Clear Desk and Clear Screen Policy

The Clear Desk and Screen Policy (P10) establishes rigorous controls to ensure sensitive information is protected from unauthorized access, disclosure, loss, or theft within any physical or hybrid workplace environment. It supports globally recognized regulatory obligations such as ISO/IEC 27001:2022 (especially clauses addressing physical and behavioral security), GDPR articles on data protection and confidentiality, and other frameworks including NIST SP 800-53, EU NIS2, EU DORA, and COBIT 2019. This policy has a broad scope, applying universally to permanent and temporary employees, contractors, third-party service providers, and even visitors who may have access to confidential workspaces. It strictly governs conduct in individual offices, open spaces, meeting rooms, and remote or hybrid work environments like hot-desking. The aim is to standardize secure behavior so that all personnel, regardless of their role or work location, must adhere to the same rules for safeguarding information. Clear requirements are established for both physical and technical means of control. Users must keep desks free from exposed sensitive documents, lock screens before stepping away, securely store or dispose of confidential materials, and not leave credentials or devices unattended. IT is mandated to configure systems for screen lock timers set to a maximum of 5 minutes, deploy privacy filters in high-traffic areas, and implement technical enforcement for all endpoints. Facilities and Physical Security teams provide lockable storage, shredders, and clear signage, while also conducting regular compliance walkthroughs and handling violations. The responsibilities for enforcement and oversight are distributed among Executive Management, the CISO/ISMS Manager, Facilities, IT, and direct line managers, ensuring a layered approach to accountability. The policy mandates a robust training program, onboarding, and periodic refreshers to educate all personnel about the risks associated with unattended sensitive information. Regular audits, tracking of compliance metrics (such as observed violations and training completion), and stringent escalation paths for non-compliance, including HR disciplinary action, demonstrate a commitment to both operational discipline and legal readiness. Exception handling and residual risk processes are also in place, requiring advanced approval, documentation, and additional controls for any deviation. Comprehensively, this policy unifies user behavior, workspace design, technical enforcement, and audit processes into a repeatable framework vital for organizational resilience and regulatory compliance. All updates are review-controlled, communicated through official channels, and require re-acknowledgment. Aligned policies on information security, risk management, asset handling, data classification, retention, disposal, and monitoring further reinforce the overall governance system.