A 7-page, audit-ready policy mapped to 7 frameworks, providing simple, practical rules to protect sensitive information in any work environment.
This policy establishes simple but essential habits for all employees: lock your screen when you walk away and keep sensitive documents out of sight. It's a foundational security practice that protects your business from opportunistic data theft, both in the office and at home.
The Clear Desk and Clear Screen Policy for SMEs is designed to help small and medium enterprises (SMEs) maintain a secure working environment by minimizing the risk of unauthorized access to sensitive information. This policy mandates the secure handling of physical documents, workstations, screens, and removable media, whether in traditional office settings, coworking environments, or at home offices for remote workers. It supports compliance with major cybersecurity standards and regulations, including ISO/IEC 27001:2022, GDPR, and NIS2, by enforcing practical controls that prevent sensitive information from being left exposed on desks or screens. The implementation of this policy is overseen by the General Manager, who ensures compliance through regular inspections and audits. This approach not only helps in reducing potential data breaches and compliance violations but also builds customer trust by demonstrating a commitment to safeguarding sensitive data.
This policy proves to auditors and customers that you take security seriously at every level, turning simple actions into powerful protection. It was authored by a security leader to be a practical framework that stands up to auditor scrutiny.
This product is aligned with the following compliance frameworks, with detailed clause and control mappings.
| Framework | Covered Clauses / Controls |
|---|---|
| ISO/IEC 27001:2022 | 7.2, 8.1 |
| ISO/IEC 27002:2022 | 7.7 |
| NIST SP 800-53 Rev. 5 | PE-2, AC-11 |
| EU GDPR | Art. 32 |
| EU NIS2 | Art. 21(2)(d) |
| EU DORA | Art. 9(2)(f) |
| COBIT 2019 | DSS01.06, DSS05.02 |
This policy is one of 37 documents in our complete toolkit. When implemented as a set, our framework helps you achieve comprehensive compliance across major standards.
Coverage claimed for the full toolkit:

- ISO 27001:2022: 100%
- NIST: 95%
- NIS2: 88%
- DORA: 75%
- GDPR: 70%
This foundational policy is directly linked to the following organizational security policies to ensure comprehensive alignment and traceability across the ISMS.
- P2S - Governance Roles & Responsibilities Policy: clarifies the authority to enforce and audit workspace behavior.
- P4S - Access Control Policy: supports the technical implementation of screen-lock practices.
- P8S - Information Security Awareness & Training Policy: reinforces the behavioral training needed for policy compliance.
- P17S - Data Protection and Privacy Policy: defines obligations for handling personal data in compliance with GDPR.
- P30S - Incident Response Policy: provides the response framework if a violation results in data exposure.
A Clear Desk and Clear Screen Policy is a fundamental security control that establishes rules for protecting sensitive information in physical and digital workspaces. For Small and Medium-sized Enterprises (SMEs), it is a highly effective, low-cost way to prevent opportunistic data theft, whether by a casual visitor in the office or by anyone passing an unattended workstation in a home office. This policy mandates simple yet critical habits, such as locking computer screens when unattended and securing printed documents in locked storage.
Implementing this policy helps your organization satisfy a key control (A.7.7) in the ISO 27001:2022 standard and aligns with data protection principles under GDPR. It covers all locations where work is performed, including home offices, and applies to all forms of information, from paper notes to USB drives. By making these practices a mandatory part of your company culture, you significantly reduce the risk of accidental data leakage and demonstrate a tangible commitment to security.