control as a workplace security enforcement model:

1. Establish Clear Desk Policy

Organizations must:

  • Prohibit leaving sensitive documents unattended
  • Require secure storage (locked cabinets, drawers)
  • Define rules for handling printed and physical information

2. Enforce Clear Screen Controls

Implement:

  • Automatic screen lock after inactivity
  • Password/PIN-protected access
  • Secure log-off procedures

3. Secure Physical Workspaces

Ensure:

  • Clean desk practices at end of day
  • No confidential information left in open areas
  • Restricted access to workstations and offices

4. Implement Monitoring and Inspections

Comply Agent highlights:

  • Periodic physical inspections of work areas
  • Spot checks for compliance
  • Logging of inspection findings

5. Conduct Employee Awareness Training

Define:

  • Training on workspace security practices
  • Responsibilities for protecting physical information
  • Awareness of risks (shoulder surfing, unauthorized access)

6. Maintain Compliance Records

Maintain:

  • Policy acknowledgment records
  • Inspection reports
  • Evidence of system-enforced screen locks
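As an added example (not from the page or Comply Agent), the following PowerShell check reads the effective inactivity-lock settings of a Windows workstation for Step 2 (the machine inactivity limit and the screen-saver lock, policy hive first, then the user's own preference) and writes the result as a dated evidence file of the kind Step 6 asks for. The 900-second maximum and the output file name are assumptions; the page sets no timeout.

```powershell
# Added example: audit the inactivity lock on a Windows workstation and
# emit an evidence record. The 900 s (15 min) maximum is an assumed policy value.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function ConvertTo-Seconds {
    # Registry values here are numeric strings; missing/invalid -> 0 (no lock)
    param($Value)
    $n = $Value -as [int]
    if ($null -eq $n) { return 0 }
    return $n
}

function Test-ClearScreenConfig {
    param([int]$MaxTimeoutSeconds = 900)   # assumed organisational maximum

    # Machine-wide policy: "Interactive logon: Machine inactivity limit"
    $machineLimit = ConvertTo-Seconds (Get-RegValue `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs')

    # Per-user screen-saver lock: the policy hive overrides the user preference
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'
    $source  = if (Test-Path $policyPath) { $policyPath } else { $userPath }
    $active  = Get-RegValue $source 'ScreenSaveActive'
    $secure  = Get-RegValue $source 'ScreenSaverIsSecure'
    $timeout = ConvertTo-Seconds (Get-RegValue $source 'ScreenSaveTimeOut')

    $saverLocks   = ($active -eq '1') -and ($secure -eq '1') -and
                    ($timeout -gt 0) -and ($timeout -le $MaxTimeoutSeconds)
    $machineLocks = ($machineLimit -gt 0) -and ($machineLimit -le $MaxTimeoutSeconds)

    [pscustomobject]@{
        Host                  = $env:COMPUTERNAME
        User                  = $env:USERNAME
        CheckedAt             = (Get-Date).ToString('o')
        MachineInactivitySecs = $machineLimit
        ScreenSaverSource     = $source
        ScreenSaverTimeoutSec = $timeout
        ScreenSaverLocks      = $saverLocks
        Compliant             = ($saverLocks -or $machineLocks)   # either path locks in time
    }
}

# Keep the result as a dated evidence file (assumed file name and location).
$result = Test-ClearScreenConfig
$result | ConvertTo-Json | Out-File -FilePath ".\clear-screen-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd).json"
$result
```

Collected across a fleet, the JSON records give auditors the system-enforced evidence listed under Step 6 without relying on screenshots alone.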

Evidence Examples

Comply Agent shows:

  • Clear Desk and Clear Screen Policy document
  • System configuration screenshots for auto-lock settings
  • Physical inspection and audit records of workspaces

Operational Details

Comply Agent shows:

  • Frequency: Annually
  • Review Cycle: Annually
  • Owner Role: Facilities Manager
  • Responsible Role: Facilities Manager
  • Automation Score: 40%
  • Last Updated: As per system records

Compliance & Risk Management

Comply Agent shows:

  • Status: Not Started
  • Compliance Status: N/A
  • Control Type: Administrative
  • Maturity Level: Level 3
  • Risk Domain: Unauthorized Access to Information
  • Clause Reference: ISO 27001:2022 A.7.7

Framework Mappings

Comply Agent shows strong cross-framework alignment:

  • ISO 27001:2022 – A.7.7 (Exact)
  • SOC 2 – CC6.1
  • GDPR – Article 32
  • DORA – Article 10
  • NIST CSF – PR.AC-3, PR.AC-4

Evidence Library

Comply Agent shows the required audit evidence:

  • Policy Document – Clear Desk and Clear Screen Policy
  • Screenshots – Screen lock configurations and enforcement
  • Audit Logs (Auto-collected) – System logs for inactivity lock
  • Physical Inspection Records – Workspace audit reports

FAQs: ISO 27001:2022 – Clear Desk and Clear Screen (Annex A 7.7)

1. What is a clear desk and clear screen policy?

It ensures that no sensitive information is left exposed in physical or digital form when workspaces are unattended.

2. Who is responsible for enforcing this control?

Facilities and IT teams enforce policies, while all employees are responsible for complying with workspace security rules.

3. Why is this control important?

It reduces the risk of unauthorized access, data leakage, and insider threats in physical environments.

4. What do auditors expect as evidence?

Auditors look for policies, inspection records, system lock configurations, and employee awareness records.

5. Is automation required for this control?

Automation (like auto screen lock) is strongly recommended but must be supported by policy and user awareness.
