ISO 27002:2022, Control 7.7 – Clear Desk and Clear Screen

ISO 27002:2022 Revised Controls

Book a demo

close,up,on,hands,of,diverce,group,of,students,sitting

When an employee leaves his/her workstation unattended, sensitive information contained in digital and physical materials on his workspace will be exposed to a heightened risk of unauthorised access, loss of confidentiality, and damage.

For instance, if an employee uses a customer relationship management tool that processes health records and leaves his/her computer unattended during a lunch break, malicious parties may capitalise on this opportunity to steal and misuse sensitive health data.

Control 7.7 addresses how organisations can design and enforce clear desk and clear screen rules to protect and maintain the confidentiality of sensitive information on digital screens and on papers.

Purpose on Control 7.7

Control 7.7 enables organisations to eliminate and/or mitigate the risks of unauthorised access, use, damage, or loss of sensitive information on screens and on papers located in employee workstations when employees are not present.

Attributes Table

Control 7.7 is a preventive type of control that requires organisations to maintain the confidentiality of information assets by describing and enforcing clear desk and clear screen rules.

Control Type Information Security PropertiesCybersecurity ConceptsOperational CapabilitiesSecurity Domains
#Preventive#Confidentiality#Protect#Physical Security#Protection
Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

Ownership of Control 7.7

Considering that Control 7.7 requires organisations to adopt and implement an organisation-wide clear desk and clear screen policy, information security officers should be responsible for production, maintenance and enforcement of clear desk and clear screen rules that apply across the entire organisation.

General Guidance on Compliance

Control 7.7 highlights that organisations should create and enforce a topic-specific policy that sets out clear desk and clear screen rules.

Furthermore, Control 7.7 lists seven specific requirements that organisations should take into account when establishing and enforcing clear desk and clear screen rules:

  1. Sensitive or critical information assets stored on digital or physical items should be locked securely when they are not in use or when the workstation hosting those materials is vacated. For example, items such as paper records, computers, and printers should be stored in secure furniture such as a locked or password-protected cabinet or drawer.
  2. Devices used by employees such as computers, scanners, printers, and notebooks should be protected via security mechanisms such as key locks when they are not used or when they are left unattended.
  3. When employees vacate their workspace and leave their devices unattended, they should leave their devices logged off and the reactivation of the device should be only via a user authentication mechanism. Furthermore, automatic time-out and log-out features should be installed on all end-point employee devices such as computers.
  4. Printers should be designed in a way that print-outs are collected immediately by the person(originator) who printed the document. Furthermore, a strong authentication mechanism should be in place so that only the originator is allowed to collect the printout.
  5. Physical materials and removable storage media containing sensitive information should be kept secure at all times. When they are no longer needed, they should be disposed of through a secure mechanism.
  6. Organisations should create rules for the display of pop-ups on screens and these rules should be communicated to all relevant employees. For example, e-mail and messaging pop-ups can contain sensitive information and if they are displayed on the screen during a presentation or in a public space, this may compromise the confidentiality of sensitive information.
  7. Sensitive or critical information displayed on whiteboards should be erased when they are no longer needed.

Supplementary Guidance – Control 7.7

Control 7.7 cautions organisations against risks arising out of vacated facilities. When an organisation vacates a facility, physical and digital materials previously stored in that facility should be securely removed so that sensitive information is not left insecure.

Therefore, control 7.7 requires organisations to establish procedures for the vacation of facilities so that all sensitive information assets housed in that facility are securely disposed of. These procedures may include carrying out a final sweep so that no sensitive information is left unprotected.

Are you ready for
the new ISO 27002

We’ll give you an 81% headstart
from the moment you log in
Book your demo

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

Changes and Differences From ISO 27002:2013

27002:2022/7.7 replaces 27002:2013/(11.2.9)

There are two significant differences between the 2022 and the 2013 versions.

  • 2022 version does not refer to criteria to consider when establishing and implementing clear desk and clear screen rules.

In contrast to the 2022 version, the 2013 version explicitly stated that organisations should consider organisation-wide information classification levels, legal & contractual requirements, and the types of risks facing the organisation when establishing a clear desk and clear screen policy.

The ISO 27002:2022 version, however, does not refer to these elements.

  • 2022 version introduces new and more comprehensive requirements for the clear desk and clear screen rules.

In contrast to the 2013 version, the 2022 version sets out the following requirements that organisations should consider when establishing clear desk and clear screen rules.

  • Organisations should create specific rules on pop-up screens to maintain the confidentiality of sensitive information.
  • Sensitive information written on whiteboards should be removed when they are no longer needed.
  • Employee endpoint devices such as computers should be protected with key locks when they are not used or when they are left unsupervised.

How ISMS.online Helps

ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process. Your complete compliance solution for ISO/IEC 27002:2022.

  • Up to 81% progress from when you log in
  • Simple and total compliance solution

Get in touch today to book a demo.

Get a Headstart
on ISO 27002

The only compliance
solution you need
Book your demo

New Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.7NewThreat intelligence
5.23NewInformation security for use of cloud services
5.30NewICT readiness for business continuity
7.4NewPhysical security monitoring
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.16NewMonitoring activities
8.23NewWeb filtering
8.28NewSecure coding

Organisational Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.105.1.1, 05.1.2Policies for information security
5.206.1.1Information security roles and responsibilities
5.306.1.2Segregation of duties
5.407.2.1Management responsibilities
5.506.1.3Contact with authorities
5.606.1.4Contact with special interest groups
5.7NewThreat intelligence
5.806.1.5, 14.1.1Information security in project management
5.908.1.1, 08.1.2Inventory of information and other associated assets
5.1008.1.3, 08.2.3Acceptable use of information and other associated assets
5.1108.1.4Return of assets
5.12 08.2.1Classification of information
5.1308.2.2Labelling of information
5.1413.2.1, 13.2.2, 13.2.3Information transfer
5.1509.1.1, 09.1.2Access control
5.1609.2.1Identity management
5.17 09.2.4, 09.3.1, 09.4.3Authentication information
5.1809.2.2, 09.2.5, 09.2.6Access rights
5.1915.1.1Information security in supplier relationships
5.2015.1.2Addressing information security within supplier agreements
5.2115.1.3Managing information security in the ICT supply chain
5.2215.2.1, 15.2.2Monitoring, review and change management of supplier services
5.23NewInformation security for use of cloud services
5.2416.1.1Information security incident management planning and preparation
5.2516.1.4Assessment and decision on information security events
5.2616.1.5Response to information security incidents
5.2716.1.6Learning from information security incidents
5.2816.1.7Collection of evidence
5.2917.1.1, 17.1.2, 17.1.3Information security during disruption
5.30NewICT readiness for business continuity
5.3118.1.1, 18.1.5Legal, statutory, regulatory and contractual requirements
5.3218.1.2Intellectual property rights
5.3318.1.3Protection of records
5.3418.1.4Privacy and protection of PII
5.3518.2.1Independent review of information security
5.3618.2.2, 18.2.3Compliance with policies, rules and standards for information security
5.3712.1.1Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
6.107.1.1Screening
6.207.1.2Terms and conditions of employment
6.307.2.2Information security awareness, education and training
6.407.2.3Disciplinary process
6.507.3.1Responsibilities after termination or change of employment
6.613.2.4Confidentiality or non-disclosure agreements
6.706.2.2Remote working
6.816.1.2, 16.1.3Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
7.111.1.1Physical security perimeters
7.211.1.2, 11.1.6Physical entry
7.311.1.3Securing offices, rooms and facilities
7.4NewPhysical security monitoring
7.511.1.4Protecting against physical and environmental threats
7.611.1.5Working in secure areas
7.711.2.9Clear desk and clear screen
7.811.2.1Equipment siting and protection
7.911.2.6Security of assets off-premises
7.1008.3.1, 08.3.2, 08.3.3, 11.2.5Storage media
7.1111.2.2Supporting utilities
7.1211.2.3Cabling security
7.1311.2.4Equipment maintenance
7.1411.2.7Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
8.106.2.1, 11.2.8User endpoint devices
8.209.2.3Privileged access rights
8.309.4.1Information access restriction
8.409.4.5Access to source code
8.509.4.2Secure authentication
8.612.1.3Capacity management
8.712.2.1Protection against malware
8.812.6.1, 18.2.3Management of technical vulnerabilities
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.1312.3.1Information backup
8.1417.2.1Redundancy of information processing facilities
8.1512.4.1, 12.4.2, 12.4.3Logging
8.16NewMonitoring activities
8.1712.4.4Clock synchronization
8.1809.4.4Use of privileged utility programs
8.1912.5.1, 12.6.2Installation of software on operational systems
8.2013.1.1Networks security
8.2113.1.2Security of network services
8.2213.1.3Segregation of networks
8.23NewWeb filtering
8.2410.1.1, 10.1.2Use of cryptography
8.2514.2.1Secure development life cycle
8.2614.1.2, 14.1.3Application security requirements
8.2714.2.5Secure system architecture and engineering principles
8.28NewSecure coding
8.2914.2.8, 14.2.9Security testing in development and acceptance
8.3014.2.7Outsourced development
8.3112.1.4, 14.2.6Separation of development, test and production environments
8.3212.1.2, 14.2.2, 14.2.3, 14.2.4Change management
8.3314.3.1Test information
8.3412.7.1Protection of information systems during audit testing

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Streamline your workflow with our new Jira integration! Learn more here.