Annex A 7.7 (ISO/IEC 27001:2022)

Clear desk and clear screen policies

Ensure desks and screens are clear of sensitive info to prevent unauthorized access.


Plain language

This control is like making sure you don't leave important stuff lying around in plain sight, like your diary open on the kitchen table. It matters because if someone sees your private notes, they might misuse that information. Keeping desks and screens clear of sensitive info prevents unauthorised people from seeing or accessing it, protecting your important data and your organisation's reputation.

Framework

ISO/IEC 27001:2022

Control effect

Preventative

ISO 27001 domain

Physical controls

Classifications

N/A

Official last update

24 Oct 2022

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.
Source: ISO/IEC 27001:2022, Annex A 7.7

Why it matters

Sensitive information left visible on desks or screens can be accessed by unauthorised people, causing data leakage, compliance breaches and reputational damage.


Operational notes

Run periodic spot checks and reminders: lock screens when away, clear papers/removable media from desks, and store items in locked cabinets at day end.


Implementation tips

  • The IT manager should implement a clear screen policy by configuring all computers to automatically lock the screen after a short period of inactivity, such as 5 minutes. This can be done through local system settings or, across the network, through group policy. Explain to staff that this keeps confidential information out of sight when they are away from their desks.
  • Human Resources should develop and share clear desk rules with all employees. These rules should encourage employees to tidy their desks before leaving, making sure any papers with sensitive information are locked away securely. This helps protect data from being seen by unauthorised visitors or cleaning staff.
  • Office Managers should ensure that storage solutions like filing cabinets or safes are available and used for keeping important documents or removable media secure. These should have locks, and employees should be reminded to use them, especially at the end of the day or after a meeting, to comply with the Privacy Act 1988.
  • Procurement should choose printers that have secure printing features, like printing only when the user is present to release the document. This reduces the risk of sensitive documents being picked up by others.
  • The board should support training sessions that explain the importance and the simple do's and don'ts of clear desk and screen policies. Encourage employees to regularly clear whiteboards and shared displays of any critical information once meetings conclude.

Audit / evidence tips

  • Ask: The clear desk and clear screen policy document. Good: A detailed policy with examples and a sign-off sheet showing staff have acknowledged it.
  • Ask: Records of staff training on the clear desk and screen policy. Good: A comprehensive training program attended by all staff with regular refreshers.
  • Ask: To see the automatic screen lock settings on company computers. Good: A standardised setup where computers lock after 5 minutes of inactivity.
  • Ask: About procedures for securing printers and related devices. Good: A documented process where only intended users can collect their printouts.
  • Ask: Inspection reports of physical office sweeps after hours. Good: Regular documented checks with results showing no sensitive information left unsecured.
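The implementation tip above asks for a 5-minute automatic screen lock set through group policy, and the evidence tip asks an auditor to see those settings on company computers. The following PowerShell script is an added example, not from this page or from Control Stack or Mindset Cyber. It reads the registry values behind the Windows Group Policy settings "Enable screen saver", "Password protect the screen saver", "Screen saver timeout" (per-user) and "Interactive logon: Machine inactivity limit" (machine-wide), reports whether either route locks the session within the required 300 seconds, and writes the result to a CSV file as audit evidence. The evidence file path and the local-fallback remediation function are assumptions; on domain-joined machines the setting should come from Group Policy so it cannot be changed locally.

```powershell
# Added example (not page or vendor code): audit the Windows screen-lock settings
# that back a clear screen policy against the 5-minute limit named on the page.

$RequiredIdleSeconds = 300   # "5 minutes" from the implementation tip

# Values written by: User Configuration > Administrative Templates >
# Control Panel > Personalization (all three are REG_SZ strings).
$UserPolicyKey    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# Value written by the security option "Interactive logon: Machine inactivity
# limit" (REG_DWORD, seconds; 0 or absent means no limit).
$MachinePolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treat as "not configured"
}

function Test-ClearScreenPolicy {
    param([int]$MaxIdleSeconds = $RequiredIdleSeconds)

    $saverActive  = Get-RegistryValueOrNull $UserPolicyKey    'ScreenSaveActive'
    $saverSecure  = Get-RegistryValueOrNull $UserPolicyKey    'ScreenSaverIsSecure'
    $saverTimeout = Get-RegistryValueOrNull $UserPolicyKey    'ScreenSaveTimeOut'
    $inactivity   = Get-RegistryValueOrNull $MachinePolicyKey 'InactivityTimeoutSecs'

    # Non-numeric or missing values become 0, which fails the "greater than 0" test.
    $timeoutSec    = [int]($saverTimeout -as [int])
    $inactivitySec = [int]($inactivity   -as [int])

    # Route 1: a password-protected screen saver that starts within the limit.
    $saverOk = ($saverActive -eq '1') -and ($saverSecure -eq '1') -and ($timeoutSec -gt 0) -and ($timeoutSec -le $MaxIdleSeconds)
    # Route 2: the machine inactivity limit, which locks the session on its own.
    $inactivityOk = ($inactivitySec -gt 0) -and ($inactivitySec -le $MaxIdleSeconds)

    # One evidence record per machine/user; Compliant is true if either route holds.
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        UserName              = $env:USERNAME
        CheckedAt             = (Get-Date).ToString('s')
        ScreenSaverActive     = $saverActive
        ScreenSaverSecure     = $saverSecure
        ScreenSaverTimeoutSec = $timeoutSec
        InactivityLimitSec    = $inactivitySec
        RequiredLimitSec      = $MaxIdleSeconds
        Compliant             = [bool]($saverOk -or $inactivityOk)
    }
}

function Set-MachineInactivityLimit {
    # Assumed local fallback for machines that receive no Group Policy; needs an
    # elevated session. Prefer setting the same option centrally via GPO.
    param([int]$Seconds = $RequiredIdleSeconds)
    if (-not (Test-Path $MachinePolicyKey)) { New-Item -Path $MachinePolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $MachinePolicyKey -Name 'InactivityTimeoutSecs' -Value $Seconds -Type DWord
}

# Usage: run the check, show it, and append the record to an evidence file
# (the path is a constructed example).
$result = Test-ClearScreenPolicy
$result | Format-List
$result | Export-Csv -Path "$env:TEMP\clear-screen-evidence.csv" -Append -NoTypeInformation
if (-not $result.Compliant) {
    Write-Warning "Screen lock is not enforced within $RequiredIdleSeconds seconds on $($result.ComputerName)"
}
```

Running the check from a login script or an endpoint management tool and collecting the CSV records gives the "standardised setup" evidence the audit tip describes; a remediation run via `Set-MachineInactivityLimit` should be reserved for stand-alone machines, since a Group Policy refresh will overwrite any local value on managed ones.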

Cross-framework mappings

How Annex A 7.7 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ASD ISM

Partially overlaps (10):
  • ISM-0161: requires IT equipment and media to be secured when not in use, with an emphasis on preventing unauthorised access to physical as...
  • ISM-0164: requires preventing unauthorised people from observing system displays and keyboards within facilities
  • ISM-0831: requires media to be handled in a manner appropriate to its sensitivity or classification
  • ISM-0853: requires user sessions to be terminated after inactivity and systems to be restarted daily outside business hours
  • ISM-0866: requires that sensitive or classified data is not viewed on mobile devices in public locations unless steps are taken to reduce ...
  • ISM-0870: requires mobile devices to be carried or stored in a secured state when not being actively used to reduce the risk of unauthoris...
  • ISM-1076: requires televisions and computer monitors with minor burn-in or image persistence to be sanitised by displaying a solid white i...
  • ISM-1145: requires privacy filters on SECRET and TOP SECRET mobile device screens to reduce the risk of unauthorised viewing
  • ISM-1359: requires an organisation to establish and maintain a removable media usage policy covering safe handling and use of removable st...
  • ISM-2012: Annex A 7.7 requires organisations to define and enforce clear screen rules (and clear desk rules) to prevent unauthorised access to info...

Supports (2):
  • ISM-1299: advises personnel on practical precautions for secure mobile device use, including never leaving devices or removable media unat...
  • ISM-1888: Annex A 7.7 mandates clear screen policies to ensure unattended information processing facilities do not display sensitive information

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.


Want to implement this control?

Mindset Cyber runs PECB-accredited ISO/IEC 27001 training that maps directly to the controls in this library.
