Clear Desk and Clear Screen - ISO 27001 Annex A Control

ISO 27001 Annex A 7.7

An empty desk and a locked screen prevent more breaches than people expect.

ISO 27001 Annex A 7.7 - Clear Desk and Clear Screen

The control addresses the casual exposure that comes from how staff use their workspaces. A printout of customer data left on a desk is visible to cleaners, visitors and anyone who walks past. A laptop logged in and unattended is open to anyone who sits down. Clear desk and clear screen rules close these everyday gaps without expensive technology.

Clear desk rules typically expect that sensitive papers are filed away when not in active use, that storage media (USB drives, removable disks, paper notebooks) are locked in drawers or cabinets when staff are away from the desk, and that nothing sensitive is left out at the end of the day. The strictness of the rules scales with the sensitivity of the work being done.

Clear screen rules expect that screens are locked when staff step away. Most operating systems support automatic locking after a short idle period, which removes the reliance on staff remembering. Visible screen privacy - through positioning, privacy filters, or layout - protects against shoulder surfing in shared environments.

The clear desk audit at the end of the day is a good test of the control. We do periodic walks at 6pm to check that nothing sensitive is left out, and feed the findings back through team leads. Most issues are habit rather than malice - someone forgot to file something, or stepped away expecting to come back. The point of the rule is to make these small lapses visible and addressable rather than letting them accumulate.

Practical Compliance Guidance

Clear desk and clear screen rules are described in the IMS1 Manual in Section 8.3 IT Equipment and Physical Security.

alphaZ document - How to use it
ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.
PP-8-100 Information Security Policy Procedure - Contains the clear desk and clear screen expectations alongside the wider information security arrangements. Use as the source document for staff awareness and audit.
P-23 Clear Desk Screen Policy - Specific policy to address clear desk and clear screen working arrangements.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Yes, with the strictness scaled to the sensitivity of the information handled. Areas handling routine commercial information may need only standard clear desk rules. Areas handling personal data, legal matters or other sensitive information may have stricter rules including locked storage requirements and end-of-day desk checks.

Through automatic policies on the endpoint - typically a short idle timeout that locks the screen if no activity is detected. The timeout balances security against user experience: too short and staff find it disruptive, too long and the protection is weakened. Five to fifteen minutes is a common range. Manual locking when stepping away should be reinforced through training as a backup.

The principle still applies. Sensitive papers should not be left visible to family members or visitors at home. Screens should be locked when stepping away. The remote working policy under A.6.7 should reinforce these expectations alongside the wider remote security rules.
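The clear screen paragraph above and the FAQ answer on automatic locking both describe the same technical control: an endpoint idle timeout that locks the session. The script below is an added example written for this page, not part of the alphaZ toolkit or the IMS1 Manual. It reads the Windows settings that govern automatic locking and reports whether they meet a clear screen policy. The registry paths and value names are standard Windows locations; the 5 to 15 minute bounds follow the range given on this page and are an assumption to adjust to your own policy.

```powershell
# Added example for this page (not alphaZ toolkit code). Audits Windows
# automatic screen-lock settings against a clear screen policy.

$PolicyMinSeconds = 300   # 5 minutes  - assumed lower bound from the FAQ range
$PolicyMaxSeconds = 900   # 15 minutes - assumed upper bound from the FAQ range

function ConvertTo-Seconds($value) {
    # Registry values under Control Panel\Desktop are stored as strings;
    # a missing or empty value is treated as 0 (feature not configured).
    if ([string]::IsNullOrWhiteSpace("$value")) { return 0 }
    return [int]$value
}

function Get-ScreenLockSettings {
    # Machine-wide policy "Interactive logon: Machine inactivity limit".
    # When set, the session locks after this many seconds regardless of
    # what the user has chosen for their screen saver.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $machine = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Per-user screen saver settings for the current session.
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        InactivityTimeoutSecs = ConvertTo-Seconds $machine.InactivityTimeoutSecs
        ScreenSaveActive      = ConvertTo-Seconds $desktop.ScreenSaveActive
        ScreenSaverIsSecure   = ConvertTo-Seconds $desktop.ScreenSaverIsSecure
        ScreenSaveTimeOut     = ConvertTo-Seconds $desktop.ScreenSaveTimeOut
    }
}

function Test-ClearScreenCompliance {
    param([pscustomobject]$Settings)
    $findings = New-Object System.Collections.Generic.List[string]

    # Path 1: the machine inactivity limit is in range. This is the preferred
    # path because the user cannot switch it off.
    $machineOk = $Settings.InactivityTimeoutSecs -ge $PolicyMinSeconds -and
                 $Settings.InactivityTimeoutSecs -le $PolicyMaxSeconds

    # Path 2: a password-protected screen saver with an in-range timeout.
    # All three conditions are needed; an active saver that is not "secure"
    # does not lock the session and gives no protection.
    $saverOk = $Settings.ScreenSaveActive -eq 1 -and
               $Settings.ScreenSaverIsSecure -eq 1 -and
               $Settings.ScreenSaveTimeOut -ge $PolicyMinSeconds -and
               $Settings.ScreenSaveTimeOut -le $PolicyMaxSeconds

    if (-not $machineOk) {
        $findings.Add("Machine inactivity limit is $($Settings.InactivityTimeoutSecs)s; policy expects $PolicyMinSeconds-$PolicyMaxSeconds s (0 means not configured).")
    }
    if (-not $saverOk) {
        $findings.Add("Screen saver: active=$($Settings.ScreenSaveActive) secure=$($Settings.ScreenSaverIsSecure) timeout=$($Settings.ScreenSaveTimeOut)s; needs active=1, secure=1 and an in-range timeout.")
    }

    [pscustomobject]@{
        Compliant = ($machineOk -or $saverOk)
        Findings  = $findings
    }
}

$result = Test-ClearScreenCompliance -Settings (Get-ScreenLockSettings)
if ($result.Compliant) {
    Write-Output "Clear screen control: COMPLIANT"
} else {
    Write-Output "Clear screen control: NON-COMPLIANT"
    $result.Findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it in the user's own session (the HKCU values belong to the logged-in user). On a managed estate the machine inactivity limit is the setting to deploy centrally, because it cannot be overridden from the desktop; the screen saver path is acceptable as a fallback but is only as reliable as each user's settings, which is why the check reports both.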
