UnixTime

Research Note

ISO 27001 A.7.7 - Clear Desk and Clear Screen

People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, al...

On this page

Requirement

Requirement lens

This control requires defined and enforced rules for protecting papers, removable media, and screens from unauthorized viewing, loss, or misuse.

“Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.”

Plain-language meaning

People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, alter, or discard them.

The control should apply during working hours and outside working hours, with stricter rules where information classification or visitor exposure requires it.

Why this matters

Open offices, shared work areas, visitors, cleaners, contractors, and mobile phone cameras make unattended information easy to capture. Disorderly desks also increase the chance of misfiling, accidental disposal, and damage during fire, flood, or other events.

Implementation guidance

Implementer focus

Keep the rule simple: sensitive information should not be visible, unattended, or recoverable by people who do not need it.

1. Define clear desk rules

Rules should cover:

  • papers and notebooks;
  • removable media;
  • printed reports;
  • working files;
  • confidential waste;
  • filing cabinets and safes;
  • shared desks and hot desks;
  • end-of-day checks;
  • visitor and cleaner access periods.

2. Define clear screen rules

Rules should cover:

  • screen locking when leaving a workstation;
  • password-protected screensavers;
  • automatic lock timeout;
  • shutting down or locking equipment outside working hours;
  • privacy screens where needed;
  • behavior when visitors enter sensitive work areas.

3. Manage printers and fax machines

Printers and fax machines can expose sensitive information.

Controls may include:

  • pull printing;
  • secure printer locations;
  • regular checks of output trays;
  • no unattended sensitive print jobs;
  • secure fax location where fax is still used;
  • user training on optional secure-print functions.

4. Match enforcement to information classification

More sensitive areas need stronger monitoring and enforcement. A general office may need basic clean-desk checks; a regulated processing area may need documented inspections and sanctions for repeated non-compliance.

5. Make compliance practical

Staff often see this control as irritating. Training should explain real risks: phone photos, cleaners, visitors, misplaced records, waste disposal, and disaster damage. Enforcement should be simple, fair, and consistent.

Audit guidance

Auditor focus

Do not stop at the policy. Walk the office, check screens and desks, inspect printers, and ask staff what happens when visitors or cleaners enter.

Auditors should verify:

  • clear desk and clear screen policy/rules exist;
  • rules align with information classification;
  • staff understand and follow the rules;
  • screens lock when unattended;
  • sensitive papers and media are not left exposed;
  • filing cabinets, safes, and storage are used correctly;
  • printers and fax machines are suitably located and controlled;
  • pull printing is available or used where needed;
  • sanctions or corrective actions are fair and consistently applied.

Audit observation should cover both working hours and non-working hours where practical.

Evidence examples

Evidence quality

Strong evidence combines policy, technical settings, observation, staff awareness, and enforcement records.

Evidence What it proves
Clear desk/screen policy Rules are defined
Classification and handling rules Controls match information sensitivity
Auto-lock configuration Screen locking is technically enforced
Walkthrough/inspection records Compliance is monitored
Printer/fax security review Output devices are controlled
Training records Staff know why and how to comply
Corrective action/sanction records Non-compliance is handled

Strong evidence

  • Clear desk and clear screen rules are documented and communicated.
  • Auto-lock settings are configured and enforced.
  • Sensitive print/fax workflows are controlled.
  • Walkthroughs show desks, screens, cabinets, and printers are managed.
  • Repeat non-compliance leads to training or corrective action.

Weak evidence

  • Policy exists but no one checks compliance.
  • Screens rely only on user memory with no auto-lock.
  • Printers contain piles of uncollected documents.
  • Staff do not know how to use secure printing.
  • Cleaning staff or visitors can view unattended sensitive information.
  • Enforcement is inconsistent or informal.

Common failures

Implementation watchouts

Clear desk/clear screen fails when it is treated as a poster campaign instead of a working control.

Failure Why it matters
No technical auto-lock Users forget to lock screens
Printer trays unmanaged Sensitive information is exposed in shared areas
Visitor warning process absent Staff keep sensitive work visible during visits
Classification not considered Controls may be too weak for sensitive areas
Messy desks normalized Documents are lost, misfiled, discarded, or photographed
No fair enforcement Repeated behavior does not improve

Exam traps

Exam focus

A.7.7 is not just tidiness. It protects unattended papers, removable media, screens, printers, and fax output from unauthorized access.

Trap Correct interpretation
Clear desk is only housekeeping It reduces unauthorized disclosure, loss, damage, and misfiling
Clear screen means turning monitors off It means preventing unauthorized access/viewing, usually through locking or shutdown
Applies only after work It applies during working and non-working hours
Printers are outside scope Printers and fax machines can expose sensitive output
Same rule fits every area Rules should match classification and exposure risk

KB-ready summary

Mentor takeaway

A.7.7 protects information that people leave exposed on desks, screens, printers, fax machines, and removable media. It is a simple control, but weak enforcement makes it fail quickly.

  • Define clear desk and clear screen rules.
  • Use technical enforcement for screen locking.
  • Control printers, faxes, removable media, and confidential waste.
  • Match controls to information classification and visitor exposure.
  • Audit by direct observation, not policy review only.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Clear desk
  • Clear screen
  • Audit

Note Metadata

Aliases: A.7.7, Clear Desk and Clear Screen

Source: 04 Annex A Physical Controls/A.7.7 Clear Desk and Clear Screen.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

9

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.