Clear Desk and Clear Screen Policy in ISO 27001
Imagine this scene: an employee at his desk in an open-plan office is reviewing financial data on his notebook. He receives a call about a last-minute meeting or takes a break for coffee, leaving his desk unattended.
This situation is more common than you might think and poses a significant information risk. Without proper measures, all the information and assets left on the desk can be accessed, seen, or taken by unauthorized individuals. If an information system is left logged on, anyone who accesses the desk can perform activities in the employee’s name.
ISO 27001, a popular information security framework, and ISO 27002, a detailed code of practice, provide guidance on handling such risks through control A.7.7 – Clear Desk and Clear Screen. Let’s explore how to implement these best practices.
ISO 27001 Clear Desk and Clear Screen – Best Practices
Use of Locked Areas
Protection of Devices and Information Systems
Restriction on Use of Copy and Printing Technology
Adoption of a Paperless Culture
Disposal of Information in Meeting Rooms
What Are Clear Desk and Clear Screen All About?
Clear desk and clear screen practices ensure that sensitive information, both digital and physical, and assets (e.g., notebooks, cellphones, tablets, information systems) are not left unprotected at workspaces when not in use or when someone leaves their workstation.
Why Are Clear Desk and Clear Screen Policies Important?
These policies tell employees how to handle information and assets properly, setting out the expected practices for securing information and materials in the workspace.
What Does a Clear Desk and Clear Screen Policy Require?
Compliance with ISO 27001 Control A.7.7 involves simple, low-tech actions:
Lock away assets when not required.
Log off or use screen locks for computers and terminals when unattended.
Use photocopiers and similar devices only when authorized.
Remove media from printers immediately.
How to Implement a Clear Desk and Clear Screen Policy
Use of Locked Areas
Provide lockable drawers, cabinets, safes, and file rooms to store information media (e.g., paper documents, USB drives) and easily transportable devices (e.g., cellphones, tablets) when not required.
Protection of Devices and Information Systems
Position computers to avoid passersby viewing screens. Use time-activated screen savers and password protection. Log off information systems when not in use. Shut down devices at the end of the day, especially network-connected ones.
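The screen-lock items above are the one part of A.7.7 that can be verified from the workstation itself rather than by walking the floor. The script below is an added example (not from the original post or from ISO 27001/27002): it reads the Windows screen-saver and inactivity-lock settings, preferring the Group Policy values over the user's own Control Panel choices, and reports whether a password-protected lock is enforced within a maximum idle time. The 900-second (15-minute) threshold is an assumed organisational value chosen for this example; the standard does not prescribe one.

```powershell
# Added example: audit a Windows workstation's clear-screen enforcement.
# Assumes it is run in the interactive user's session (HKCU reflects that user).
# $MaxIdleSeconds is an assumed policy threshold, not a value from ISO 27001.

$MaxIdleSeconds = 900

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

# Per-user Group Policy settings override the user's Control Panel choices,
# so the policy hive is consulted first and the user hive is the fallback.
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserPath   = 'HKCU:\Control Panel\Desktop'

function Get-ScreenLockSetting {
    param([string]$Name)
    $value = Get-RegValue -Path $PolicyPath -Name $Name
    if ($null -eq $value) { $value = Get-RegValue -Path $UserPath -Name $Name }
    return $value
}

function Test-ScreenLockCompliance {
    # Screen-saver path: enabled, password on resume, idle timeout within limit.
    $active  = Get-ScreenLockSetting 'ScreenSaveActive'     # "1" = enabled
    $secure  = Get-ScreenLockSetting 'ScreenSaverIsSecure'  # "1" = password required
    $timeout = Get-ScreenLockSetting 'ScreenSaveTimeOut'    # idle seconds (string)

    # Machine-wide path: "Interactive logon: Machine inactivity limit" (seconds, DWORD).
    $inactivity = Get-RegValue `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'InactivityTimeoutSecs'

    $screenSaverOk = ($active -eq '1') -and ($secure -eq '1') -and
                     $timeout -and ([int]$timeout -le $MaxIdleSeconds)
    $machineLockOk = $inactivity -and ([int]$inactivity -le $MaxIdleSeconds)

    $findings = @()
    if ($active -ne '1')  { $findings += 'Screen saver is not enabled' }
    if ($secure -ne '1')  { $findings += 'Screen saver does not require a password on resume' }
    if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
        $findings += "Screen saver idle timeout is '$timeout' s (limit $MaxIdleSeconds s)"
    }
    if (-not $machineLockOk) {
        $findings += "Machine inactivity limit is '$inactivity' s (unset or above $MaxIdleSeconds s)"
    }

    # Either enforcement path satisfies the control; report both for the audit record.
    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        UserName            = $env:USERNAME
        ScreenSaverEnforced = [bool]$screenSaverOk
        MachineLockEnforced = [bool]$machineLockOk
        Compliant           = [bool]($screenSaverOk -or $machineLockOk)
        Findings            = ($findings -join '; ')
    }
}

# Usage: emit one row per workstation, e.g. during the random checks described below.
Test-ScreenLockCompliance | Format-List
```

Run it under the account being audited; the result object can be exported with `Export-Csv` to build evidence for the internal audit or workstation-check step that follows. It reports settings only and changes nothing.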
Restriction on Use of Copy and Printing Technology
Control the use of printers, photocopiers, scanners, and cameras by reducing their number or requiring an access code so that only authorized users can operate them. Retrieve printed information promptly.
Adoption of a Paperless Culture
Avoid unnecessary printing. Do not leave sticky notes on monitors or under keyboards. Even small pieces of information can help wrongdoers compromise security.
Disposal of Information in Meeting Rooms
Erase whiteboards and properly dispose of papers used during meetings (e.g., use a shredder).
Periodic Measures
Training and Awareness: Conduct regular training and awareness events. Use posters, email alerts, newsletters, etc., to communicate policy aspects.
Evaluations: Periodically evaluate employees’ compliance with policy practices through internal audits or random workstation checks.
What is a Clean Desk Audit?
A clean desk audit systematically evaluates if planned rules and measures are implemented and followed by employees.
Avoid Prying Eyes and Unauthorized Access
A lack of care with workspaces can lead to compromised personal or organizational information. Passwords, financial data, and sensitive emails can be disclosed, impacting privacy and competitive advantage. Negative outcomes due to accidents, human error, or malicious actions can be prevented through accessible low-tech measures in a clear desk and clear screen policy.
Don’t wait for incidents to occur. Implement preventive measures now to protect your sensitive information.