ISM-0164 ASD Information Security Manual (ISM)

Prevent Unauthorised Viewing of System Displays

Ensure that unauthorised individuals can't see computer screens or keyboards in secure areas.

Plain language

This control is about making sure that people who aren't supposed to see sensitive information can't sneak a peek at your computer screens or watch you type passwords and other confidential data. If this isn't done, someone could easily gather important information simply by glancing at your screen, potentially leading to data breaches or security incidents.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities.

Why it matters

Shoulder-surfing of workstation screens or keyboards can expose sensitive information and credentials, leading to unauthorised disclosure and compromise.

Operational notes

Conduct routine walk-throughs to spot visible screens/keyboards; reposition monitors away from public sightlines and fit privacy filters in shared or high-traffic areas.

Implementation tips

  • Managers should arrange office furniture so that screens aren't visible from public or unauthorised areas. This might mean moving desks or adding partitions to block the view from windows or doorways where visitors pass by.
  • IT teams should install privacy screens on monitors in areas where the risk of viewing by unauthorised people is high. These screens limit the viewing angle, making it harder to see the display from the side.
  • Facilities management should ensure blinds or curtains are available and used on any windows that could potentially expose screens to people outside the building. During critical or confidential work, blinds should be closed to prevent viewing.
  • All staff should be trained to lock their computers when stepping away from their desk, even for a short time. This can be done through regular reminders and enabling automatic lock settings after periods of inactivity.
  • Security personnel or admins should conduct regular walk-throughs in secure areas to spot risks like visible screens or unauthorised access, and ensure compliance with these practices.

Audit / evidence tips

  • Ask: A floor plan showing desk arrangements
  • Good: Includes dates of installation and maintenance checks
  • Ask: Employees if they consistently lock their screens when away. Good: Is consistent staff awareness and practice of this security habit
  • Good: Observation shows quick adaptability to close or adjust as needed

Cross-framework mappings

How ISM-0164 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (2)

  • Annex A 7.7: ISM-0164 requires preventing unauthorised people from observing system displays and keyboards within facilities
  • Annex A 7.8: ISM-0164 requires preventing unauthorised people from observing workstation displays and keyboards within facilities

Supports (1)

  • Annex A 7.1: Annex A 7.1 requires organisations to define and use physical security perimeters to protect areas containing information and associated ...

Related (4)

  • Annex A 7.2: ISM-0164 requires preventing unauthorised viewing of workstation displays and keyboards inside facilities
  • Annex A 7.3: ISM-0164 requires that unauthorised individuals cannot observe system displays and keyboards within facilities
  • Annex A 7.5: Annex A 7.5 requires organisations to implement protections against physical threats that could compromise information and infrastructure
  • Annex A 7.6: Annex A 7.6 requires security measures to control and protect activities in secure areas, including preventing information exposure durin...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
