Ensure Secure Screen Locking on Systems
Systems must lock screens after 15 minutes of inactivity, requiring full re-authentication to unlock without allowing the lock to be disabled.
Plain language
This control ensures that if someone leaves their computer unattended, it automatically locks itself after 15 minutes to prevent unauthorised people from accessing sensitive information. It’s like having a lock on a door; if it doesn't lock, a stranger could walk in and see private information or even cause harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Systems are configured with a screen lock that:
- activates after a maximum of 15 minutes of user inactivity, or when manually activated by users
- conceals all content on the screen
- ensures that the screen does not enter a power saving state before the screen lock is activated
- requires users to re-authenticate using all authentication factors to unlock the system
- denies users the ability to disable the screen locking mechanism.
Why it matters
Without automatic screen locking, unattended systems can be easily accessed by unauthorised users, risking data breaches and loss of sensitive information.
Operational notes
Verify screen locks trigger within 15 minutes, conceal content, require full re-authentication, and cannot be disabled by users.
Implementation tips
- System administrators should configure all computers to automatically lock the screen after 15 minutes of inactivity. This can be done by accessing the computer settings and enabling the screen lock function to activate after the set period of inactivity.
- Managers should educate employees about the importance of manually locking their screens when leaving their desks. This can be done by including screen locking protocols in regular staff meetings and ensuring new hires are introduced to this practice during induction.
- The IT team should ensure that the screen lock shows a blank or generic screen, not leaving any sensitive information visible. This involves setting up the appearance of the locked screen in system settings to ensure it does not display any open applications or documents.
- System owners should verify that all authentication factors are needed when unlocking a screen after it locks. This might involve setting up multi-factor authentication, requiring a password, and possibly a second factor like a phone notification to unlock the screen.
- IT support should disable any options that would allow users to turn off or alter the screen locking function. This requires going into system policies and ensuring these options are greyed out or locked from user access.
Audit / evidence tips
- Ask: the screen lock configuration report for a random sample of devices. Request records showing the settings used for automatic screen locks on these devices. Good: configurations showing '15-minute auto-lock' actively applied on all devices.
- Ask: to see the security awareness training materials related to screen locking. Request documentation or slides from the employee training sessions. Good: materials clearly referencing screen lock protocols and benefits, dated within the last year.
- Ask: the policy document governing screen lock setup. Request the document that outlines screen locking requirements and procedures. Good: a thorough policy document indicating non-modifiable screen lock settings.
- Ask: a demonstration of the screen unlocking process. Observe as a user unlocks their workstation after it auto-locks. Good: the system demands a password and a secondary verification step before access is granted.
- Ask: the system audit logs concerning screen lock compliance monitoring. Request recent logs showing compliance checks for the screen lock setup. Good: logs clearly documenting routine compliance checks with results confirming all systems meet the control.
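The per-device checks behind the implementation tips and the "screen lock configuration report" in the audit tips, as an added PowerShell audit script that is not part of the ISM or of the Control Stack page: it reads the standard Group Policy registry values for the machine inactivity limit and the screen saver, and the active power scheme's display timeout, and reports any deviation from the control's requirements. It assumes a Windows workstation whose settings are delivered by Group Policy; the 900-second threshold is the control's 15 minutes.

```powershell
# Added audit script, not part of the ISM or Control Stack page. Checks a Windows
# workstation against ISM-2012 using the standard Group Policy registry values and the
# active power scheme, and prints a per-device pass/fail report. Run as the logged-on
# user in an elevated PowerShell session.

$MaxIdleSeconds = 900   # ISM-2012 maximum: 15 minutes
$findings = [System.Collections.Generic.List[string]]::new()

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the policy value has not been set at all
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Lock after at most 15 minutes, and users cannot disable it: the machine inactivity
# limit lives under HKLM, so it cannot be altered from per-user settings.
$inactivity = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
if (-not $inactivity -or [int]$inactivity -gt $MaxIdleSeconds) {
    $findings.Add("Machine inactivity limit missing, 0 or above $MaxIdleSeconds s (value: '$inactivity')")
}

# Screen saver policy for the current user: enforced, password on resume, timeout within
# the limit, and the Screen Saver settings page removed so users cannot change or turn it off.
$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
if ((Get-PolicyValue $desktop 'ScreenSaveActive') -ne '1')    { $findings.Add('Screen saver not enforced by policy (ScreenSaveActive)') }
if ((Get-PolicyValue $desktop 'ScreenSaverIsSecure') -ne '1') { $findings.Add('Unlock does not require re-authentication (ScreenSaverIsSecure)') }
$ssTimeout = Get-PolicyValue $desktop 'ScreenSaveTimeOut'
if (-not $ssTimeout -or [int]$ssTimeout -gt $MaxIdleSeconds) {
    $findings.Add("Screen saver timeout missing or above $MaxIdleSeconds s (value: '$ssTimeout')")
}
if ((Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'NoDispScrSavPage') -ne 1) {
    $findings.Add('Users can still open the Screen Saver settings page (NoDispScrSavPage)')
}

# The display must not enter a power saving state before the lock engages: compare the
# active scheme's display idle timeout (on AC) with the lock timeout; 0 means "never".
$videoIdle = (powercfg /query SCHEME_CURRENT SUB_VIDEO VIDEOIDLE) -join "`n"
if ($videoIdle -match 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)') {
    $displayOff = [Convert]::ToInt32($Matches[1], 16)
    $lockAt = if ($inactivity) { [int]$inactivity } else { $MaxIdleSeconds }
    if ($displayOff -ne 0 -and $displayOff -lt $lockAt) {
        $findings.Add("Display powers off after $displayOff s, before the lock at $lockAt s")
    }
}

# "Conceals all content" and "re-authenticate using all factors" are not registry settings:
# confirm them by observing an unlock, as the audit tips describe.
if ($findings.Count -eq 0) { "$env:COMPUTERNAME : screen lock configuration meets ISM-2012" }
else { "$env:COMPUTERNAME : $($findings.Count) finding(s)"; $findings | ForEach-Object { " - $_" } }
```

Collect the printed line per device and keep the findings list as the evidence an assessor asks for in the first audit tip.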
Cross-framework mappings
How ISM-2012 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 7.7 | ISM-2012 requires systems to automatically lock screens after a maximum of 15 minutes of inactivity (or on manual activation), conceal sc... |
| Partially overlaps | Annex A 8.5 | ISM-2012 requires re-authentication using all authentication factors to unlock a locked screen and prevents users disabling the locking m... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.