Requirement
Requirement lens
This control requires defined and enforced rules for protecting papers, removable media, and screens from unauthorized viewing, loss, or misuse.
“Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.”
Plain-language meaning
People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, alter, or discard them.
The control should apply during working hours and outside working hours, with stricter rules where information classification or visitor exposure requires it.
Why this matters
Open offices, shared work areas, visitors, cleaners, contractors, and mobile phone cameras make unattended information easy to capture. Disorderly desks also increase the chance of misfiling, accidental disposal, and damage during fire, flood, or other events.
Implementation guidance
Implementer focus
Keep the rule simple: sensitive information should not be visible, unattended, or recoverable by people who do not need it.
1. Define clear desk rules
Rules should cover:
- papers and notebooks;
- removable media;
- printed reports;
- working files;
- confidential waste;
- filing cabinets and safes;
- shared desks and hot desks;
- end-of-day checks;
- visitor and cleaner access periods.
2. Define clear screen rules
Rules should cover:
- screen locking when leaving a workstation;
- password-protected screensavers;
- automatic lock timeout;
- shutting down or locking equipment outside working hours;
- privacy screens where needed;
- behavior when visitors enter sensitive work areas.
3. Manage printers and fax machines
Printers and fax machines can expose sensitive information.
Controls may include:
- pull printing;
- secure printer locations;
- regular checks of output trays;
- no unattended sensitive print jobs;
- secure fax location where fax is still used;
- user training on optional secure-print functions.
4. Match enforcement to information classification
More sensitive areas need stronger monitoring and enforcement. A general office may need basic clean-desk checks; a regulated processing area may need documented inspections and sanctions for repeated non-compliance.
5. Make compliance practical
Staff often see this control as irritating. Training should explain real risks: phone photos, cleaners, visitors, misplaced records, waste disposal, and disaster damage. Enforcement should be simple, fair, and consistent.
Audit guidance
Auditor focus
Do not stop at the policy. Walk the office, check screens and desks, inspect printers, and ask staff what happens when visitors or cleaners enter.
Auditors should verify:
- clear desk and clear screen policy/rules exist;
- rules align with information classification;
- staff understand and follow the rules;
- screens lock when unattended;
- sensitive papers and media are not left exposed;
- filing cabinets, safes, and storage are used correctly;
- printers and fax machines are suitably located and controlled;
- pull printing is available or used where needed;
- sanctions or corrective actions are fair and consistently applied.
Audit observation should cover both working hours and non-working hours where practical.
Evidence examples
Evidence quality
Strong evidence combines policy, technical settings, observation, staff awareness, and enforcement records.
| Evidence | What it proves |
|---|---|
| Clear desk/screen policy | Rules are defined |
| Classification and handling rules | Controls match information sensitivity |
| Auto-lock configuration | Screen locking is technically enforced |
| Walkthrough/inspection records | Compliance is monitored |
| Printer/fax security review | Output devices are controlled |
| Training records | Staff know why and how to comply |
| Corrective action/sanction records | Non-compliance is handled |
Strong evidence
- Clear desk and clear screen rules are documented and communicated.
- Auto-lock settings are configured and enforced.
- Sensitive print/fax workflows are controlled.
- Walkthroughs show desks, screens, cabinets, and printers are managed.
- Repeat non-compliance leads to training or corrective action.
Weak evidence
- Policy exists but no one checks compliance.
- Screens rely only on user memory with no auto-lock.
- Printers contain piles of uncollected documents.
- Staff do not know how to use secure printing.
- Cleaning staff or visitors can view unattended sensitive information.
- Enforcement is inconsistent or informal.
Common failures
Implementation watchouts
Clear desk/clear screen fails when it is treated as a poster campaign instead of a working control.
| Failure | Why it matters |
|---|---|
| No technical auto-lock | Users forget to lock screens |
| Printer trays unmanaged | Sensitive information is exposed in shared areas |
| Visitor warning process absent | Staff keep sensitive work visible during visits |
| Classification not considered | Controls may be too weak for sensitive areas |
| Messy desks normalized | Documents are lost, misfiled, discarded, or photographed |
| No fair enforcement | Repeated behavior does not improve |
Exam traps
Exam focus
A.7.7 is not just tidiness. It protects unattended papers, removable media, screens, printers, and fax output from unauthorized access.
| Trap | Correct interpretation |
|---|---|
| Clear desk is only housekeeping | It reduces unauthorized disclosure, loss, damage, and misfiling |
| Clear screen means turning monitors off | It means preventing unauthorized access/viewing, usually through locking or shutdown |
| Applies only after work | It applies during working and non-working hours |
| Printers are outside scope | Printers and fax machines can expose sensitive output |
| Same rule fits every area | Rules should match classification and exposure risk |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.3 Securing Offices Rooms and Facilities
- A.7.6 Working in Secure Areas
- A.5.12 Classification of Information
- A.5.13 Labelling of Information
- A.5.14 Information Transfer
- A.5.10 Acceptable Use of Information and Other Associated Assets
- Clear Desk and Clear Screen Checklist
- Printer and Fax Security Checklist
- A.7.7 Audit Evidence Pack
- A.7.7 Audit Checklist
KB-ready summary
Mentor takeaway
A.7.7 protects information that people leave exposed on desks, screens, printers, fax machines, and removable media. It is a simple control, but weak enforcement makes it fail quickly.
- Define clear desk and clear screen rules.
- Use technical enforcement for screen locking.
- Control printers, faxes, removable media, and confidential waste.
- Match controls to information classification and visitor exposure.
- Audit by direct observation, not policy review only.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Clear desk
- Clear screen
- Audit
Note Metadata
Aliases: A.7.7, Clear Desk and Clear Screen
Source: 04 Annex A Physical Controls/A.7.7 Clear Desk and Clear Screen.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
9
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.6 - Working in Secure Areas
- ISO 27001 A.7.8 - Equipment Siting and Protection
- A.7 Physical Controls MOC
- A.7.7 Audit Evidence Pack
- AQ-ISO27001-A.7.7 Clear Desk and Clear Screen
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.7 Clear Desk and Clear Screen
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-022 - Environmental Threats, Secure Areas, and Clear Desk
- EXAM-023 - Equipment Siting and Protection
- ISO 27002 Annex A Control Interpretation Map
- A.7.7 Audit Checklist
- Clear Desk and Clear Screen Checklist
- Equipment Siting and Protection Assessment
- Printer and Fax Security Checklist
- Annex A Controls MOC