1. Framework FAQs

ISO 27001:2022 A.7.7 Clear desk and clear screen

This article provides additional information on how you can meet the requirement of ISO 27001:2022 A.7.7 Clear desk and clear screen.

ISO 27001:2022 Control Description

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.

Purpose

To minimise the risks of unauthorised access, loss, and damage to information left on desks, screens, and other accessible locations during and outside normal working hours.

Guidance on implementation

The organisation should establish and communicate a topic-specific policy regarding clear desk and clear screen practices to all relevant interested parties.

The following guidelines should be considered:

a) Securing sensitive or critical business information (e.g., on paper or electronic storage media) by locking it away in a safe, cabinet, or other secure furniture when not in use, especially when the workspace is unattended.

b) Protecting user endpoint devices with key locks or other security measures when they are not in use or left unattended.

c) Logging off user endpoint devices or activating screen and keyboard locking mechanisms controlled by user authentication when devices are unattended. All computers and systems should be configured with automatic timeout or logout features.

d) Ensuring that individuals collect printouts from printers or multi-function devices immediately after printing. Consider using printers with authentication functions so that documents are only released when the originator is present at the device.

e) Securely storing documents and removable storage media containing sensitive information, and disposing of them securely when no longer needed through appropriate disposal mechanisms.

f) Establishing and communicating rules and guidance for configuring screen pop-ups (e.g., disabling new email and messaging notifications during presentations, screen sharing, or when in public areas, where possible).

g) Erasing sensitive or critical information from whiteboards and other display surfaces once it is no longer required.

The organisation should have procedures in place for vacating facilities, including conducting a final inspection before leaving to ensure that no organisational assets are left behind (e.g., documents that may have fallen behind drawers or furniture).