What does control A.3.19 require?

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.

This control sits within the Shared security controls annex (A.3) and addresses a deceptively simple but high-impact risk: PII left visible on desks or screens can be seen, photographed or taken by anyone with physical or visual access to the workspace. Enforcing clear desk and clear screen policies creates a baseline physical security discipline that complements technical access controls.

What does the Annex B implementation guidance say?

Annex B (section B.3.19) provides the following guidance:

  • Minimise hardcopy creation — The organisation should restrict the creation of hardcopy material including PII to the minimum needed to fulfil the identified processing purpose
  • Removable storage media — Clear desk rules should explicitly cover removable media such as USB drives, external hard drives and optical discs that may contain PII
  • Screen locking — Information processing facilities should be configured to lock screens automatically after a defined period of inactivity, and staff should be trained to lock screens manually when leaving their workstation
  • See also A.3.18: Confidentiality or Non-Disclosure Agreements for related requirements

The guidance reinforces a privacy-by-default mindset: if PII does not need to exist in hardcopy form, it should not be created in the first place. Where hardcopy is unavoidable, clear desk rules ensure it is secured when not actively in use.

How does this map to GDPR?

Control A.3.19 maps to the following GDPR article:

  • Article 5(1)(f) — The integrity and confidentiality principle, requiring that personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

Clear desk and clear screen policies are a practical implementation of Article 5(1)(f), preventing casual or opportunistic access to PII in physical and digital workspaces.

For the full GDPR-to-ISO 27701 mapping, see GDPR Compliance Guide.

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was covered by Clause 6.8.2.9 (clear desk and clear screen policy). The 2025 edition retains the core requirements as A.3.19 with the implementation guidance consolidated in B.3.19. The emphasis on minimising hardcopy creation of PII is a notable privacy-specific addition. See the Annex F correspondence table for the full mapping.

What evidence do auditors expect?

When assessing compliance with A.3.19, auditors will typically look for:

  • Clear desk and clear screen policy — A documented policy that defines specific rules for securing papers, removable media and screens when workstations are unattended
  • Automatic screen lock configuration — Evidence that information processing systems are configured to lock after a defined inactivity timeout (typically 5 to 15 minutes)
  • Physical security measures — Lockable drawers, cabinets or secure storage for documents containing PII
  • Staff awareness — Training records showing that personnel understand and have been trained on the clear desk and clear screen requirements
  • Compliance checks — Records of periodic workplace inspections or spot checks to verify adherence to clear desk rules

What are the related controls?

Control                             | Relationship
------------------------------------|-------------------------------------------------------------------------------------
A.3.5 Classification of information | Classification labels indicate which documents must be secured under clear desk rules
A.3.17 Awareness and training       | Staff training should cover clear desk and clear screen obligations
A.3.20 Storage media                | Removable media left on desks are a clear desk violation
A.3.22 User endpoint devices        | Endpoint device policies should include screen lock requirements
A.3.16 Compliance with policies     | Regular compliance checks should include clear desk and clear screen audits

Who does this control apply to?

A.3.19 is a shared control that applies to both PII controllers and PII processors. Any organisation that processes PII in physical or digital workspaces must define and enforce clear desk and clear screen rules. This is particularly important in open-plan offices, shared workspaces, co-working environments and any location where non-authorised individuals may have visual access to screens or documents.

Why choose ISMS.online for clear desk and clear screen compliance?

ISMS.online provides practical tools for implementing and maintaining clear desk and clear screen policies:

  • Policy templates — Pre-built clear desk and clear screen policy templates that you can customise to your organisation’s specific requirements and workspace types
  • Awareness campaigns — Schedule and track staff awareness communications, ensuring all personnel understand their clear desk and clear screen responsibilities
  • Compliance checklists — Create and manage workplace inspection checklists for periodic spot checks, with results logged for audit evidence
  • Training tracking — Record completion of clear desk and clear screen training against individual staff members, with automated reminders for overdue training
  • Incident logging — Log and track clear desk violations as security events, enabling trend analysis and targeted remediation

FAQs

What should a clear desk policy cover?

A clear desk policy should specify that all papers and removable storage media containing PII must be stored in locked drawers or cabinets when not actively in use. It should cover end-of-day procedures, rules for leaving workstations during the day, disposal of confidential waste, and handling of shared printers and photocopiers. The policy should also address visitor access areas where PII documents might be visible.


What is the recommended screen lock timeout?

Most security frameworks recommend an automatic screen lock timeout of between 5 and 15 minutes of inactivity. Organisations processing sensitive categories of PII (such as health data or financial records) may opt for a shorter timeout. The timeout should be enforced centrally via group policy or mobile device management and should not be configurable by end users.
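As an added example (not from the page and not ISMS.online's own tooling), the PowerShell below reads the Group Policy registry values that enforce the Windows screen saver lock and the machine inactivity limit, and reports whether they fall inside the 5 to 15 minute window cited here and in the auditor evidence list above. The 300/900-second bounds and the output field names are assumptions; the registry paths are the standard policy locations for these settings.

```powershell
# Added example: audit centrally enforced screen-lock settings on a Windows endpoint.
# Only the ...\Policies\... hives are read, because those hold Group Policy values that
# end users cannot change (unlike the user-editable HKCU:\Control Panel\Desktop).
# $MinSeconds / $MaxSeconds (assumed) encode the 5-15 minute window cited on the page.
function Test-ScreenLockPolicy {
    param(
        [int]$MinSeconds = 300,
        [int]$MaxSeconds = 900
    )
    $userPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $findings = New-Object System.Collections.Generic.List[string]

    # Read one policy value; return $null when the key or value does not exist
    function Get-PolicyValue($Path, $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # Per-user policy: screen saver on, password required on resume, timeout in range
    $active  = Get-PolicyValue $userPolicy 'ScreenSaveActive'      # REG_SZ "1" = enabled
    $secure  = Get-PolicyValue $userPolicy 'ScreenSaverIsSecure'   # REG_SZ "1" = password protected
    $timeout = Get-PolicyValue $userPolicy 'ScreenSaveTimeOut'     # REG_SZ seconds
    if ($active -ne '1') { $findings.Add('Screen saver not enforced by policy (ScreenSaveActive)') }
    if ($secure -ne '1') { $findings.Add('Screen saver not password protected (ScreenSaverIsSecure)') }
    if ($null -eq $timeout) {
        $findings.Add('No policy-enforced screen saver timeout (ScreenSaveTimeOut)')
    } elseif ([int]$timeout -lt $MinSeconds -or [int]$timeout -gt $MaxSeconds) {
        $findings.Add("ScreenSaveTimeOut is $timeout s, outside the $MinSeconds-$MaxSeconds s window")
    }

    # Machine-wide backstop: 'Interactive logon: Machine inactivity limit' (REG_DWORD seconds)
    $inactivity = Get-PolicyValue $machinePolicy 'InactivityTimeoutSecs'
    if ($null -eq $inactivity -or $inactivity -eq 0) {
        $findings.Add('Machine inactivity limit not set (InactivityTimeoutSecs)')
    } elseif ($inactivity -gt $MaxSeconds) {
        $findings.Add("InactivityTimeoutSecs is $inactivity s, above the $MaxSeconds s maximum")
    }

    # One record per endpoint/user, suitable for Export-Csv as audit evidence
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        UserName              = $env:USERNAME
        ScreenSaveTimeOut     = $timeout
        InactivityTimeoutSecs = $inactivity
        Compliant             = ($findings.Count -eq 0)
        Findings              = ($findings -join '; ')
    }
}

Test-ScreenLockPolicy | Format-List
```

Running it across a fleet (for example via a remoting session or an RMM tool) and exporting the objects gives the periodic compliance-check records auditors ask for.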


How do clear desk rules apply to remote workers?

Clear desk rules apply equally to remote and home workers. Organisations should provide guidance on securing PII documents in home environments, including lockable storage where feasible. Remote workers should be reminded that family members and visitors in the home environment are not authorised to view PII. Screen privacy filters and automatic screen lock settings should be applied to all devices used for remote working.
Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.