Control Definition
The organization must define clear desk rules for papers and removable storage media, and clear screen rules for information processing systems, and must enforce both as appropriate. In practice: sensitive material is locked away when unattended, and screens cannot be read or used by people with no business seeing them.
Control Objective
To reduce the risk of unauthorized access to, loss of, and damage to information sitting on desks, screens, printers, and shared surfaces — during working hours and outside them.
What This Really Means
The cheapest penetration test in existence is walking through an office at 7 p.m. and reading what is left on desks, screens, and printer trays. Clear desk and clear screen is the control that makes that walk boring. It is also the first control your certification auditor starts assessing — silently — on the way from reception to the meeting room.
The control has two halves. Clear desk covers the physical: papers and removable media locked away when you step away and at end of day, printouts collected immediately rather than aging in the tray, whiteboards wiped after meetings, and keys or access cards never left out. Clear screen covers the digital surface: an enforced automatic lock after a defined idle period, the manual-lock habit for the moment you stand up, logging out of sensitive applications when done, and shared or public-facing screens treated with extra care.
Hybrid working raised the stakes. Hot-desking means no desk has an owner, so the rule becomes structural: lockers provided, nothing left overnight, and an end-of-day sweep that belongs to facilities rather than to whoever sat there last. The same principles travel home with remote workers — lockable storage for work papers and screens positioned away from household traffic — though enforcement there runs through the remote-working policy (A.6.7) rather than office walkthroughs.
What auditors treat as the heart of A.7.7 is enforcement evidence, not policy prose. A two-line rule backed by monthly walkthrough records — findings, follow-ups, a screenshot of the MDM lock-timer configuration — beats a beautifully written policy with nothing behind it. This control fails on the floor, never on paper, and auditors assess it on the floor.
Why It Matters
Paper on a desk and an unlocked screen bypass every technical control you own. The DLP suite, the encryption, the access management — none of it applies to a printout of the payroll run lying in an open tray, or a logged-in session left unattended next to a visiting vendor. The exposure population is everyone who walks the floor: visitors, cleaning crews, other tenants in shared buildings, candidates waiting for interviews.
Where clear desk and clear screen discipline is absent, organizations face:
- Opportunistic disclosure – Offer letters, customer lists, and medical or financial paperwork read by whoever happens to pass an empty desk
- Unlocked sessions – Anyone can act as the logged-in user: emails sent, records altered, data exported, all attributed to the victim's account, so the logs point at the wrong person
- Printer-tray leaks – Uncollected printouts are among the most common physical data leaks in office environments, and the least defensible
- Whiteboard residue – Architecture diagrams, credentials, and deal terms photographed by the next meeting's attendees, including external ones
- Audit-day impressions – An unlocked, paper-strewn floor is an instantly visible nonconformity that colors how skeptically the auditor reads everything else
The other half of the business case is cultural: this is the one control every employee touches every day. An organization that cannot keep desks clear reliably signals, to auditors, clients, and its own staff, that its other policies are probably aspirational too.
Regional Compliance Context
Two India-specific patterns make this control heavier than it looks. First, BFSI branch and back-office operations remain intensely paper-based — KYC documents, signed mandates, cheque books — and RBI-regulated entities are expected to protect customer information in physical form with the same seriousness as digital records, which makes clear desk discipline a regulatory posture rather than office tidiness. Second, the IT services and BPO sector regularly inherits client-mandated clean-desk and print-restriction obligations on offshore delivery floors, complete with client audit rights; A.7.7 is where those contractual rules should be operationalized once and evidenced for both audiences.
Implementation Guidance
Write a Short, Specific Policy
Replace "keep your workspace tidy" with testable rules: lock papers and removable media away when leaving your desk for an extended period and at end of day, screens lock automatically after a defined idle time, printouts are collected immediately, whiteboards are wiped after use. State that it applies in offices, at home, and at client sites. One to two pages, either standalone or as a section of the acceptable use policy.
Enforce Screen Locking Centrally
Configure the idle lock through group policy or MDM (Intune, Jamf) so users cannot weaken it. Common practice is a timeout in the 5 to 15 minute range, shorter for high-exposure roles. Enforce the password-on-resume setting as well as the timeout: a screen saver that blanks the display but lets anyone wake the session is not a lock, and it is the most common way this control looks compliant on a walkthrough while protecting nothing. Train the manual-lock reflex for the moment people stand up, and remember shared endpoints: conference room PCs, kiosks, and warehouse terminals are the screens most often forgotten.
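The check a practitioner wants on the exported policy is whether it actually forces a password-protected lock within the ceiling, not merely whether a timeout value is present. The following Python script is an added example for this page, not material from the page or from any vendor: it parses a Group Policy .reg export and reports the shortest idle time after which policy enforces a real lock. The registry value names are the genuine Windows policy values (ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut under the user Desktop policy key, InactivityTimeoutSecs under the machine System policy key); the two sample exports are constructed, and the 15-minute ceiling is an assumption taken from the range above.

```python
"""Check whether a Group Policy registry export enforces a password-protected
idle lock within the clear-screen policy ceiling.

Added example for this page (not the page's own material). The .reg text is
constructed; the value names are the real Windows policy values, and the
15-minute ceiling is assumed from the 5 to 15 minute range in the text.
"""
import re

MAX_IDLE_SECONDS = 15 * 60  # assumed policy ceiling (upper end of the page's range)

# Real policy locations: per-user screen saver policy and the machine-level
# "Interactive logon: Machine inactivity limit" setting.
DESKTOP_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
SYSTEM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample: screen saver starts after 30 minutes but never asks for a
# password, and the machine inactivity limit is not set. Looks "locked" on a
# walkthrough, yet anyone can wake the session.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="1800"
"""

# Constructed sample: password-protected lock at 10 minutes, plus a 15-minute
# machine-level backstop that applies even if the user policy is bypassed.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="1"
"ScreenSaveTimeOut"="600"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"InactivityTimeoutSecs"=dword:00000384
"""


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    REG_SZ values come back as str, REG_DWORD values as int; any other type
    is kept as its raw text. Sufficient for policy exports of this kind.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            keys[current][name] = val[1:-1]
        else:
            keys[current][name] = val
    return keys


def enforced_lock_seconds(keys):
    """Shortest idle time after which policy forces a password-protected lock,
    or None when no mechanism is fully enforced."""
    candidates = []
    desktop = keys.get(DESKTOP_KEY, {})
    timeout = desktop.get("ScreenSaveTimeOut", "")
    # All three user values are needed: active, secure (password on resume),
    # and a positive timeout. Missing any one means the "lock" is not a lock.
    if (desktop.get("ScreenSaveActive") == "1"
            and desktop.get("ScreenSaverIsSecure") == "1"
            and isinstance(timeout, str) and timeout.isdigit() and int(timeout) > 0):
        candidates.append(int(timeout))
    inactivity = keys.get(SYSTEM_KEY, {}).get("InactivityTimeoutSecs")
    if isinstance(inactivity, int) and inactivity > 0:  # 0 means disabled
        candidates.append(inactivity)
    return min(candidates) if candidates else None


def audit(keys, max_idle=MAX_IDLE_SECONDS):
    """Return (compliant, message) suitable for the walkthrough evidence log."""
    secs = enforced_lock_seconds(keys)
    if secs is None:
        return False, "no policy-enforced password lock; users can disable or extend it"
    if secs > max_idle:
        return False, f"lock enforced only after {secs}s (ceiling {max_idle}s)"
    return True, f"lock enforced after {secs}s"


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        ok, msg = audit(parse_reg(export))
        print(f"{label}: {'PASS' if ok else 'FAIL'} - {msg}")
```

Run it against a real export (produced with `reg export` of the two keys on a policy-applied workstation) and keep the output with the configuration screenshot; the weak sample fails precisely because ScreenSaverIsSecure is 0, which is the misconfiguration the text warns about. The same structure transfers to an Intune or Jamf profile export by swapping the parser and the key paths.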
Provide the Means to Comply
People cannot lock things away if nothing locks. Supply lockable pedestals or lockers, shredders or secured shredding bins for paper disposal, and cable locks where equipment must stay out. Budget for this before enforcement begins — writing up employees for failing rules the facilities cannot support is how the policy loses the floor.
Fix Printing
Deploy follow-me or pull printing so jobs release only when the owner badges at the device, with unreleased jobs auto-deleted after a set period. Where that is not feasible, position printers away from visitor paths and add a clear-the-tray rule with periodic checks. Include scanners and fax inboxes — uncollected inbound documents leak just as readily as outbound ones.
Extend the Rules to Shared Spaces
Meeting rooms are where clear desk goes to die: require whiteboards wiped, handouts collected, and room consoles logged out at meeting end, and make it the organizer's responsibility. Keep reception and front-desk areas free of visible documents, and secure internal mail points where envelopes accumulate unattended.
Set Hot-Desking and Remote Rules
For hot-desking floors: nothing left on or in desks overnight, lockers for both personal and work material, and a facilities-owned end-of-day sweep with a quarantine shelf for whatever gets left. For home workers: require lockable storage for work papers, screen privacy when working in public places, and capture it in the remote-working policy under A.6.7 with an annual attestation.
Walk the Floor and Record It
Run periodic walkthroughs — monthly or quarterly is typical, with occasional after-hours sweeps — against a short checklist: desks, screens, printer trays, whiteboards, shred bins. Log findings and follow-ups, route repeat patterns to line managers rather than public naming, and keep the records; this log is the single strongest piece of audit evidence for A.7.7.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.7:
Documentation
- Clear desk and clear screen policy, standalone or as a section of the acceptable use policy
- Walkthrough or sweep records with dates, findings, and follow-up actions
- Screen-lock configuration export from group policy or MDM showing the enforced timeout
- Employee acknowledgment records covering the policy
- Secure-print configuration or clear-tray check records for shared printers
Interviews
- Random employees, probed on what the rules are, what the lock timeout is, and where they lock material away
- Facilities or office manager about who performs walkthroughs and what happens with findings
- IT administrator about how the screen-lock policy is enforced and how exceptions are handled
Observations
- The floor itself — desks, unattended screens, printer trays, and shred bins as found on the audit day
- Meeting rooms checked for whiteboard residue, leftover handouts, and logged-in room consoles
- A live test of an idle workstation locking within the configured time, or a user demonstrating manual lock
Practitioner Insights

This is the control auditors begin assessing before the opening meeting starts — every desk we pass on the way in is data. The implementation mistake I see most is not weak rules but missing evidence: a perfectly good policy and zero records of anyone ever checking it. A ten-minute monthly walkthrough with a six-line checklist and a logged finding or two converts your weakest-looking control into one of your easiest. And if MDM enforces the screen lock, one configuration screenshot covers the entire technical half of the evidence.

The failure pattern that kills this control is the executive exemption. The policy applies to everyone, but the leadership floor is stacked with contracts and printed board packs, and no walkthrough ever goes up there. Staff notice within weeks, and enforcement credibility dies everywhere at once — auditors notice the asymmetry too, because we walk the executive corridor deliberately. Put clear-desk findings in front of management review like any other metric, with leadership areas explicitly in the sample.
Common Challenges & Solutions
Challenge
A policy exists, but there is no evidence anyone has ever enforced or checked it.
Solution
Stand up a recurring walkthrough — monthly or quarterly — with a short checklist and a simple log of findings and follow-ups. Even a modest cadence is defensible if it is recorded and findings visibly get closed. Add the MDM screen-lock configuration export to the evidence folder and the control moves from unprovable to comfortable in one quarter.
Challenge
Employees treat the rules as petty policing and quietly ignore them.
Solution
Sell the why, not the what: explain the actual exposure paths — visitors, cleaning crews, photos in shared buildings — and scope enforcement to sensitive material rather than coffee mugs and family photos. Launch with an amnesty period and supplied lockers before the first recorded walkthrough, and keep findings coaching-oriented rather than disciplinary.
Challenge
Hot-desking means whatever is left behind has no owner, and nobody clears it.
Solution
Make the end-of-day sweep a facilities duty rather than a per-person hope: anything left out goes to a quarantine shelf with a note, and repeat items get traced through bookings. Provide enough lockers that compliance is physically possible, and write the nothing-left-overnight rule into the desk-booking terms everyone accepts.
Challenge
Printouts accumulate at shared printers faster than any rule can clear them.
Solution
Solve it with the printing system, not with discipline: follow-me printing with badge release means uncollected jobs never print at all, and auto-deletion clears the queue after a set period. Where the budget will not stretch, relocate printers off visitor paths, add tray checks to the walkthrough, and watch the volume drop once people know jobs are logged.
Challenge
Home offices cannot be inspected, so the rules feel unenforceable for remote staff.
Solution
Do not pretend to inspect homes — set requirements instead: lockable storage for work papers, enforced screen lock (which MDM already covers regardless of location), and screen privacy in public places. Train the behaviors, collect an annual attestation, and anchor the whole arrangement in the remote-working policy under A.6.7.