The basics
ISO 27001 control A.7.7 Clear desk and clear screen requires companies to define rules that protect sensitive information on various media (paper, removable media, etc.), and to prevent unauthorized persons from seeing sensitive information on computer screens.
Documentation
ISO 27001 control A.7.7 Clear desk and clear screen can be documented:
- for smaller companies – through an IT Security Policy
- for mid-sized and larger companies – by writing a Clear Desk and Clear Screen Policy.
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.7.7 Clear desk and clear screen you might implement the following:
- Technology — the technology to enable a clear desk and clear screen may be already available in companies. Small companies can use features in the local computers to turn off screens automatically, while bigger companies can enforce such a corporate policy in a centralized way through specialized software. Companies of all sizes can make use of secure cabinets to implement clear desk policy.
- Organization/processes — you should set up a process for defining criteria on when to apply clear desk and clear screen, and configure clear screen on companies’ devices. You can document those processes through an IT Security Policy or a Clear Desk and Clear Screen Policy.
- People — make employees aware of why a clear desk and clear screen are needed, and train them on how to comply with them.
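The "Technology" item above mentions turning screens off (locking them) automatically on local computers or enforcing this centrally. The following PowerShell script is an added example, not code from the original page or from any ISO 27001 guidance; it audits, and with -Enforce writes, the Windows registry values that Group Policy uses for "Screen saver timeout", "Password protect the screen saver" and "Interactive logon: Machine inactivity limit". The 15-minute threshold is an assumed policy value, not a figure from the page.

```powershell
# Added example: audit (and optionally enforce) the Windows screen-lock settings
# that implement a clear screen rule. The registry paths are the ones backing
# the Group Policy settings named above; the threshold is an assumption.

param(
    [int]$MaxIdleSeconds = 900,   # assumed policy threshold: lock after 15 minutes
    [switch]$Enforce              # without -Enforce the script only reports
)

$UserPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MachinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    # Return a registry value, or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ClearScreenCompliance {
    $active  = Get-RegValue $UserPolicy    'ScreenSaveActive'
    $timeout = Get-RegValue $UserPolicy    'ScreenSaveTimeOut'
    $secure  = Get-RegValue $UserPolicy    'ScreenSaverIsSecure'
    $machine = Get-RegValue $MachinePolicy 'InactivityTimeoutSecs'

    $findings = @()
    if ($active -ne '1') {
        $findings += 'Screen saver is not enforced (ScreenSaveActive != 1)'
    }
    if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
        $findings += "Screen saver timeout missing or above $MaxIdleSeconds s (ScreenSaveTimeOut = '$timeout')"
    }
    if ($secure -ne '1') {
        $findings += 'Screen saver does not require a password on resume (ScreenSaverIsSecure != 1)'
    }
    if (-not $machine -or [int]$machine -gt $MaxIdleSeconds) {
        $findings += "Machine inactivity limit missing or above $MaxIdleSeconds s (InactivityTimeoutSecs = '$machine')"
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Set-ClearScreenPolicy {
    # Create the policy keys if absent, then write the enforced values.
    foreach ($p in @($UserPolicy, $MachinePolicy)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    # The user-side policy values are REG_SZ; the machine inactivity limit is a DWORD.
    Set-ItemProperty -Path $UserPolicy    -Name 'ScreenSaveActive'      -Value '1'                -Type String
    Set-ItemProperty -Path $UserPolicy    -Name 'ScreenSaveTimeOut'     -Value "$MaxIdleSeconds"  -Type String
    Set-ItemProperty -Path $UserPolicy    -Name 'ScreenSaverIsSecure'   -Value '1'                -Type String
    Set-ItemProperty -Path $MachinePolicy -Name 'InactivityTimeoutSecs' -Value $MaxIdleSeconds    -Type DWord
}

$result = Test-ClearScreenCompliance
if ($result.Compliant) {
    Write-Output "Clear screen settings comply (lock within $MaxIdleSeconds s, password required)."
} else {
    $result.Findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Enforce) {
        Set-ClearScreenPolicy
        Write-Output 'Policy values written; re-run without -Enforce to verify.'
    }
}
```

Run it without parameters for a read-only check on a single workstation (the kind of spot audit a small company might do), and with -Enforce from an elevated session to write the values, since the machine-level key is under HKLM. On domain-joined machines the same four settings are better pushed through Group Policy, which is the centralized approach the text refers to; the script then remains useful as an independent check that the policy actually arrived on the endpoint.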
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.7.7 Clear desk and clear screen: whether rules to protect sensitive information on media and on computer screens are defined.