Clear Desk and Clear Screen Policy - SME

The Clear Desk and Screen Policy (P10S) is a crucial operational guideline designed for small and medium-sized enterprises (SMEs) that need to ensure data confidentiality and maintain regulatory compliance, including ISO/IEC 27001:2022. Because it is an SME policy, as indicated by the 'S' in its document number and the assignment of the General Manager as the policy owner, it is specially adapted for organizations that might lack dedicated IT or security management teams. The policy’s core aim is to clearly outline practical, enforceable behaviors and technical controls that guard sensitive information, regardless of work location or organizational resources. At its foundation, this policy mandates that all employees, contractors, and temporary staff safeguard physical and digital workspaces by ensuring no confidential information remains visible, unattended, or improperly secured. The scope broadly covers physical offices, shared workspaces, coworking environments, and remote/home-based work settings. It applies to all paper and digital assets, such as documents, printouts, hand-written notes, removable media, computers, and mobile devices. By including such breadth, the policy addresses modern working patterns while maintaining a sharp focus on risk reduction. Roles and responsibilities are clearly streamlined for an SME context. The General Manager is entrusted with full ownership, responsible for policy communication, training, approval of exceptions, and execution of quarterly workspace compliance checks. Additional duties can be delegated to designated staff, such as the setup of screen lock settings or distribution of physical storage aids. However, the design ensures effectiveness even without formal IT or compliance departments. All personnel are held accountable to the simple but essential requirements: locking screens when unattended, securing all confidential materials, avoiding reliance solely on digital controls, and reporting potential risks or non-compliance. Policy objectives are tightly linked to both operational risk reduction and regulatory obligations. Clear, practical rules establish a baseline: automatic workstation lock after five minutes, secure storage of documents at day’s end, immediate retrieval of sensitive printouts, and signage reinforcing awareness. The General Manager is also responsible for onboarding and awareness training, logging of compliance activities, and escalations in the event of incident or breach. Importantly, the policy’s design supports a culture of vigilance and accountability, focusing on achievable controls within the capabilities of a resource-constrained SME, while maintaining alignments, such as Annex A Control 7.7 of ISO/IEC 27001 and GDPR Article 32. The overall structure equips SMEs to demonstrate due diligence during audits and to effectively mitigate physical and information risks from internal mishandling or external threats such as visitors or contractors. Realistic exception processes, tailored controls for remote workers, and defined disciplinary responses ensure both clarity and credibility. The policy includes linkage with other critical policies (e.g., Information Security Awareness, Access Control, Incident Response), forming part of a concise, coherent cyber hygiene framework ideal for smaller organizations.