Clear desk and clear screen policy and what it means for ISO 27001

Updated: December 05, 2022, according to the ISO 27001:2022 revision.

Imagine this scene: an employee at his desk, in an open-plan office, is reviewing some data on his notebook to prepare a report about the last quarter's financial results. He receives a telephone call from his boss about a quick last-minute meeting, or simply goes on a break to drink coffee, and leaves his desk.

This situation is more common than you might imagine, and it can represent a significant information security risk: without proper measures, all the information and assets the employee left on the desk can be accessed, seen, or taken by an unauthorized person. And if an information system is left logged on, anyone who has access to the desk can perform activities in the name of the absent employee.

ISO 27001, a popular information security framework, and ISO 27002, a detailed code of practice, provide good guidance on how to handle such risks by means of the security control A.7.7 – Clear desk and clear screen. Let’s take a closer look at it.

ISO 27001 clear desk and clear screen – Best practices
  • Use of locked areas
  • Protection of devices and information systems
  • Restriction on use of copy and printing technology
  • Adoption of a paperless culture
  • Disposal of information remaining in meeting rooms


What are the clear desk and clear screen all about?

So, what are clear screen and clear desk all about? Clear desk and clear screen refer to practices that ensure sensitive information, in both digital and physical formats, and assets (e.g., notebooks, cellphones, tablets, information systems, etc.) are not left unprotected in personal and shared workspaces when they are not in use, or when someone leaves their workstation, either for a short time or at the end of the day.

Why are the clear desk policy and clear screen policy important?

The clear desk policy and clear screen policy are instruments that explain to employees and other people how to handle the organization's information and assets.

They are guidelines on how to properly handle information and other material kept in the workspace.

What does a clear desk and clear screen policy compliant with ISO 27001 require?

Compliance with ISO 27001 Control A.7.7 – clear desk and clear screen requires pretty low-tech actions:

  • assets must be locked away when not required
  • computers and terminals must be left logged off or protected with a screen locking mechanism, or similar, when unattended or not in use
  • photocopiers and similar may be used only when authorized
  • media must be removed from printers immediately

These actions must be applied to information considering:

  • the level of information (e.g., sensitive or confidential) that would require secure handling
  • legal and contractual requirements that demand information protection
  • identified organizational risks
  • cultural aspects
  • measures that should be adopted to secure desks, devices, and media (as seen in the previous section)

How to implement a clear desk and clear screen policy

In a practical sense, to implement a clear desk policy and clear screen policy you should consider:


Use of locked areas: lockable drawers, archive cabinets, safes, and file rooms should be available to store information media (e.g., paper documents, USB flash drives, memory cards, etc.) or easily transportable devices (e.g., cellphones, tablets, and notebooks) when not required, or when there is no one to take care of them.

Protection of devices and information systems: computers and similar devices should be positioned so that people passing by cannot see their screens, and configured with time-activated screen savers and password protection to minimize the chance that someone takes advantage of unattended equipment. Additionally, information systems should be logged off when not in use. At the end of the day the devices should be shut down, especially those that are network-connected (the less time a device is on, the less time there is for someone to try to access it).

Restriction on use of copy and printing technology: the use of printers, photocopiers, scanners, and cameras, for example, should be controlled, either by reducing their quantity (the fewer units available, the fewer potential data leak points) or by using release codes so that only authorized persons can access the material sent to them. And any information sent to printers should be retrieved as soon as practicable.

Adoption of a paperless culture: documents should not be printed unnecessarily, and sticky notes should not be left on monitors or under keyboards. Remember, even little pieces of information may be sufficient for wrongdoers to discover aspects of your life, or of the organization’s processes, that can help them compromise information.

Disposal of information remaining in meeting rooms: all information on whiteboards should be erased, and all pieces of paper used during a meeting should be subject to proper disposal (e.g., by using a shredder).

Besides that, an organization should also consider periodic:

  • training and awareness events to communicate the policy to employees and other people involved. Good examples are posters, email alerts, reminders in email signatures, newsletters, etc.
  • evaluations of the employees’ compliance with the policy practices (say, twice a year), by including this policy in internal audits, or simply by looking around the workstations at random to see if the policy is being followed.

What is a clean desk audit? It is a systematic way to evaluate if planned rules and physical and technological measures are implemented and being followed by employees.
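The clear screen part of such an audit can be partly automated. The following PowerShell script is an added example (not from this article, and not an Advisera or Conformio tool) that reads a Windows workstation's screen saver and inactivity settings from the registry and reports whether they meet an assumed policy threshold: the screen must lock within 10 minutes of inactivity and require a password on resume. The threshold, the `Test-ClearScreen` function name and the compliant/non-compliant output format are this example's own choices; the registry paths and value names are the standard Windows locations for these settings.

```powershell
# Added example, not part of the article: audit one Windows workstation's
# clear-screen settings against an assumed policy threshold.
$MaxIdleSeconds = 600   # assumed policy value: lock within 10 minutes of inactivity

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treat as "not configured"
}

function Get-EffectiveDesktopSetting {
    # A Group Policy value (Policies key) overrides the user's own Control Panel choice,
    # so the policy key is consulted first and the user key only as a fallback.
    param([string]$Name)
    $v = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' $Name
    if ($null -eq $v) { $v = Get-RegValue 'HKCU:\Control Panel\Desktop' $Name }
    return $v
}

function Test-ClearScreen {
    param([int]$MaxIdle)
    $active  = Get-EffectiveDesktopSetting 'ScreenSaveActive'     # "1" = screen saver on
    $secure  = Get-EffectiveDesktopSetting 'ScreenSaverIsSecure'  # "1" = password on resume
    $timeout = Get-EffectiveDesktopSetting 'ScreenSaveTimeOut'    # seconds of idle time
    # Machine-wide limit set by "Interactive logon: Machine inactivity limit", if configured.
    $machine = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

    # Values are stored as strings; an absent or unparsable value becomes 0 (= not configured).
    $timeoutSec = 0; [void][int]::TryParse([string]$timeout, [ref]$timeoutSec)
    $machineSec = 0; [void][int]::TryParse([string]$machine, [ref]$machineSec)

    $issues = @()
    if ($active -ne '1') { $issues += 'screen saver not enabled' }
    if ($secure -ne '1') { $issues += 'no password required on resume' }
    if ($timeoutSec -le 0 -or $timeoutSec -gt $MaxIdle) {
        $issues += "screen saver timeout is $timeoutSec s (limit $MaxIdle s)"
    }
    # The machine inactivity limit locks the session on its own, so it also satisfies the intent.
    $machineOk = ($machineSec -gt 0 -and $machineSec -le $MaxIdle)

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        User                   = $env:USERNAME
        Compliant              = ($issues.Count -eq 0) -or $machineOk
        Issues                 = if ($issues.Count -eq 0) { 'none' } else { $issues -join '; ' }
        MachineInactivityLimit = if ($machineSec -gt 0) { "$machineSec s" } else { 'not configured' }
    }
}

Test-ClearScreen -MaxIdle $MaxIdleSeconds | Format-List
```

Run it in the context of the user being audited (the HKCU settings are per user); the resulting object can be exported with Export-Csv and attached to the audit record alongside the physical walk-around findings. It checks configuration only: whether the employee actually locks the screen before walking away, as the policy requires, is still verified by observation.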

Do not be a victim of prying eyes and unauthorized access

A lack of care with a workspace can lead to compromised personal or organizational information. Passwords, financial data, and sensitive emails can be disclosed, impacting privacy or a competitive edge. A lost document containing information about a contract/proposal due date can cause a tender to be lost and a decrease in the expected revenue.

Whether due to accidents, human error, or malicious actions, these negative results can be avoided by adopting and auditing the accessible, low-tech measures of a clear desk and clear screen policy. So, do not wait for these situations to occur before taking action. In this case, the solution’s cost would hardly be an excuse not to act preventively.

To learn how to comply with ISO 27001, while also implementing privacy and cybersecurity controls, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Author: Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.