Annex A 7.7: Clear Desk Clear Screen
The Annex A 7.7 clear desk and clear screen requirement means you must reduce the chance of unauthorized disclosure by making sure sensitive information is not left visible or unattended on desks, printers, whiteboards, or screens. To operationalize it fast, set clear rules for end-of-day and “step away” behaviors, add workspace protections, and collect repeatable evidence that the control operates.
Key takeaways:
- Define “sensitive” for your environment, then standardize what must be put away, locked, or cleared.
- Build the control into daily routines: step-away locking, clean-down rules, secure disposal, and visitor management.
- Auditors will ask for proof of operation, not just a policy; plan recurring checks and retain artifacts.
Most clear desk/clear screen programs fail for one reason: they stay at “policy posted on the intranet” and never become a managed control with verification. Annex A 7.7 is operational by design. It expects day-to-day handling rules for physical information (papers, notebooks, shipping labels), shared devices (printers, fax/scanners), and visual exposure points (monitors, conference room displays, whiteboards).
For a Compliance Officer, CCO, or GRC lead, the fastest path is to scope the requirement to where exposure is real (open offices, customer support floors, hybrid work, shared meeting rooms), define minimum behaviors, and attach lightweight checks that produce evidence. The goal is straightforward: reduce incidental disclosure, insider opportunity, and “walk-by” data exposure that can trigger security incidents, contractual breaches, or audit findings.
This page gives requirement-level implementation guidance aligned to ISO/IEC 27001:2022 Annex A 7.7, with an emphasis on fast operationalization and audit-ready artifacts. Citations refer to the ISO/IEC 27001 overview and a public Annex A control index summary, since ISO’s full control text is licensed. 1
Regulatory text
Framework requirement (licensed text not reproduced): ISO/IEC 27001:2022 Annex A control 7.7 addresses “Clear Desk Clear Screen” as an implementation expectation within an information security management system. 1
Operator interpretation: You must implement rules and practical safeguards so that sensitive information is not left exposed in work areas and on screens when people are away, at shift change, or at end of day. The control should cover paper records, removable media, and information displayed electronically (including monitors, meeting room displays, and laptops in public spaces). 1
Plain-English interpretation of the requirement
The Annex A 7.7 clear desk and clear screen requirement is a “reduce casual exposure” control. It assumes mistakes happen: someone walks away from a desk, a printout sits in an output tray, or a conference room whiteboard keeps yesterday’s customer issue visible to the next meeting. Your job is to make the secure behavior the default and to make exceptions rare, controlled, and auditable.
Think of it as three outcomes:
- Sensitive items are not left out (papers, badges, removable media, devices).
- Sensitive content is not left visible (unlocked screens, shared displays, whiteboards).
- There is a repeatable way to verify the behavior and remediate noncompliance.
Who it applies to (entity and operational context)
Entity scope: Any organization implementing ISO/IEC 27001, including service organizations, where information could be exposed through physical workspaces or visible screens. 2
Operational scope (apply where the risk is):
- Corporate offices and shared spaces: open-plan desks, hot-desking, reception, mailrooms, print stations.
- Operations floors: customer support, claims processing, finance/AP, HR, NOC/SOC.
- Hybrid/remote work: coworking spaces, travel, home offices, public areas.
- Third parties onsite: contractors, cleaners, visitors, audit teams, delivery personnel.
Information scope: Your classification scheme should drive the rule. If you don’t have one, define “sensitive” pragmatically for this control (for example: customer data, employee data, authentication secrets, contracts, pricing, security tooling screens).
What you actually need to do (step-by-step)
1) Define the rule set (write it so people can follow it)
Create a short “Clear Desk/Clear Screen Standard” (one page is fine) and align it to your policy hierarchy.
- Define what must be cleared: paper with sensitive data, notebooks with customer notes, removable media, access badges, keys, portable devices, shipping labels, check stock, etc.
- Define what must be locked: laptops when stepping away, desktops with auto-lock, filing cabinets, lockboxes for regulated paper.
- Define what must be destroyed: drafts, misprints, outdated reports, call notes, visitor sign-in sheets (based on retention).
- Define time-based triggers in plain language (avoid numbers if you can’t enforce them): “when you step away,” “at shift change,” “end of day,” “before visitors enter,” “before a meeting ends.”
Implementation tip: keep exceptions explicit (for example, “active processing piles” allowed only in designated zones with supervised access).
2) Map the standard to physical and technical controls
You need both, because behavior alone is fragile.
Physical controls:
- Lockable storage at or near workstations (drawers, cabinets).
- Secure print features for sensitive printers (badge release or PIN release if available).
- Shred bins with defined pickup and chain-of-custody expectations.
- Visitor controls (badges, escorts) for areas where desks/screens exist.
Technical controls:
- Enforced screen lock policies (endpoint management).
- Privacy screens for high-exposure roles (reception, support floors).
- Meeting room display defaults (auto-timeout, “no persistent casting,” clearing after meetings).
- Device encryption and remote wipe for laptops used in public settings.
3) Build the control into onboarding and role-based training
Add a short module to:
- New hire onboarding (what “clear” means, how to dispose, where to store).
- Role training for high-risk areas (support, HR, finance, engineers with prod access).
- Visitor/contractor briefings for people who may sit at desks or enter operational areas.
Make it concrete: show photos of “acceptable” and “not acceptable” desks/screens in your environment.
4) Create a verification mechanism that produces evidence
Auditors will test operating effectiveness. Pick one or more checks you can sustain:
- Manager walk-through attestations (simple checklist).
- Security spot checks (documented observations, noncompliance tickets).
- Facilities/physical security checks (after-hours rounds, clean desk sweeps).
- Printer station checks (output tray left-behind review, secure print logs where available).
Tie findings to a lightweight remediation workflow: notify, correct, retrain, and escalate repeat issues.
5) Operationalize for hybrid/remote
A clear desk rule that ignores home offices creates a gap.
- Require screen locking for remote work and prohibit displaying sensitive data in public spaces.
- Define expectations for paper at home (minimize printing; store in locked container; secure disposal).
- Add guidance for travel: never leave devices or papers unattended; use privacy filters in airports/cafes.
6) Document control ownership and cadence
Assign:
- Control owner: usually Security or GRC.
- Operational owners: Facilities/Physical Security, IT (endpoint enforcement), department heads.
- Cadence: set a recurring schedule for checks and reporting that you can consistently execute.
Daydream fit (earned mention): if you manage evidence across many Annex A controls, Daydream can act as the system of record for 7.7 by mapping the requirement to a documented control procedure and prompting recurring evidence capture so you are not rebuilding artifacts before an audit.
Required evidence and artifacts to retain
Keep artifacts that show both design and operation:
Design evidence (what you intended):
- Clear Desk/Clear Screen standard and approval record.
- Information classification references or “sensitive information” definition for this control.
- Endpoint configuration standards (screen lock policy description).
- Physical security standards (storage, shredding, visitor controls) where relevant.
Operational evidence (what actually happened):
- Completed walk-through checklists (dated, signed/attested).
- Spot check logs with findings and corrective actions.
- Training completion records for onboarding and high-risk roles.
- Tickets or tasks showing remediation (for example, added lockable storage, enabled secure print).
- Exception register (who has an exception, why, how controlled, review notes).
Common exam/audit questions and hangups
Auditors and certification bodies commonly probe these angles:
- “Show me how you enforce screen locking.” Expect endpoint policy screenshots, MDM configuration evidence, and sampling results.
- “What counts as sensitive information here?” If you can’t define it, people can’t comply and auditors can’t test it.
- “How do you know the policy is followed?” A policy without verification is a frequent finding.
- “How do you handle printers and shared areas?” Output trays and meeting rooms are common weak points.
- “How does this work for remote staff?” If remote is in scope for the ISMS, the control needs a remote operating model.
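One way to produce the “sampling results” an auditor asks for on screen locking is to read the effective lock settings from a sample of managed Windows endpoints and save a dated record per machine. The script below is an added example, not part of the original page or any product; the 900-second threshold and the evidence folder are assumptions to replace with your own standard.

```powershell
# Added example: sample a Windows endpoint's screen-lock settings and write a dated
# evidence record for Annex A 7.7 verification. Run as the logged-on user on a managed
# endpoint. The threshold and evidence directory are assumed values for this example.
param(
    [int]$MaxTimeoutSeconds = 900,                                  # assumed standard: 15 minutes
    [string]$EvidenceDir = "$env:USERPROFILE\ClearScreenEvidence"  # assumed evidence location
)

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Policy-enforced settings (Group Policy / MDM) take precedence over the user's own preferences.
$policyPath  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userPath    = 'HKCU:\Control Panel\Desktop'
$machinePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$active  = Get-RegValue $policyPath 'ScreenSaveActive';    if ($null -eq $active)  { $active  = Get-RegValue $userPath 'ScreenSaveActive' }
$secure  = Get-RegValue $policyPath 'ScreenSaverIsSecure'; if ($null -eq $secure)  { $secure  = Get-RegValue $userPath 'ScreenSaverIsSecure' }
$timeout = Get-RegValue $policyPath 'ScreenSaveTimeOut';   if ($null -eq $timeout) { $timeout = Get-RegValue $userPath 'ScreenSaveTimeOut' }
# Machine-wide limit set by "Interactive logon: Machine inactivity limit" (Security Options).
$inactivity = Get-RegValue $machinePath 'InactivityTimeoutSecs'

$enforcedByPolicy = ($null -ne (Get-RegValue $policyPath 'ScreenSaverIsSecure')) -or ($null -ne $inactivity)
# The effective lock time is the shortest configured positive timeout.
$effectiveTimeout = @([int]$timeout, [int]$inactivity) | Where-Object { $_ -gt 0 } | Sort-Object | Select-Object -First 1
$locks = ($active -eq '1' -and $secure -eq '1') -or ([int]$inactivity -gt 0)
$pass  = $locks -and $effectiveTimeout -and ($effectiveTimeout -le $MaxTimeoutSeconds)

$record = [pscustomobject]@{
    Host                  = $env:COMPUTERNAME
    User                  = $env:USERNAME
    CheckedAtUtc          = (Get-Date).ToUniversalTime().ToString('o')
    ScreenSaverActive     = $active
    ScreenSaverSecure     = $secure
    ScreenSaverTimeoutSec = $timeout
    InactivityTimeoutSec  = $inactivity
    EnforcedByPolicy      = $enforcedByPolicy
    EffectiveTimeoutSec   = $effectiveTimeout
    Result                = $(if ($pass) { 'PASS' } else { 'FAIL' })
}

# One JSON file per host and run gives a dated, retainable artifact for the sampling trail.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$file = Join-Path $EvidenceDir ("screenlock-{0}-{1:yyyyMMdd-HHmmss}.json" -f $env:COMPUTERNAME, (Get-Date))
$record | ConvertTo-Json | Set-Content -Path $file -Encoding UTF8
$record | Format-List
```

A FAIL record with EnforcedByPolicy false means the user could change the setting themselves, which is the gap an auditor will probe; pair the records with the MDM or Group Policy configuration evidence the page lists above.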
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails | Better approach |
|---|---|---|
| Publishing a policy and stopping | No operating effectiveness evidence | Add recurring checks, documented outcomes, and remediation tickets |
| Treating it as “paper only” | Screens and meeting rooms leak data | Include screen lock, conference room rules, and whiteboard clearing |
| No defined “sensitive” scope | People guess; auditors challenge | Map to your classification scheme or define categories for this control |
| Ignoring printers | Misprints and left-behind pages are common | Secure print where feasible; add printer station checks |
| Blanket exceptions (e.g., “operations needs paper piles”) | Creates permanent exposure | Use designated zones + supervision + periodic review |
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not list specific cases.
Operational risk still matters:
- Confidentiality breaches from incidental exposure: unattended screens, forgotten printouts, and visible whiteboards can disclose customer data, credentials, or financial information.
- Contract and audit failures: many customer security addenda and audits expect a clear desk/clear screen discipline for areas handling their data.
- Insider opportunity: exposed documents reduce the effort required for data theft or manipulation.
Treat Annex A 7.7 as a “low cost, high nuisance” control: it does not require advanced tooling, but it requires steady execution.
A practical 30/60/90-day execution plan
Days 1–30 (Immediate stabilization)
- Name a control owner and define in-scope locations (offices, support floor, print areas, meeting rooms, remote guidance).
- Publish the Clear Desk/Clear Screen standard with a simple “step away / end of day” rule set.
- Implement or confirm screen lock enforcement via IT policy for managed endpoints.
- Set up secure disposal basics: shred bins or secure destruction process; label print areas.
- Build one verification method (manager checklist or security spot check template) and run a pilot in one department.
Days 31–60 (Expand and evidence)
- Roll the standard to all departments and include it in onboarding.
- Add targeted controls where the pilot found issues (lockable storage, privacy screens, secure print configuration).
- Start recurring checks and store evidence in a central repository (GRC tool or Daydream evidence collection workflow).
- Create an exception register with an approval and review mechanism.
Days 61–90 (Operational maturity)
- Normalize reporting: trend findings, repeat offenders, and remediation closure.
- Extend to meeting rooms: whiteboard clearing reminders, display timeout defaults, “clear at end of meeting” signage.
- Validate remote coverage: update remote work guidance, confirm endpoint compliance, add a short refresher training.
- Prepare the audit narrative: scope, control design, operating cadence, sampling results, and corrective actions.
Frequently Asked Questions
Does Annex A 7.7 apply to remote employees working from home?
If remote work is in scope for your ISMS, you need clear screen expectations and practical safeguards for home and travel. Focus on screen locking, minimizing printing, and secure storage/disposal for any paper that contains sensitive information.
What counts as “clear desk” if a team processes paper all day?
Allow controlled “active work” piles only in defined areas with supervised access, then require clean-down at shift change and end of day. Document the exception conditions and verify them during walk-through checks.
Do we need secure print (badge/PIN release) to meet the requirement?
The requirement is outcome-focused: prevent exposed printouts in shared areas. Secure print is a strong control where feasible, but you can also meet the intent with disciplined processes plus verification, especially in smaller offices.
How do we prove this control operates during an ISO 27001 audit?
Keep dated walk-through/spot-check records, evidence of screen lock enforcement, training completion records, and remediation tickets for issues found. Auditors typically want to see a sampling trail that connects findings to fixes.
Are privacy screens mandatory?
Not universally. They make sense for high-exposure roles (reception, support floors, public-facing desks) or spaces where visitors pass close to screens; document your rationale either way.
How strict should we be about whiteboards in conference rooms?
Treat whiteboards as an information asset when they contain sensitive content. Add a “clear at end of meeting” rule, supply cleaning materials, and include conference rooms in periodic checks.