ISO 27001 Control 7.7 Clear Desk & Clear Screen

How to Stop Sensitive Information Being Left Lying Around

ISO 27001 Control 7.7 Clear desk and clear screen is one of those controls that feels simple, but quietly does a huge amount of heavy lifting for confidentiality.

You can have encryption, access controls and VPNs in place – but if someone prints a report and abandons it on the printer, or leaves client data open on their laptop in a meeting room, it’s very easy for the wrong person to see it. Control 7.7 asks you to define clear, practical rules for how people handle information at their desks and on their screens, especially when they step away.

This guide explains what ISO 27001 Control 7.7 is really asking for, and how to implement a clear desk and clear screen policy that people can actually follow.


What ISO 27001 Control 7.7 Actually Requires

In plain English, ISO 27001 Control 7.7 – Clear desk and clear screen expects you to:

  • Make sure sensitive information isn’t left out on desks, printers, whiteboards or unattended screens.
  • Ensure devices are locked or logged off when not in use.
  • Provide secure storage and disposal for papers and removable media.
  • Define simple, consistent rules for how people work at their desks and in shared spaces.
  • Raise awareness and check that those rules are actually being followed.

It’s a preventive control, focused mainly on confidentiality, that applies across:

  • Office-based staff
  • Hybrid and hot-desking environments
  • Shared spaces like meeting rooms, collaboration areas and print rooms

The idea is to make casual or opportunistic access to information harder – whether that’s by an external visitor, a cleaner, a contractor, or even another member of staff who shouldn’t see specific data.


Step 1 – Define What “Clear Desk and Clear Screen” Means for You

Before you write rules, decide what a “clear desk” and “clear screen” actually look like in your organisation.

For ISO 27001 Control 7.7, think about:

  • What counts as sensitive information
    – Client lists, personal data, financials, HR files, access credentials, designs, strategy documents, incident reports, etc.
    – Anything classified above “public” or “internal” under your information classification scheme.
  • Where information typically appears
    – Printed documents, sticky notes, notebooks, whiteboards, flipcharts.
    – Screens, pop-ups, notifications, dashboards, shared displays.
    – USB sticks, external drives, backup media.

You can then decide:

  • Which items must be locked away when not in use.
  • Which must never be left unattended, even briefly.
  • Where screens must be locked or configured with privacy measures (e.g. reception, hot desks, open-plan areas).

Spell this out clearly in your Clear Desk and Clear Screen Policy, so there’s no ambiguity.


Step 2 – Secure Sensitive Information When It’s Not Being Used

The core of ISO 27001 Control 7.7 is simple: if you’re not actively using sensitive information, it shouldn’t be lying around.

Practical measures:

  • Lock it away
    – Use lockable drawers, cabinets, safes or secure rooms.
    – Issue keys/access to people who need them and keep a basic record of who has what.
  • Tidy desks before leaving
    – At the end of the day, desks should be clear of sensitive documents and media.
    – For some roles (e.g. HR, finance), you may want this rule to apply even when they leave their desks for shorter periods.
  • Control removable media
    – Don’t leave USB sticks, external drives or memory cards on the desk or plugged into devices.
    – Store them in secure locations when not actively in use.

A good rule of thumb for ISO 27001 Control 7.7:

If you walked past an empty desk, you shouldn’t be able to tell anything sensitive about the organisation or its customers.


Step 3 – Enforce Clear Screen Behaviour and Device Locking

Clear screens are just as important as clear desks.

For ISO 27001 Control 7.7, you should:

  • Require people to lock their screens
    – When leaving their desk, even for a short time.
    – Make this a standard behavioural expectation (“screen lock as reflex”).
  • Use automatic timeouts
    – Configure devices to lock automatically after a short period of inactivity (e.g. 5–15 minutes, based on risk).
    – Apply this to laptops, desktops, and – where feasible – other devices that display sensitive information.
  • Secure endpoints physically
    – Use cable locks, docking stations in shared areas, or lockable storage for laptops when left overnight.
    – In higher-risk environments, add port control or limits on what can be plugged in.
  • Manage what appears on screens
    – Turn off or restrict pop-up notifications (email, messaging, CRM alerts) on shared screens or when presenting.
    – Ensure meeting room PCs and shared displays don’t show mailbox notifications or other sensitive content by default.

Clear screen behaviour is one of the easiest aspects of ISO 27001 Control 7.7 for an auditor to test – they will often glance at workstations as they walk around.
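The automatic timeout above is the one part of this step you can verify from the device itself. As an added example (not from the original article), this PowerShell check reads the standard Windows policy and screen-saver locations and reports whether an endpoint locks within the 5–15 minute range suggested; the `$MaxMinutes` parameter is an assumed value to set from your own risk assessment.

```powershell
# Added example: audit a Windows endpoint's automatic lock settings.
# Assumes it runs in the context of the user being checked, with read
# access to HKLM and HKCU. $MaxMinutes is an assumed, risk-based value.
param(
    [int]$MaxMinutes = 15   # choose from the 5-15 minute range based on risk
)

$maxSeconds = $MaxMinutes * 60
$findings = @()

# 1. Machine-wide policy: "Interactive logon: Machine inactivity limit"
$sysPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$limit = (Get-ItemProperty -Path $sysPath -Name 'InactivityTimeoutSecs' `
          -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if ($null -eq $limit -or $limit -eq 0) {
    $findings += "Machine inactivity limit is not set (no policy-enforced auto lock)."
} elseif ($limit -gt $maxSeconds) {
    $findings += "Machine inactivity limit is $limit s, above the $maxSeconds s threshold."
}

# 2. Current user's screen saver: enabled, password on resume, within the timeout
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desk.ScreenSaveActive -ne '1')    { $findings += "Screen saver is disabled for the current user." }
if ($desk.ScreenSaverIsSecure -ne '1') { $findings += "Screen saver does not require a password on resume." }
$ssTimeout = [int]($desk.ScreenSaveTimeOut)   # stored as a string of seconds; null becomes 0
if ($ssTimeout -le 0 -or $ssTimeout -gt $maxSeconds) {
    $findings += "Screen saver timeout is $ssTimeout s (expected 1-$maxSeconds s)."
}

# 3. Simple pass/fail output a control owner can keep as audit evidence
if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME locks automatically within $MaxMinutes minutes."
} else {
    Write-Output "FAIL: $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A FAIL here is a finding for the auditor walk-round in this step; the fix is to set the inactivity limit or screen-saver policy centrally rather than per machine.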


Step 4 – Control Printing, Scanning and Other Outputs

Printers and multi-function devices are classic failure points for clear desk and clear screen.

For ISO 27001 Control 7.7, put controls around:

  • Collecting printouts
    – Require users to collect printed documents immediately.
    – Avoid “print and forget” behaviour by making it part of training and local reminders.
  • Secure printing features
    – Use pull-print or PIN/proximity card release where possible, so documents only print when the user is at the device.
    – This is especially useful in shared offices and open-plan environments.
  • Printed waste and misprints
    – Provide confidential waste bins or shredders near print devices.
    – Make sure people know misprints shouldn’t go in normal recycling.
  • Scanning and copying
    – Treat scanners and multi-function devices like any other system that processes sensitive data.
    – Clear cached images where relevant and ensure access is restricted to authorised users.

Uncollected printouts and abandoned output are very visible weaknesses, so getting this right goes a long way towards satisfying ISO 27001 Control 7.7.


Step 5 – Make Secure Storage and Disposal the Default

A clear desk and clear screen policy only works if there are obvious, easy ways for people to do the right thing.

To support ISO 27001 Control 7.7:

  • Provide enough secure storage
    – Lockable cabinets, drawers, and cupboards where people can quickly file documents away.
    – Shared secure storage in hot-desking environments.
  • Make secure disposal easy
    – Shredders, locked confidential waste bins, and clear guidance on what goes where.
    – Secure deletion or data wiping processes for removable media and devices (linked to your storage media and disposal controls).
  • Tackle visual information too
    – Erase whiteboards and flipcharts containing sensitive content once sessions are finished.
    – Don’t leave diagrams or credentials on sticky notes near screens or in meeting rooms.

If secure options are obvious and convenient, you’ll get much better adoption of your ISO 27001 Control 7.7 rules.


Step 6 – Build Clear Desk and Clear Screen into Everyday Routines

ISO 27001 Control 7.7 works best when it’s treated as normal working practice, not an occasional tidy-up exercise.

Ideas that help:

  • End-of-day checks
    – Encourage teams to do a quick sweep of desks and shared spaces before leaving.
    – In higher-risk areas, you might have a nominated person or supervisor responsible for a final check.
  • “Last one out” sweeps
    – Whoever is last to leave a floor or office does a quick visual check for:
      • Documents left on desks or printers
      • Screens left unlocked or logged in
      • Whiteboards or flipcharts with sensitive content
  • Move-in / move-out routines
    – When people move desks or vacate a space, add a check for any documents left in drawers, cabinets or behind furniture.

These routines give you practical evidence that ISO 27001 Control 7.7 is being applied consistently across the workplace.


Step 7 – Communicate, Train and Audit

Finally, a clear desk and clear screen policy only works if people know about it, understand it and see that it matters.

For ISO 27001 Control 7.7:

  • Publish a topic-specific policy
    – Short, practical, and written in plain English.
    – Include simple do/don’t examples, photos or diagrams if helpful.
  • Include in induction and refresher training
    – Explain why it’s important – not just “because ISO says so”, but in terms of protecting customers, colleagues and the organisation.
    – Use real-world scenarios (e.g. “A visitor walks past an empty desk and sees…”).
  • Reinforce with reminders
    – Occasional posters, intranet reminders, or short messages during awareness campaigns.
    – Local champions or team leads modelling good behaviour.
  • Audit and feedback
    – Include clear desk and clear screen in internal audits and informal walk-throughs.
    – Give constructive feedback to teams where issues are found – and recognise good practice too.

Auditors love to see that Control 7.7 isn’t just written down but is part of the organisation’s culture.


Quick Implementation Checklist for ISO 27001 Control 7.7

Use this checklist to gauge your implementation:

  • ISO 27001 Control 7.7 (Clear desk and clear screen) is covered in a specific policy or procedure.
  • You’ve defined what “clear desk” and “clear screen” mean for your organisation and which information is in scope.
  • Sensitive documents and removable media are locked away when not in use.
  • Users are required – and trained – to lock screens when leaving their workstation.
  • Devices are configured with automatic screen lock / timeout appropriate to risk.
  • Printing is controlled (e.g. secure print release; prompt collection; confidential waste for misprints).
  • Whiteboards, flipcharts and other visual aids are cleared of sensitive information after use.
  • There is sufficient secure storage and disposal capacity (cabinets, safes, shredders, confidential bins).
  • End-of-day or “last one out” checks are carried out in key areas.
  • Clear desk and clear screen expectations are part of training, awareness and internal audits.

Bringing It All Together

ISO 27001 Control 7.7 – Clear desk and clear screen – is one of the simplest controls to understand, and one of the most visible to anyone walking around your organisation.

If you:

  • Define what good looks like,
  • Make it easy for people to secure information and devices, and
  • Reinforce the behaviour through training, reminders and checks,

you’ll significantly reduce the chance of sensitive information being seen or taken by the wrong person – and you’ll be able to show an auditor that your clear desk and clear screen policy is genuinely embedded in day-to-day working, not just written down in a document.