Clear Desk and Clear Screen

The clear desk and clear screen requirement means you must prevent unauthorized access to confidential information in work areas by securing sensitive papers when unattended and locking screens after inactivity. To operationalize it, set enforceable rules, deploy technical screen-lock controls, train staff, and keep audit-ready evidence that the controls work in daily operations. (VDA ISA Catalog v6.0)

Key takeaways:

  • Clear desk = sensitive physical materials are secured when workstations are unattended. (VDA ISA Catalog v6.0)
  • Clear screen = automatic screen locking after inactivity, backed by configuration evidence. (VDA ISA Catalog v6.0)
  • Auditors look for enforcement, not slogans: settings, training, exceptions, and spot-check records. (VDA ISA Catalog v6.0)

Clear desk and clear screen controls fail most often in the “last meter” of security: a printed drawing left on a desk, a laptop left unlocked in a conference room, or a customer file visible to visitors. VDA ISA 7.2.1 pushes you to treat these as preventable operational risks, not employee etiquette.

For a Compliance Officer, CCO, or GRC lead, the job is straightforward: translate “keep information out of sight and locked up” into measurable, enforceable requirements that apply across offices, labs, and shared spaces. You need two layers working together. First, clear rules for physical materials (papers, notebooks, removable media, prototypes, whiteboards). Second, technical enforcement for screens (auto-lock plus re-authentication), with limited, documented exceptions.

This page gives you requirement-level implementation guidance: who is in scope, what to do step-by-step, what evidence to retain for a TISAX-oriented assessment, and the common audit hangups that derail otherwise mature programs. The goal is fast operationalization with defensible proof. (VDA ISA Catalog v6.0)

Regulatory text

VDA ISA 7.2.1 requires you to “Enforce clear desk and clear screen policies to prevent unauthorized access to confidential information in work areas.” (VDA ISA Catalog v6.0)

Operationally, that breaks into two enforceable expectations:

  • Clear desk: confidential documents must be secured when unattended (for example, in locked drawers, cabinets, secure bins, or access-controlled rooms). (VDA ISA Catalog v6.0)
  • Clear screen: screens must automatically lock after inactivity periods, requiring re-authentication to regain access. (VDA ISA Catalog v6.0)

The word “enforce” matters. A poster and a policy statement are not enough. You need technical controls where possible (screen lock), and routine operational controls where technical enforcement is not possible (paper handling, end-of-day checks, visitor management, and supervisor oversight). (VDA ISA Catalog v6.0)

Plain-English interpretation (what the requirement really demands)

Your organization must make it hard for an unauthorized person to see or take confidential information simply by walking through a work area. That includes:

  • Visitors, cleaning staff, and contractors after hours
  • Employees from other teams without a need to know
  • Anyone passing by shared spaces (reception, meeting rooms, manufacturing offices)

Clear desk reduces exposure from physical materials and “incidental disclosure.” Clear screen reduces exposure from unattended devices, shoulder-surfing, and opportunistic access to logged-in sessions. Together, they provide a baseline defense that auditors expect to be consistently applied, especially in environments handling automotive customer information, engineering data, or other confidential assets. (VDA ISA Catalog v6.0)

Who it applies to (entity + operational context)

Entities in scope: automotive suppliers and OEMs aligning to VDA ISA (commonly via TISAX assessments). (VDA ISA Catalog v6.0)

Operational scope: any work area where confidential information can appear, including:

  • Corporate offices, engineering floors, labs, and test areas
  • Conference rooms and shared workstations
  • Reception areas, printer/copier zones, mailrooms
  • Remote work and home offices (if confidential information is accessed there)
  • Third-party premises where your personnel work or where your information is handled (manage via third-party requirements and onsite rules)

In-scope assets:

  • Printed documents: contracts, drawings, customer reports, requirements, defect logs
  • Handwritten notes and notebooks
  • Removable media and storage devices
  • Whiteboards and flip charts with confidential content
  • Screens: desktops, laptops, thin clients, and kiosks that can display confidential information (VDA ISA Catalog v6.0)

What you actually need to do (step-by-step)

1) Define “confidential information” for this control

You cannot enforce clear desk if people don’t know what must be cleared.

  • Map your internal information classification to “must secure when unattended.”
  • Include customer-provided information and engineering artifacts explicitly.
  • Define “unattended” plainly (e.g., leaving the workstation or room). (VDA ISA Catalog v6.0)

Deliverable: a short control standard section inside your policy that lists examples and required handling.

2) Write a clear desk / clear screen standard that is enforceable

Keep it short and testable. Include:

  • What must be put away (documents, notes, media, badges, prototypes if applicable)
  • Where it must go (locked storage, secure rooms, approved disposal bins)
  • Rules for printers (no sensitive printouts left in trays; consider pull-print where available)
  • Rules for meeting rooms (wipe whiteboards; collect handouts; check under tables)
  • Clear screen expectation (auto-lock + re-authentication)
  • Exception process (approved roles/areas only, documented, time-bound) (VDA ISA Catalog v6.0)

3) Implement physical controls that make compliance realistic

Policy-only programs fail when storage and disposal aren’t available.

  • Provide sufficient lockable storage (drawers, cabinets) in areas handling confidential information.
  • Place secure disposal bins where printing or document handling occurs.
  • Establish a “last person out” routine for shared spaces (conference rooms, print areas).
  • Add visitor management practices that reduce exposure (escorts in sensitive zones, controlled access). (VDA ISA Catalog v6.0)

4) Enforce clear screen with technical configuration

This is where you can prove enforcement quickly.

  • Set a corporate standard for automatic screen lock after inactivity (your chosen time threshold should be consistent and justifiable).
  • Require re-authentication on unlock.
  • Apply the configuration via centralized device management where possible.
  • Include laptops and desktops, plus shared workstations that can display confidential information. (VDA ISA Catalog v6.0)

Evidence focus: demonstrate that settings are pushed centrally and apply broadly, not configured ad hoc.

5) Train, reinforce, and make it a supervisor-owned behavior

Training must connect behavior to real work patterns:

  • Teach print-and-forget and meeting room “leftovers” as primary risks.
  • Provide a simple end-of-day checklist for teams handling sensitive materials.
  • Make line managers responsible for reinforcement during onboarding and team routines. (VDA ISA Catalog v6.0)

6) Monitor and correct (lightweight, continuous)

Auditors expect you to detect noncompliance and act.

  • Run periodic spot checks in higher-risk areas (print stations, engineering pods, shared labs).
  • Record findings, corrective actions, and repeat issues.
  • Track exceptions and confirm they are still justified. (VDA ISA Catalog v6.0)

Practical note: treat spot checks as coaching with escalation only for repeated or willful behavior. Document both coaching and escalations.

Required evidence and artifacts to retain

Maintain artifacts that show design, implementation, and operation:

Design

  • Clear Desk and Clear Screen policy/standard text approved and version-controlled (VDA ISA Catalog v6.0)
  • Information classification/handling rules that define what must be secured (VDA ISA Catalog v6.0)
  • Exception procedure and criteria (VDA ISA Catalog v6.0)

Implementation

  • Photos or inventory records showing lockable storage and secure disposal availability in relevant areas
  • Visitor/physical access procedures for sensitive work areas (where applicable)
  • Device management configuration baselines for screen lock and re-authentication (VDA ISA Catalog v6.0)

Operation

  • Training records (new hire + periodic refresh) and acknowledgments tied to the policy
  • Spot-check logs (date, area, findings, corrective action, owner)
  • Exception register (who, what, why, approval, review outcome)
  • Evidence of policy communication (intranet post, targeted email, signage where helpful)

If you manage third parties onsite or share space, keep contractual or site-rule artifacts that require them to follow your clear desk/clear screen expectations in your areas.

Common exam/audit questions and hangups

Auditors typically probe these points:

  1. “Show me enforcement.”
    Expect requests for MDM/GPO configuration screens, baseline documents, and proof of rollout coverage for screen lock. (VDA ISA Catalog v6.0)

  2. “What happens in conference rooms and print areas?”
    They will look for a control owner and a routine, not just personal responsibility.

  3. “How do you handle exceptions?”
    A verbal exception is a finding. Keep a register with approvals and reviews. (VDA ISA Catalog v6.0)

  4. “What about remote work?”
    Be ready to show policy applicability plus practical safeguards (screen lock, no sensitive printing unless secured, secure storage guidance).

  5. “Do you test this?”
    Spot checks and corrective actions show the control operates beyond paperwork.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: treating clear desk as “end of day only.”
    Fix: require securing confidential materials whenever a workstation is unattended, not just after hours. (VDA ISA Catalog v6.0)

  • Mistake: screen lock configured but not requiring re-authentication.
    Fix: ensure unlock requires credentials, not a simple swipe or weak mechanism, aligned to your access control standards. (VDA ISA Catalog v6.0)

  • Mistake: no storage or secure disposal near where documents are created.
    Fix: add cabinets/bins where work actually happens, especially around printers and engineering spaces.

  • Mistake: unmanaged shared workstations.
    Fix: include kiosks, lab PCs, and shared terminals in your configuration baselines and spot-checks.

  • Mistake: exceptions become permanent.
    Fix: set approvals with owners and periodic review, and remove exceptions that no longer have a valid operational need. (VDA ISA Catalog v6.0)

Enforcement context and risk implications

No public enforcement cases were provided in the source material for this requirement, so this guidance focuses on auditability and operational risk.

Risk-wise, clear desk and clear screen failures commonly lead to:

  • Confidential engineering or customer information visible to unauthorized individuals
  • Unauthorized access to active sessions on unattended devices
  • Loss or theft of printed material that never enters system logs

The control is low-cost compared to the impact of an information disclosure. The compliance objective is to make exposure unlikely during routine movement through work areas and during after-hours access by authorized facility personnel. (VDA ISA Catalog v6.0)

Practical 30/60/90-day execution plan

First 30 days: establish the standard and close obvious gaps

  • Publish/update the clear desk and clear screen standard with concrete examples and an exception path. (VDA ISA Catalog v6.0)
  • Confirm screen lock configuration exists, is centrally managed where possible, and requires re-authentication. (VDA ISA Catalog v6.0)
  • Walk priority areas (engineering, print stations, conference rooms) to confirm storage and disposal exist; open facilities tickets for gaps.
  • Create a simple spot-check template and assign area owners.

Days 31–60: operationalize and prove it runs

  • Roll out targeted training for high-risk teams; add onboarding language for all staff. (VDA ISA Catalog v6.0)
  • Start spot checks; record findings and corrective actions.
  • Stand up an exception register and migrate any informal exceptions into it. (VDA ISA Catalog v6.0)
  • Add conference room “reset” ownership (admin services, facilities, or the meeting host).

Days 61–90: harden, measure, and prepare for assessment

  • Tune controls based on repeat findings (more bins, signage, coaching, printer workflow changes).
  • Validate screen lock settings across device populations; document coverage evidence.
  • Run a management review: top failure modes, corrective actions, and any unresolved exceptions.
  • Package the evidence set for assessors: policy, config baselines, training records, spot-check logs, exception register. (VDA ISA Catalog v6.0)
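The screen-lock enforcement in step 4, the "configured but not requiring re-authentication" mistake listed above, and the "validate screen lock settings across device populations" item in this plan all reduce to one check that can be scripted. The PowerShell below is an added example written for this guide; it is not part of the VDA ISA catalog and not Daydream's tooling. It reads the policy-backed Windows registry values that Group Policy or MDM write (the machine inactivity limit and the screen-saver policy values), evaluates them against a 900-second threshold that is a placeholder you must replace with your organisation's approved value, and summarises coverage over a constructed set of sample records whose device names and settings are made up.

```powershell
# Added example for this guide (not VDA ISA or Daydream code): audit a Windows device's
# clear-screen configuration and summarise compliance across devices for the audit pack.
# Assumption (placeholder): lock within 900 s of inactivity and require credentials to unlock.
$MaxIdleSeconds = 900

function Get-ClearScreenSettings {
    # Reads the values that Group Policy / MDM write for the relevant policies.
    # A value is $null when the corresponding policy is not configured.
    $machine = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $user    = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        InactivityTimeoutSecs = $machine.InactivityTimeoutSecs   # "Interactive logon: Machine inactivity limit" (seconds; 0 = off)
        ScreenSaveActive      = $user.ScreenSaveActive           # "1" when "Enable screen saver" is enforced
        ScreenSaveTimeOut     = $user.ScreenSaveTimeOut          # "Screen saver timeout" in seconds, stored as a string
        ScreenSaverIsSecure   = $user.ScreenSaverIsSecure        # "1" when "Password protect the screen saver" is enforced
    }
}

function Test-ClearScreenCompliance {
    param(
        [Parameter(Mandatory)] $Settings,
        [int] $MaxIdle = $MaxIdleSeconds
    )
    $reasons = @()

    # Path A: a centrally set machine inactivity limit locks the session and always requires credentials.
    $machineLimit = [int]$Settings.InactivityTimeoutSecs        # $null becomes 0 (= not configured)
    $machineLock  = ($machineLimit -gt 0) -and ($machineLimit -le $MaxIdle)
    if ($machineLimit -gt $MaxIdle) { $reasons += "machine inactivity limit $machineLimit s exceeds $MaxIdle s" }

    # Path B: a policy-managed screen saver counts only if it is on, within threshold, and password protected.
    $saverOn      = $Settings.ScreenSaveActive -eq '1'
    $saverTimeout = [int]$Settings.ScreenSaveTimeOut
    $saverSecure  = $Settings.ScreenSaverIsSecure -eq '1'
    $saverLock    = $saverOn -and $saverSecure -and ($saverTimeout -gt 0) -and ($saverTimeout -le $MaxIdle)
    if ($saverOn -and -not $saverSecure)         { $reasons += 'screen saver does not require re-authentication on unlock' }
    if ($saverOn -and $saverTimeout -gt $MaxIdle) { $reasons += "screen saver timeout $saverTimeout s exceeds $MaxIdle s" }
    if (-not $machineLimit -and -not $saverOn)    { $reasons += 'no policy-managed automatic lock configured' }

    [pscustomobject]@{
        ComputerName = $Settings.ComputerName
        Compliant    = [bool]($machineLock -or $saverLock)
        Reasons      = ($reasons -join '; ')
        CheckedAt    = (Get-Date).ToString('o')
    }
}

function Get-CoverageSummary {
    # Coverage figures for the evidence set: devices checked, devices compliant, and who failed why.
    param([Parameter(Mandatory)] $Results)
    $all    = @($Results)
    $failed = @($all | Where-Object { -not $_.Compliant })
    $pct    = if ($all.Count -gt 0) { [math]::Round(100 * ($all.Count - $failed.Count) / $all.Count, 1) } else { 0 }
    [pscustomobject]@{
        Devices     = $all.Count
        Compliant   = $all.Count - $failed.Count
        CoveragePct = $pct
        Failures    = ($failed | ForEach-Object { "$($_.ComputerName): $($_.Reasons)" }) -join "`n"
    }
}

# Constructed sample records (not real devices) so the evaluation can be seen offline:
$sample = @(
    [pscustomobject]@{ ComputerName='ENG-PC-01'; InactivityTimeoutSecs=600;   ScreenSaveActive=$null; ScreenSaveTimeOut=$null;  ScreenSaverIsSecure=$null } # compliant via machine limit
    [pscustomobject]@{ ComputerName='LAB-PC-02'; InactivityTimeoutSecs=$null; ScreenSaveActive='1';   ScreenSaveTimeOut='3600'; ScreenSaverIsSecure='1'   } # locks, but far too late
    [pscustomobject]@{ ComputerName='KIOSK-03';  InactivityTimeoutSecs=$null; ScreenSaveActive='1';   ScreenSaveTimeOut='300';  ScreenSaverIsSecure='0'   } # locks, but no re-authentication
    [pscustomobject]@{ ComputerName='RCPT-04';   InactivityTimeoutSecs=$null; ScreenSaveActive=$null; ScreenSaveTimeOut=$null;  ScreenSaverIsSecure=$null } # nothing centrally managed
)
$results = $sample | ForEach-Object { Test-ClearScreenCompliance -Settings $_ }
Get-CoverageSummary -Results $results | Format-List

# On a managed device, evaluate the live policy and append the record to the evidence log:
# Test-ClearScreenCompliance -Settings (Get-ClearScreenSettings) | Export-Csv -Path .\clear-screen-evidence.csv -Append -NoTypeInformation
```

Run the live check on each managed device through your management agent or a scheduled task and keep the appended CSV as the coverage evidence for the assessment. Note that KIOSK-03 in the sample fails even though it visibly locks: a screen saver without password protection is the "configured but not requiring re-authentication" gap, and the script reports it as a reason rather than as a pass.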

Where Daydream fits naturally: if you struggle to keep evidence current across sites and teams, Daydream can centralize control ownership, maintain an evidence checklist per requirement, and track exceptions and spot-check results so your audit pack stays continuously ready.

Frequently Asked Questions

Does “clear desk” ban paper entirely?

No. It requires confidential documents to be secured when unattended, not eliminated from use. Focus on lockable storage, secure disposal, and meeting room/print-area routines. (VDA ISA Catalog v6.0)

What counts as “clear screen” in practice?

Automatic screen locking after inactivity plus re-authentication on unlock is the core expectation. Your evidence should show the setting is enforced through a standard configuration, not left to user preference. (VDA ISA Catalog v6.0)

How do we handle teams that need always-on dashboards or lab displays?

Treat them as exceptions: document the business need, restrict location and physical access, and add compensating controls (positioning, access-controlled rooms). Keep an exception register and review it regularly. (VDA ISA Catalog v6.0)

Are conference rooms in scope?

Yes, if confidential information is discussed or displayed there. Assign a clear “room reset” owner and include whiteboard cleaning and handout collection in the routine.

How do we evidence clear desk compliance without turning into a “gotcha” culture?

Use periodic spot checks focused on coaching and trend tracking. Keep logs of findings and corrective actions; escalate only repeat or high-risk behavior.

Do third parties onsite need to follow our clear desk/clear screen rules?

If they work in your areas or handle your confidential information, flow down the requirement through site rules, onboarding, and supervision. Keep records that the rules were communicated and enforced in those spaces. (VDA ISA Catalog v6.0)

