Annex A · Physical Controls

A.7.7 — Clear Desk and Clear Screen

5 min read · Reviewed by: Cenedril Editorial
Tags: A.7.7 · ISO 27001 · ISO 27002 · BSI INF.7 · BSI ORP.4

The cleaning crew enters the office at 8 PM. On one desk: a printed list of all employee salaries. On another: a sticky note with “Admin PW: Welcome2024!” On a third: a USB drive labelled “Board Presentation — Confidential.” Every screen shows the Windows desktop — nobody locked their computer. By morning, the cleaners have seen more sensitive information than most employees. A.7.7 is one of the simplest controls in the standard — and one of the most frequently failed.

The control requires organizations to define and enforce rules for clearing desks of sensitive documents and removable media, and for locking screens whenever a workstation is unattended. The goal is to reduce the risk of unauthorized access to, loss of, or damage to information left on desks, screens and other accessible locations, both during and outside normal working hours.

What does the standard require?

The core requirements cover three areas:

  • Clear desk. Sensitive documents, removable storage media and other information carriers must be stored securely (lockable drawer, cabinet, safe) when not in active use — especially when the person leaves their workstation or the office.
  • Clear screen. Workstations must be locked or logged off when unattended. Automatic screen-lock after a defined period of inactivity must be enforced through technical controls.
  • Printer and output management. Printed documents must be collected promptly. Uncollected printouts at shared printers are a data-exposure risk. Whiteboards and displays must be cleared of sensitive content after use.

In practice

Write a clear-desk and clear-screen policy. Keep it short, practical and specific: what must be locked away, how quickly the screen must lock, what to do with printouts, who enforces it. Distribute the policy to all staff and include it in awareness training.

Provide the infrastructure. Every workstation needs a lockable drawer or pedestal. Shared printers should have pull-print or badge-print functionality so that documents are only released when the owner is standing at the printer.

Conduct spot checks. Schedule unannounced walk-throughs — weekly or bi-weekly. Check desks for exposed documents, unlocked screens and uncollected printouts. Record findings (anonymized) and report trends to management.

Include in awareness training. Demonstrate the risk: show photos of real (anonymized) clean-desk violations found during spot checks. Practical examples are far more effective than abstract policy slides.

Typical audit evidence

Auditors typically expect the following evidence for A.7.7:

  • Clear-desk and clear-screen policy — the approved policy document (see the Physical Security Policy template in the Starter Kit)
  • GPO/MDM configuration — an export of the policy object that enforces the automatic screen lock, ideally backed by a check on a sample of endpoints showing the setting is applied from the policy hive and not merely set by the user
  • Spot-check records — documented results of walk-through inspections
  • Awareness training materials — slides or e-learning modules covering clear desk and clear screen
  • Pull-print configuration — evidence that shared printers require badge authentication
  • Lockable furniture inventory — evidence that all workstations have secure storage

KPI

% of workstations verified compliant with clear desk and clear screen policy

Measured through spot checks: what percentage of inspected workstations had no exposed sensitive documents, a locked screen (if unattended) and no visible credentials? Target: above 90%. Most organizations start at 40–60% and improve steadily with regular spot checks and awareness campaigns.

Supplementary KPIs:

  • Number of clear-desk violations found per spot check (trending downward is the goal)
  • % of workstations with enforced screen-lock timeout
  • % of shared printers with pull-print enabled
  • Number of uncollected printouts found per spot check

BSI IT-Grundschutz

A.7.7 maps to several BSI modules:

  • INF.7.A6 (Clean desk policy) — explicitly requires a clear-desk policy for office workspaces.
  • INF.7.A7 (Locking measures) — requires lockable furniture for every workstation.
  • INF.7.A8 (Protection of workstations outside working hours) — extends clear-desk rules to cover periods when the office is unoccupied.
  • SYS.2.1.A1 (User authentication) — covers screen lock and session management.
  • ORP.4.A9 (Requirements for the handling of authentication means) — prohibits recording credentials on paper or sticky notes.
  • INF.8.A1 / INF.8.A6 (Home workplace) — extends clear-desk rules to home offices.

A.7.7 connects to information handling and access management. Related controls include A.5.10 (Acceptable use of information and other associated assets), A.5.12 (Classification of information) and A.5.17 (Authentication information).

Frequently asked questions

Does clear desk mean my desk must be completely empty?

The control focuses on sensitive information. Pens, a coffee cup and a keyboard are fine. Printed customer lists, access credentials, USB drives with classified data, and documents marked 'Confidential' must be secured in a lockable drawer or cabinet when you are away from your desk.

What is the required screen-lock timeout?

The standard does not specify a number. Common practice is 5 minutes of inactivity for general workstations and 1 minute (or immediate lock on departure) for workstations in high-security areas. Two things matter more than the exact figure: the timeout is delivered by policy (GPO, MDM) so the user can neither lengthen nor disable it, and unlocking requires re-authentication. A screen saver without password protection is not a screen lock.
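The following script is an added example written for this page, not code from the original page or from Cenedril; it illustrates the "enforced by policy" point above and the GPO/MDM evidence item in the audit section. It reads the two places where Windows stores a policy-delivered screen lock: the user-scope screen-saver policy (Enable screen saver, Screen saver timeout, Password protect the screen saver) under the Policies hive, and the machine-scope "Interactive logon: Machine inactivity limit" setting. Values in these locations come from Group Policy or an MDM CSP and cannot be changed by the user; a timeout that exists only under the user's own Control Panel settings is not evidence of enforcement. The 300-second default threshold is an assumption taken from the common-practice figure above, not a value from the standard.

```powershell
# Added example (not from the original page). Audit whether a Windows workstation
# has a policy-enforced screen lock. Save as Test-ScreenLockPolicy.ps1 and run it
# in the interactive session of the user whose policy you want to check.
# The 300 s default threshold is an assumption based on common practice.
param(
    [int]$MaxTimeoutSeconds = 300
)

# Policy hives: values here are written by GPO/MDM and override user settings.
$userPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    # Returns the registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$result = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    UserName     = $env:USERNAME
    # Screen-saver-based lock (user-scope policy, stored as strings "1"/"0" and seconds)
    ScreenSaverActive  = Get-PolicyValue $userPolicy 'ScreenSaveActive'
    ScreenSaverTimeout = Get-PolicyValue $userPolicy 'ScreenSaveTimeOut'
    ScreenSaverSecure  = Get-PolicyValue $userPolicy 'ScreenSaverIsSecure'
    # Machine inactivity limit in seconds (machine-scope, independent of the screen saver)
    InactivityTimeoutSecs = Get-PolicyValue $machinePolicy 'InactivityTimeoutSecs'
}

# Screen-saver path counts only if it is active, password-protected and within the threshold.
$ssTimeout = $result.ScreenSaverTimeout -as [int]
$ssLocks = ($result.ScreenSaverActive -eq '1') -and
           ($result.ScreenSaverSecure -eq '1') -and
           ($ssTimeout -gt 0) -and
           ($ssTimeout -le $MaxTimeoutSeconds)

# Machine inactivity limit always locks with re-authentication; only the timeout matters.
$inactTimeout = $result.InactivityTimeoutSecs -as [int]
$inactLocks = ($inactTimeout -gt 0) -and ($inactTimeout -le $MaxTimeoutSeconds)

# Either mechanism satisfies the clear-screen requirement.
$result.Compliant = [bool]($ssLocks -or $inactLocks)

[pscustomobject]$result | Format-List
```

Run it across a sample of workstations (for example through a remote session or an endpoint-management script job) and keep the output with the policy export; the per-host `Compliant` value also feeds the supplementary KPI "% of workstations with enforced screen-lock timeout". A missing value means the setting is not delivered by policy at all, which is the finding auditors care about, regardless of what the user has configured locally.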

Should we do spot checks?

Yes. Periodic unannounced walk-throughs are the most effective way to verify compliance. Document the findings (anonymized) and share aggregated results with management. Positive trends reinforce the message; persistent issues identify areas that need additional awareness.