ISO 27001 Control 7.7: Clear Desk and Clear Screen Requirements, Implementation, and Audit Guide

A sensitive document left on a desk overnight. An unlocked workstation in a shared office. A password on a sticky note visible to anyone walking past. These are the everyday oversights that ISO 27001 Control 7.7 exists to close — and the gaps that lead to unauthorized information disclosure when left unaddressed. This guide covers what the control requires, how to implement it across your organization and vendor ecosystem, what auditors expect to see, and how 7.7 maps to other major compliance frameworks.

What 7.7 Requires

ISO 27001 Annex A Control 7.7 requires organizations to define and enforce rules for securing sensitive information in physical workspaces and on computer screens. In practical terms, this means every desk must be cleared of sensitive documents, removable storage media, and printed materials when unattended, and every computer screen must be locked when a user steps away.

The scope covers paper documents, USB drives and external storage, whiteboards, printed output at shared printers, and any information displayed on screens. The policy applies during and outside normal working hours, across all environments — office floors, shared coworking spaces, home offices, and any other location where work occurs. This broad scope is intentional: the risk of unauthorized access doesn’t disappear when the office closes or when employees work from home.

The control’s objective is straightforward: prevent opportunistic unauthorized access to information that’s simply left visible or physically accessible. The official ISO/IEC 27001:2022 standard frames this as a preventive control within the physical security domain. If someone who shouldn’t see it can walk up and read it, photograph it, or take it, Control 7.7 hasn’t been met.

Why 7.7 Matters

Consider this scenario: a cleaning crew member working after hours photographs a project plan left on a desk that contains client names, contract values, and launch dates. Or a visitor in a shared office glances at an unlocked screen displaying an employee directory with personal contact details. Neither requires technical skill or sophisticated attack tools — just physical proximity and an unguarded moment.

The risk class is unauthorized information disclosure through physical or visual access. Individually, each incident may seem minor — a single document, a briefly unlocked screen. But across an organization with hundreds of desks and dozens of shared printers, these exposures compound rapidly. A single exposed document can contain login credentials, client personal data, financial projections, or strategic plans that a competitor or malicious insider could exploit.

The numbers back this up. According to the Verizon Data Breach Investigations Report, 30% of all data breaches involve internal actors — and many of those start with information that was simply left in the open. 83% of organizations reported at least one insider attack in 2024, reinforcing that the threat from within the perimeter is real and persistent. Unlike sophisticated cyberattacks that require technical capability, exploiting a clear desk failure requires nothing more than a phone camera and a few seconds of physical access.

What Attackers Exploit

Clear desk and clear screen failures create a predictable set of opportunities that require no technical sophistication to exploit. Social engineers and malicious insiders look for exactly these openings:

  • Exposed documents — Sensitive papers left on desks accessible to visitors, cleaning staff, contractors, or unauthorized personnel
  • Unlocked workstations — Screens left logged in provide direct access to email, applications, file shares, and internal systems
  • Written credentials — Passwords on sticky notes attached to monitors, tucked under keyboards, or pinned to cubicle walls
  • Uncollected print jobs — Printed output sitting in shared printer trays for hours, visible and accessible to anyone
  • Whiteboard residue — Project details, architecture diagrams, or credentials visible through glass walls or left after meetings
  • Unsecured removable media — USB drives and external hard drives left in unlocked drawers or on desk surfaces
  • Visual hacking — Screen content visible through windows to external observers, or readable by passersby in open-plan offices

How to Implement 7.7

Implementation requires addressing two perspectives: what your organization does internally, and what you verify across your supply chain. Both matter for compliance — your security posture is only as strong as the weakest link in your third-party risk management ecosystem. A vendor handling your data with no clear desk policy is a gap in your own compliance posture, even if your internal controls are airtight.

For Your Organization

1. Draft and publish a clear desk and clear screen policy. Define exactly what must be secured (papers, media, screens), when (any time a workspace is unattended), and by whom (all personnel, including contractors and temporary staff). The policy must explicitly cover remote and hybrid workers. For broader implementation guidance, see this ISO 27001 implementation checklist.

2. Configure automatic screen locks. Use Mobile Device Management (MDM) or Group Policy Objects (GPO) to enforce automatic screen locking after 5 minutes of inactivity across all managed devices. Don’t rely on users to lock manually — automate it.

3. Provide lockable storage. Supply lockable cabinets, desk pedestals, or drawers for every workspace where sensitive documents are handled. If people don’t have somewhere to put things, the policy will fail.

4. Implement secure printing. Deploy pull printing (also called PIN-release printing) so print jobs are only released when the user authenticates at the printer. This eliminates the risk of sensitive documents sitting uncollected in output trays.

5. Establish whiteboard protocols. Require whiteboards to be erased after every meeting, and consider using opaque covers or relocating whiteboards away from glass walls in sensitive areas.

6. Deploy privacy filters. Install privacy screens on workstations in high-traffic areas, near windows, or in open-plan offices to prevent visual hacking.

7. Extend to remote workers. Provide home workers with lockable document storage. Include guidance on screen positioning (away from windows and shared household areas) in remote work policies.

8. Provide secure disposal. Place locked shredding bins in accessible locations for secure document destruction. Partner with a certified destruction service for regular collection.

9. Conduct security awareness training. Train all personnel on clear desk responsibilities during onboarding and through regular refreshers — not just once.

10. Perform compliance monitoring spot checks. Conduct periodic unannounced floor walks to verify compliance. Document findings and track corrective actions. These records become audit evidence.
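Step 2 calls for enforcing the lock through GPO or MDM rather than trusting users. The following is an added example, not from the article or UpGuard, that reads the Windows policy registry values those tools write and grades the device against the thresholds this guide uses (≤5 minutes as audit evidence, >10 minutes as a vendor red flag), producing a per-device record of the kind step 10's spot checks need. It assumes a GPO- or MDM-managed Windows device; the function name and threshold parameters are this example's own.

```powershell
# Added example, not from the article: grade Windows auto-lock enforcement against
# the thresholds this guide uses (<= 5 minutes compliant, > 10 minutes a red flag).
# Assumes a GPO- or MDM-managed Windows device, so the Policies registry keys below
# reflect enforced settings rather than user preferences.
function Get-AutoLockCompliance {
    [CmdletBinding()]
    param(
        [int]$CompliantSeconds = 300,   # evidence table: auto-lock <= 5 minutes
        [int]$RedFlagSeconds   = 600    # vendor red flag: timeout > 10 minutes
    )

    # Machine-wide policy: "Interactive logon: Machine inactivity limit" (seconds, DWORD)
    $machinePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $machine = Get-ItemProperty -Path $machinePath -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue

    # Per-user policy: screen saver must be enabled, password-protected, and have a timeout
    $userPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $user = Get-ItemProperty -Path $userPath -ErrorAction SilentlyContinue

    $timeouts = @()
    if ($machine -and [int]$machine.InactivityTimeoutSecs -gt 0) {
        $timeouts += [int]$machine.InactivityTimeoutSecs
    }
    # A screen saver timeout only locks the session when ScreenSaverIsSecure is also set
    if ($user -and $user.ScreenSaveActive -eq '1' -and $user.ScreenSaverIsSecure -eq '1' -and $user.ScreenSaveTimeOut) {
        $timeouts += [int]$user.ScreenSaveTimeOut
    }

    # The shortest enforced timeout wins; no enforced timeout at all is the worst case
    $effective = if ($timeouts.Count -gt 0) { [int]($timeouts | Measure-Object -Minimum).Minimum } else { $null }

    $status = if ($null -eq $effective)                 { 'RedFlag: no enforced auto-lock policy' }
              elseif ($effective -le $CompliantSeconds) { 'Compliant' }
              elseif ($effective -le $RedFlagSeconds)   { 'Weak: exceeds 5 minutes' }
              else                                      { 'RedFlag: exceeds 10 minutes' }

    # One record per device; collect these centrally as spot-check and audit evidence
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MachinePolicySec = $machine.InactivityTimeoutSecs
        UserPolicySec    = $user.ScreenSaveTimeOut
        EffectiveSeconds = $effective
        Status           = $status
        CheckedAt        = (Get-Date).ToString('s')
    }
}

Get-AutoLockCompliance | Format-List
```

Run it across the fleet (for example through the same MDM or remoting channel used to deploy the policy) and export the records to CSV to catch the shared terminals, kiosks, and meeting room displays that the policy often misses.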

Common mistakes to avoid:

  • Writing a policy but never enforcing it through spot checks
  • Configuring screen locks on laptops but forgetting shared terminals, kiosks, or meeting room displays
  • Providing lockable storage but not verifying employees actually use it
  • Ignoring remote and hybrid workers entirely
  • Treating training as a one-time onboarding event rather than ongoing reinforcement

For Your Vendors

When assessing third-party compliance with Control 7.7, include these questions in your vendor risk assessment questionnaires:

  • “Do you have a documented clear desk and clear screen policy?”
  • “What is your screen auto-lock timeout?”
  • “How do you enforce the policy for remote workers?”
  • “How frequently do you conduct compliance spot checks?”

Evidence to request: Copy of the clear desk and clear screen policy, MDM configuration screenshots showing auto-lock settings, records of compliance spot checks with dates and findings, and security awareness training materials with completion records.

Red flags during assessment:

  • No formal written policy
  • Auto-lock timeout exceeding 10 minutes
  • No mention of remote work in the policy
  • No evidence of monitoring or enforcement
  • Policy exists on paper but no spot-check records to prove enforcement

Verification beyond self-attestation: Request photographs or video of physical security controls during on-site audits. Ask for sample spot-check logs with dates and findings. Verify MDM configuration through screen shares or live demonstrations during assessment calls. The goal is to move beyond checkbox compliance — you want evidence that the vendor actively enforces the control, not just that a policy document exists somewhere on a shared drive.

Audit Evidence for 7.7

Auditors expect specific, documented artifacts demonstrating that Control 7.7 is both implemented and actively enforced. A common mistake is focusing only on whether a policy exists — auditors go further, looking for evidence that the policy is communicated, enforced, and monitored on an ongoing basis. If you’re preparing for cybersecurity audits, the table below outlines the key artifacts to prepare.

Evidence Type           | Example Artifact
Policy                  | Clear Desk and Clear Screen Policy defining scope, rules for papers/media/screens, enforcement mechanisms, and applicability to remote work
Technical configuration | MDM or Group Policy screenshots showing auto-lock timeout settings (≤5 minutes)
Training records        | Security awareness training materials covering clear desk responsibilities, plus attendance and completion logs
Compliance monitoring   | Spot-check and floor walk logs with dates, findings, and corrective actions taken
Physical security       | Photographs or inventory of lockable storage provided to personnel
Secure printing         | Pull printing or PIN-release configuration documentation
Disposal records        | Certificates of destruction from a certified secure shredding service provider
Management review       | Meeting minutes showing clear desk compliance trends reported to leadership

Cross-Framework Mapping

If your organization manages compliance across multiple frameworks, you don’t need to implement clear desk and clear screen controls from scratch for each one. Control 7.7 maps directly to controls in several major compliance frameworks, including NIST SP 800-53 Rev. 5 and ISO 27002. This cross-reference helps you consolidate evidence and reduce duplicated compliance effort.

Framework        | Equivalent Control(s)                                      | Coverage
NIST 800-53      | AC-11 (Session Lock)                                       | Full
NIST 800-53      | MP-02 (Media Access)                                       | Full
NIST 800-53      | MP-04 (Media Storage)                                      | Full
NIST 800-53      | PE-05 (Access Control for Output Devices)                  | Full
SOC 2            | CC6.1 (Logical and Physical Access Controls)               | Partial
CIS Controls v8.1 | 4.3 (Configure Automatic Session Locking)                 | Partial
NIST CSF 2.0     | PR.AC (Access Control), PR.PT (Protective Technology)      | Partial

Organizations already compliant with NIST 800-53 AC-11 and MP controls will find significant overlap, reducing the incremental effort for 7.7 implementation. The official NIST OLIR crosswalk provides the authoritative mapping between these frameworks. SOC 2 and CIS Controls v8.1 mappings are partial because those frameworks address the technical aspects (session locking, access controls) but don’t explicitly require the physical clear desk component.

Control 7.7 doesn’t operate in isolation. It connects to several other controls across the physical security domain and beyond. Understanding these relationships helps you implement 7.7 as part of a cohesive security program rather than a standalone checklist item. Physical controls in Domain 7 form a layered defense — perimeter security defines where clear desk rules apply, entry controls determine who could exploit failures, and monitoring provides the enforcement mechanism.

Control ID | Control Name                                              | Relationship
7.1        | Physical Security Perimeters                              | Defines the physical boundaries where clear desk rules apply
7.2        | Physical Entry Controls                                   | Controls who enters areas where sensitive information may be visible
7.3        | Securing Offices, Rooms, and Facilities                   | Broader physical protection of areas containing information assets
7.4        | Physical Security Monitoring                              | Surveillance that can detect clear desk violations
7.8        | Equipment Siting and Protection                           | Positioning equipment to reduce visual exposure risk
7.10       | Storage Media                                             | Lifecycle management of the removable media 7.7 requires you to secure
5.10       | Acceptable Use of Information                             | Defines the behavioral expectations that underpin clear desk compliance
6.3        | Information Security Awareness, Education, and Training   | Delivers the training that makes clear desk policies effective

Frequently Asked Questions

What is ISO 27001 7.7?

ISO 27001 Control 7.7 requires organizations to establish rules for securing sensitive documents, removable storage media, and computer screens when workspaces are unattended. The control covers paper, USB drives, printed output, and screen content, with the goal of preventing unauthorized access through physical or visual means.

What happens if 7.7 is not implemented?

Without Control 7.7, sensitive information is exposed to unauthorized viewing or theft by anyone with physical access to the workspace — visitors, cleaning staff, or other unauthorized personnel. This creates audit non-conformities during ISO 27001 certification and increases the risk of data breaches through physical and visual access channels.

How do you audit 7.7?

Auditors conduct unannounced floor walks to check for exposed documents, unlocked screens, and unsecured media. They review MDM or Group Policy configurations to verify auto-lock settings, examine spot-check records and corrective action logs, and assess the clear desk policy for completeness — including coverage of remote workers.

How UpGuard Helps

Implementing Control 7.7 is ultimately about managing human behavior — the hardest variable in any security program. Clear desk and clear screen compliance depends on managing the human risk factors that no technical control can fully automate. UpGuard User Risk helps organizations continuously monitor and manage the people-driven risks that underpin physical security controls like 7.7 — giving security teams visibility into compliance gaps before auditors find them.
