Skip to content

ISO 27001 Annex A 7.7: Protecting Sensitive Information with Clear Desk & Clear Screen Policies

ISO 27001:2022 Annex A 7.7 discusses how organisations can protect and maintain the confidentiality of sensitive information on digital screens and paper by implementing clear desk and clear screen rules.

An employee who leaves their workstation unattended risks unauthorised access, loss of confidentiality, and damage to the sensitive information contained in digital and physical materials.

For instance, malicious parties may exploit the opportunity to steal and misuse sensitive health data if an employee leaves their computer unattended during a lunch break while using a customer relationship management tool.

What Is The Purpose of ISO 27001:2022 Annex A 7.7?

ISO 27001:2022 Annex A 7.7 provides organisations with a method of eliminating and/or mitigating the risks of unauthorised access, use, damage, or loss of sensitive information on employee workstation screens and documents when not present.




ISMS.online gives you an 81% Headstart from the moment you log on

ISO 27001 made easy

We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.




Ownership of ISO 27001:2022 Annex A 7.7

In recognition of Annex 7.7, organisations must adopt and implement an organisation-wide policy concerning clear desks and screens. Information security officers should be responsible for producing, maintaining, and enforcing clear desk and clear screen policies throughout the organisation.

General Guidance on ISO 27001:2022 Annex A 7.7

Annex A 7.7 recommends creating and enforcing a topic-specific policy that outlines rules for clear desks and clear screens.

Furthermore, Annex A 7.7 specifies seven specific requirements that organisations should consider when establishing & enforcing clear desk and clear screen policies:

  • Digital and physical assets containing sensitive or critical information should be locked securely when not in use or when the workstation hosting them is empty. For example, paper records, laptops, and printers should be stored in secure furniture such as drawers or cabinets with locks.
  • Employee-used devices, such as laptops, scanners, printers, and notebooks, should be protected with key locks when not in use or left unattended.
  • Employees should leave their devices logged off when leaving their workspace and leaving them unattended. Reactivating the device should only be possible with user authentication. All endpoint employee devices, such as computers, should have automatic time-out and log-out features.
  • The printer should be designed so that printouts can be collected immediately by the person who printed them (originator). Furthermore, only the originator should be allowed to collect the printouts through a robust authentication mechanism.
  • Material containing sensitive information, including removable media, should be kept secure at all times. Upon no longer needing them, they should be disposed of in a secure manner.
  • It is essential for organisations to create rules for displaying pop-ups on screens and to communicate these rules to all relevant employees. For example, pop-ups (such as email notifications) that contain sensitive information may compromise the confidentiality of sensitive information if displayed during a presentation or in a public space.
  • Whiteboards should be erased when sensitive or critical information is no longer needed.

Supplementary Guidance on Annex A 7.7

ISO 27001 Annex A 7.7 warns organisations about risks arising from vacated facilities. Physical and digital materials previously stored in a facility should be securely removed when an organisation vacates to prevent the loss of sensitive information.

Therefore, Annex A 7.7 stipulates that organisations should establish procedures for the vacation of facilities to ensure that sensitive information assets are disposed of securely. A final sweep may be performed to ensure no sensitive information is left unprotected.




climbing

Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.




What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022 Annex A 7.7 replaces ISO 27001:2013 Annex A 11.2.9 (‘Clear Desk & Screen Policy‘).

There are two noteworthy differences between the ISO 27001:2022 and the ISO 27001:2013 versions:

  • The ISO 27001:2022 version does not include criteria to consider when establishing & implementing clear desk and clear screen policies.

While the 2013 version specifies that organisations should consider organisation-wide information classification levels, legal & contractual requirements, and the types of risks they face when founding a clear desk and clear screen policy.

The ISO 27001:2022 version, however, does not mention these elements. The ISO 27001:2022 standard introduces new and more comprehensive requirements for clear desks and clear screens.

The ISO 27001:2022 version specifies the following requirements that organisations should take into account when establishing clear desk and clear screen policies:

  • Organisations should maintain the confidentiality of sensitive information by creating specific guidelines on pop-up screens.
  • Remove the sensitive information written on a whiteboard if you no longer need it.
  • Computers and other endpoint devices used by employees should be protected with key locks when not in use or unsupervised.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
Organisational Controls Annex A 5.1 Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational Controls Annex A 5.2 Annex A 6.1.1 Information Security Roles and Responsibilities
Organisational Controls Annex A 5.3 Annex A 6.1.2 Segregation of Duties
Organisational Controls Annex A 5.4 Annex A 7.2.1 Management Responsibilities
Organisational Controls Annex A 5.5 Annex A 6.1.3 Contact With Authorities
Organisational Controls Annex A 5.6 Annex A 6.1.4 Contact With Special Interest Groups
Organisational Controls Annex A 5.7 NEW Threat Intelligence
Organisational Controls Annex A 5.8 Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational Controls Annex A 5.9 Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational Controls Annex A 5.10 Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational Controls Annex A 5.11 Annex A 8.1.4 Return of Assets
Organisational Controls Annex A 5.12 Annex A 8.2.1 Classification of Information
Organisational Controls Annex A 5.13 Annex A 8.2.2 Labelling of Information
Organisational Controls Annex A 5.14 Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational Controls Annex A 5.15 Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational Controls Annex A 5.16 Annex A 9.2.1 Identity Management
Organisational Controls Annex A 5.17 Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational Controls Annex A 5.18 Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational Controls Annex A 5.19 Annex A 15.1.1 Information Security in Supplier Relationships
Organisational Controls Annex A 5.20 Annex A 15.1.2 Addressing Information Security Within Supplier Agreements
Organisational Controls Annex A 5.21 Annex A 15.1.3 Managing Information Security in the ICT Supply Chain
Organisational Controls Annex A 5.22 Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational Controls Annex A 5.23 NEW Information Security for Use of Cloud Services
Organisational Controls Annex A 5.24 Annex A 16.1.1 Information Security Incident Management Planning and Preparation
Organisational Controls Annex A 5.25 Annex A 16.1.4 Assessment and Decision on Information Security Events
Organisational Controls Annex A 5.26 Annex A 16.1.5 Response to Information Security Incidents
Organisational Controls Annex A 5.27 Annex A 16.1.6 Learning From Information Security Incidents
Organisational Controls Annex A 5.28 Annex A 16.1.7 Collection of Evidence
Organisational Controls Annex A 5.29 Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational Controls Annex A 5.30 NEW ICT Readiness for Business Continuity
Organisational Controls Annex A 5.31 Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls Annex A 5.32 Annex A 18.1.2 Intellectual Property Rights
Organisational Controls Annex A 5.33 Annex A 18.1.3 Protection of Records
Organisational Controls Annex A 5.34 Annex A 18.1.4 Privacy and Protection of PII
Organisational Controls Annex A 5.35 Annex A 18.2.1 Independent Review of Information Security
Organisational Controls Annex A 5.36 Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational Controls Annex A 5.37 Annex A 12.1.1 Documented Operating Procedures
ISO 27001:2022 People Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
People Controls Annex A 6.1 Annex A 7.1.1 Screening
People Controls Annex A 6.2 Annex A 7.1.2 Terms and Conditions of Employment
People Controls Annex A 6.3 Annex A 7.2.2 Information Security Awareness, Education and Training
People Controls Annex A 6.4 Annex A 7.2.3 Disciplinary Process
People Controls Annex A 6.5 Annex A 7.3.1 Responsibilities After Termination or Change of Employment
People Controls Annex A 6.6 Annex A 13.2.4 Confidentiality or Non-Disclosure Agreements
People Controls Annex A 6.7 Annex A 6.2.2 Remote Working
People Controls Annex A 6.8 Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting
ISO 27001:2022 Physical Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
Physical Controls Annex A 7.1 Annex A 11.1.1 Physical Security Perimeters
Physical Controls Annex A 7.2 Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical Controls Annex A 7.3 Annex A 11.1.3 Securing Offices, Rooms and Facilities
Physical Controls Annex A 7.4 NEW Physical Security Monitoring
Physical Controls Annex A 7.5 Annex A 11.1.4 Protecting Against Physical and Environmental Threats
Physical Controls Annex A 7.6 Annex A 11.1.5 Working In Secure Areas
Physical Controls Annex A 7.7 Annex A 11.2.9 Clear Desk and Clear Screen
Physical Controls Annex A 7.8 Annex A 11.2.1 Equipment Siting and Protection
Physical Controls Annex A 7.9 Annex A 11.2.6 Security of Assets Off-Premises
Physical Controls Annex A 7.10 Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical Controls Annex A 7.11 Annex A 11.2.2 Supporting Utilities
Physical Controls Annex A 7.12 Annex A 11.2.3 Cabling Security
Physical Controls Annex A 7.13 Annex A 11.2.4 Equipment Maintenance
Physical Controls Annex A 7.14 Annex A 11.2.7 Secure Disposal or Re-Use of Equipment
ISO 27001:2022 Technological Controls
Annex A Control Type ISO/IEC 27001:2022 Annex A Identifier ISO/IEC 27001:2013 Annex A Identifier Annex A Name
Technological Controls Annex A 8.1 Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological Controls Annex A 8.2 Annex A 9.2.3 Privileged Access Rights
Technological Controls Annex A 8.3 Annex A 9.4.1 Information Access Restriction
Technological Controls Annex A 8.4 Annex A 9.4.5 Access to Source Code
Technological Controls Annex A 8.5 Annex A 9.4.2 Secure Authentication
Technological Controls Annex A 8.6 Annex A 12.1.3 Capacity Management
Technological Controls Annex A 8.7 Annex A 12.2.1 Protection Against Malware
Technological Controls Annex A 8.8 Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological Controls Annex A 8.9 NEW Configuration Management
Technological Controls Annex A 8.10 NEW Information Deletion
Technological Controls Annex A 8.11 NEW Data Masking
Technological Controls Annex A 8.12 NEW Data Leakage Prevention
Technological Controls Annex A 8.13 Annex A 12.3.1 Information Backup
Technological Controls Annex A 8.14 Annex A 17.2.1 Redundancy of Information Processing Facilities
Technological Controls Annex A 8.15 Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological Controls Annex A 8.16 NEW Monitoring Activities
Technological Controls Annex A 8.17 Annex A 12.4.4 Clock Synchronization
Technological Controls Annex A 8.18 Annex A 9.4.4 Use of Privileged Utility ProgramsAccess Rights
Technological Controls Annex A 8.19 Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological Controls Annex A 8.20 Annex A 13.1.1 Networks Security
Technological Controls Annex A 8.21 Annex A 13.1.2 Security of Network Services
Technological Controls Annex A 8.22 Annex A 13.1.3 Segregation of Networks
Technological Controls Annex A 8.23 NEW Web filtering
Technological Controls Annex A 8.24 Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological Controls Annex A 8.25 Annex A 14.2.1 Secure Development Life Cycle
Technological Controls Annex A 8.26 Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological Controls Annex A 8.27 Annex A 14.2.5 Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents
Technological Controls Annex A 8.28 NEW Secure Coding
Technological Controls Annex A 8.29 Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological Controls Annex A 8.30 Annex A 14.2.7 Outsourced Development
Technological Controls Annex A 8.31 Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological Controls Annex A 8.32 Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological Controls Annex A 8.33 Annex A 14.3.1 Test Information
Technological Controls Annex A 8.34 Annex A 12.7.1 Protection of Information Systems During Audit Testing

How ISMS.online Help

ISO 27001:2022 implementation and compliance is simple with our step-by-step checklist that guides you through the whole process.

Your complete compliance solution for ISO/IEC 27001:2022:

  • Up to 81% progress from the moment you log in.
  • Simple and total compliance solution for ISO 27001:2022.

To schedule a demo, get in touch today.


Mike Jennings

Mike is the Integrated Management System (IMS) Manager here at ISMS.online. In addition to his day-to-day responsibilities of ensuring that the IMS security incident management, threat intelligence, corrective actions, risk assessments and audits are managed effectively and kept up to date, Mike is a certified lead auditor for ISO 27001 and continues to enhance his other skills in information security and privacy management standards and frameworks including Cyber Essentials, ISO 27001 and many more.

ISO 27001:2022 Annex A Controls

Organisational Controls