Clean Desk Policy: Why the Tidy Desk Belongs in Your ISMS

TL;DR
  • A Clean Desk Policy requires employees to lock away confidential documents when leaving their workstation and to lock their screen.
  • ISO 27001 explicitly requires such a policy in A.7.7 (Clear Desk and Clear Screen) as a physical control.
  • The biggest challenge is not the policy itself but its consistent implementation in day-to-day work. Pragmatism beats perfection.
  • Clean Desk and Clear Screen go hand in hand: a tidy desk is of little use if confidential data is glowing on an unlocked screen.
  • Regular, friendly checks and positive reinforcement work better than sanctions to embed the policy in daily routines.

The messy desk as a security risk

On Ms. Mueller's desk lies a printed quote worth 380,000 euros for a major client. Next to it, a sticky note with the ERP system password. A draft contract with the new supplier is half-hidden under the keyboard. And on the screen, a personnel file is open because Ms. Mueller stepped out to the kitchen for coffee.

Each of these points is a real information security risk. The major client may never learn that their quote was lying in the open when a competitor visited. The supplier contract contains terms that only the procurement department should know. And the personnel file is particularly sensitive under DSGVO (GDPR).

A Clean Desk Policy addresses exactly these risks. It is not bureaucratic harassment but a pragmatic measure to protect confidential information at the workplace. And it is an explicit requirement of ISO 27001 and BSI IT-Grundschutz.

What the standards require

ISO 27001:2022 dedicates its own control to this topic: A.7.7 Clear Desk and Clear Screen. The control requires that rules for the clear desk and locked screen be defined and enforced to reduce the risk of unauthorized access, loss, or damage to information.

BSI IT-Grundschutz covers the topic in module ORP.1 "Organization" and refers to the need for a policy on storing information media at the workplace. Specific recommendations are also found in the measures for modules INF.7 "Office Workspace" and INF.9 "Mobile Workspace."

Both frameworks make it clear: it is not enough to write a policy. You must also demonstrate that it has been communicated, understood, and implemented.

The two sides: Clean Desk and Clear Screen

A comprehensive policy covers two aspects that go together like lock and key:

Clean Desk governs the physical workspace: documents, data carriers, sticky notes, and other paper-based information media. The core rule is simple: when you leave your workstation, put away everything that is confidential.

Clear Screen governs the digital workspace: screen contents, open applications, and active sessions. The core rule: when you leave your workstation, lock your screen.

Both aspects must be considered together because they complement each other. A tidy desk is of little use if the screen displays the quarterly figures. And a locked screen doesn't help if the printed staffing plan is lying open on the table.

Contents of a practical Clean Desk Policy

A good policy is specific enough that employees know what to do and short enough that it actually gets read. The following points form the core:

Scope

Define clearly who the policy applies to: all employees, including managers, interns, and external personnel using workstations in the company. Also define which premises are covered: offices, meeting rooms, printer rooms, and shared work areas.

Rules for the physical workspace

When leaving the workstation for more than 15 minutes, confidential documents must be placed in lockable cabinets, pedestal drawers, or desk drawers. Printouts no longer needed belong in the document shredder — secure disposal is mandatory here — not in the wastepaper basket. Removable media such as USB sticks, external hard drives, and SD cards must be locked away. Whiteboards and flipcharts in meeting rooms must be wiped after the meeting if they show confidential content. Passwords, PINs, and access codes must never be written on sticky notes, placed under the keyboard, or stuck to the monitor.

At the end of the workday, additionally: the desk is fully cleared, the pedestal drawer is locked, and printed documents are either archived or destroyed.

Rules for the digital workspace

The screen is locked every time you leave your workstation — via keyboard shortcut (Windows + L or Ctrl + Command + Q on Mac). The automatic screensaver with password protection is configured to a maximum of 5 minutes of inactivity. Confidential documents are closed after editing and not left permanently on the desktop. Printer output is picked up immediately; confidential printouts are released only with PIN printing (follow-me printing).

Exceptions and pragmatism

A rigid rule without exceptions leads to the policy being ignored. Define reasonable exceptions: documents needed for the current task may remain on the desk during brief absences (under 15 minutes) if the room is lockable and no non-company personnel have access. In private offices with lockable doors, reduced requirements apply compared to open-plan offices.

Implementation: From policy to lived practice

Experience shows that the policy itself is the easy part. The real challenge is implementing it in daily work and sustaining it.

Provide infrastructure

Before introducing a Clean Desk Policy, ensure employees can actually comply. Every workstation needs a lockable pedestal drawer or cabinet with sufficient space. At least one document shredder should be available on every floor — ideally security level P-4 or higher. Printers should support follow-me printing so printouts don't sit in the output tray for hours. The automatic screen lock must be configured centrally via group policy so users cannot disable it.

If you introduce a policy without providing the infrastructure, you produce frustration rather than security. An employee who has no lockable cabinet simply cannot comply with the policy.

Communication and training

Explain to employees not just the what but also the why. "Tidy up your desk" sounds like kindergarten. "We are protecting our customers' data and our trade secrets from unauthorized access" is a justification that adults can appreciate.

Use concrete examples: the visitor who spots the quote on the desk in passing, the cleaning staff with evening access to all offices, the colleague from another department who should not see personnel documents. Such scenarios make the abstract risk tangible.

Integrate the Clean Desk Policy into new employee onboarding and the annual security awareness training. A single mention at launch is not enough because habits only change through repetition.

Leaders as role models

If managers bury their desks under piles of paper, no employee will take the Clean Desk Policy seriously. Leaders must live the policy — no exceptions. This is not just a matter of credibility but also of risk: managers typically have access to particularly sensitive information.

Monitoring without a surveillance state

Regular spot checks are necessary to verify compliance. But the manner of the check determines acceptance. A friendly approach is recommended: announced "Clean Desk Walks" by the Information Security Officer (ISO) or team leads, ideally at varying times. For violations, a friendly reminder is given first, not a formal reprimand. Positive examples are highlighted — for instance, through a "Tidiest Desk" certificate or an appreciative mention.

Some companies use "Clean Desk Audits" as a gamification element: in the evening, workstations are checked against a checklist, and the team with the best score receives a small reward. It sounds trivial but works far better in practice than threatening sanctions.

Sanctions should only be used as a last resort for repeated, deliberate violations. Escalate them: first violation is a verbal reminder, second violation a written reminder, from the third violation onward a meeting with the manager. In practice, the first two levels are almost always sufficient.

Clean Desk in special situations

Shared desks and desk sharing

In companies with desk sharing, the Clean Desk Policy is especially important because workstations are regularly used by different people. Here the rule is: the workstation is fully cleared after every use, no exceptions. Personal lockers replace the fixed pedestal drawer. Define clear rules for what may remain at the workstation (monitor, keyboard, mouse, docking station) and what may not (everything else).

Meeting rooms

Meeting rooms are often forgotten, even though particularly sensitive information is discussed there. After every meeting: whiteboards and flipcharts must be cleaned if they show confidential content, forgotten documents are collected and returned to the organizer rather than left behind, and video conferencing systems are logged out so the next user cannot access the previous user's calendar or contacts.

Printer rooms and copiers

Printers are information hotspots that are missing from many Clean Desk Policies. Uncollected printouts sit for hours or days in the output tray and are accessible to anyone. The best solution is follow-me printing (also called pull printing): the print job is released only when the user authenticates at the printer via badge or PIN. If follow-me printing is not available, a simple rule helps: only print what you will collect immediately.

Home office

The Clean Desk Policy also applies in the home office, which surprises many employees. There too, family members, roommates, visitors, or tradespeople can see confidential documents. Define minimum requirements: lockable cabinet or drawer for company documents, screen lock at home as well, no company documents in household waste (bring them to the office for destruction or use a personal shredder).

Common mistakes during introduction

Rules too strict: If you require the entire desk to be cleared for every trip to the restroom, nobody will comply. Differentiate between brief and extended absences and between private offices and open-plan offices.

No infrastructure: Those without a lockable cabinet cannot lock anything away. Invest in equipment first, then in the policy.

One-time communication: A single email at launch is not enough. The policy must be regularly reinforced through different channels: training, posters, intranet, team meetings.

No management buy-in: If executive management does not support the policy or fails to comply themselves, it is doomed to fail.

Focus only on paper: The digital side (Clear Screen) is often forgotten, even though today more confidential information appears on screens than on paper.

No monitoring: A policy without monitoring is merely a suggestion. Regular spot checks are necessary, even if they seem costly.

Technical support

In addition to organizational measures, you can deploy technical aids that automatically ensure compliance with the Clear Screen Policy:

Automatic screen lock: Configured via group policy to a maximum of 5 minutes of inactivity, not changeable by the user. This is the single most important measure.

Proximity-based lock: Bluetooth-based solutions automatically lock the screen when the employee moves away from the workstation (e.g., via a smartphone or token). This is more convenient than manual locking and therefore better accepted.

Follow-me printing: Print jobs are released at the printer only after authentication. Uncollected print jobs are automatically deleted after a defined period.

DLP software (Data Loss Prevention): Can detect when confidential documents are placed on the desktop or in public folders and warn the user.

Encrypted removable media: If USB sticks or external hard drives are permitted, they should be automatically encrypted in case they are lost.
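The following audit script is an added example, not code from ISMS Lite or the original article: it checks on a Windows client whether the policy-backed screen-lock settings actually enforce a password-protected lock after at most 5 minutes, which is what "configured via group policy, not changeable by the user" means in practice. It assumes the settings are delivered by the standard User Configuration screen saver policies (written under HKCU\Software\Policies) and the "Interactive logon: Machine inactivity limit" security option, and that it runs in the audited user's session.

```powershell
# Added example (not from ISMS Lite or the article): audit the enforced screen-lock policy.
function Test-ScreenLockPolicy {
    param([int]$MaxTimeoutSeconds = 300)   # the article's 5-minute maximum

    # Values written by the GPO "Screen saver timeout" / "Password protect the screen saver"
    $policyKey     = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    # Value written by "Interactive logon: Machine inactivity limit" (machine-wide backstop)
    $inactivityKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Read a registry value without throwing when the key or value does not exist.
    function Get-PolicyValue([string]$Path, [string]$Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $active  = Get-PolicyValue $policyKey 'ScreenSaveActive'       # "1" = screensaver enforced
    $secure  = Get-PolicyValue $policyKey 'ScreenSaverIsSecure'    # "1" = password on resume
    $timeout = Get-PolicyValue $policyKey 'ScreenSaveTimeOut'      # seconds of inactivity
    $machine = Get-PolicyValue $inactivityKey 'InactivityTimeoutSecs'

    $findings = @()
    if ($active -ne '1') { $findings += 'Screen saver is not enforced by policy (ScreenSaveActive != 1).' }
    if ($secure -ne '1') { $findings += 'Resume does not require a password (ScreenSaverIsSecure != 1).' }
    if (-not $timeout -or [int]$timeout -gt $MaxTimeoutSeconds) {
        $findings += "Screen saver timeout is '$timeout' s; policy requires <= $MaxTimeoutSeconds s."
    }
    if (-not $machine -or [int]$machine -gt $MaxTimeoutSeconds) {
        $findings += "Machine inactivity limit is '$machine' s; set it to <= $MaxTimeoutSeconds s as a backstop."
    }

    # Only values under the Policies keys are protected from a standard user; the same
    # names under HKCU:\Control Panel\Desktop can be changed by the user and do not count.
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-ScreenLockPolicy | Format-List
```

Running it on every device at a Clean Desk walk gives the Clear Screen half of the check the same evidence trail as the paper side.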

Measurability and continuous improvement

How do you measure whether your Clean Desk Policy is working? Define metrics that you collect regularly:

Compliance rate: Percentage of workstations that comply with the policy during a spot check. In ISMS Lite, you can document the results of your Clean Desk walks and evaluate the trend across quarters. Target: at least 85 percent, preferably 95 percent.

Trend over time: Does the compliance rate improve after training? Does it deteriorate in certain departments or time periods?

Incidents: Have there been security incidents attributable to poor Clean Desk compliance? For example, confidential documents viewed by unauthorized persons.

Employee feedback: Are there complaints about missing infrastructure, impractical rules, or overly strict monitoring?

Use the results to continuously improve the policy and its implementation. If the compliance rate in accounting is significantly lower than in marketing, investigate the causes: Are lockable cabinets missing? Do employees work with many physical documents that aren't easily put away? Adapt the rules to reality instead of trying to adapt reality to the rules.
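To show how the compliance-rate metric and its trend can be evaluated per department, here is an added example (not from ISMS Lite); the walk records are constructed sample data, and the 85 percent target is the one stated above.

```powershell
# Added example: per-department Clean Desk compliance rate, target check and trend.
# Constructed sample records: one row per department and quarter of Clean Desk walks.
$walkResults = @(
    [pscustomobject]@{ Quarter = '2024-Q1'; Department = 'Accounting'; Checked = 20; Compliant = 14 }
    [pscustomobject]@{ Quarter = '2024-Q2'; Department = 'Accounting'; Checked = 20; Compliant = 12 }
    [pscustomobject]@{ Quarter = '2024-Q1'; Department = 'Marketing';  Checked = 15; Compliant = 14 }
    [pscustomobject]@{ Quarter = '2024-Q2'; Department = 'Marketing';  Checked = 15; Compliant = 15 }
)

function Get-CleanDeskCompliance {
    param([object[]]$Records, [double]$TargetPercent = 85)

    foreach ($dept in ($Records | Group-Object Department)) {
        # One rate per quarter, oldest first (the 'YYYY-Qn' labels sort chronologically as text).
        $byQuarter = @($dept.Group | Group-Object Quarter | Sort-Object Name | ForEach-Object {
            $checked   = ($_.Group | Measure-Object Checked   -Sum).Sum
            $compliant = ($_.Group | Measure-Object Compliant -Sum).Sum
            [pscustomobject]@{ Quarter = $_.Name; Rate = [math]::Round(100 * $compliant / $checked, 1) }
        })
        $latest   = $byQuarter[-1]
        $previous = if ($byQuarter.Count -gt 1) { $byQuarter[-2] } else { $null }

        [pscustomobject]@{
            Department  = $dept.Name
            Quarter     = $latest.Quarter
            RatePercent = $latest.Rate
            BelowTarget = ($latest.Rate -lt $TargetPercent)        # investigate causes
            Declining   = ($null -ne $previous) -and ($latest.Rate -lt $previous.Rate)
        }
    }
}

Get-CleanDeskCompliance -Records $walkResults | Format-Table -AutoSize
```

With the sample data, Accounting is reported below target and declining while Marketing meets the target, which is the kind of gap the paragraph above says to investigate rather than sanction.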

The Clean Desk Policy as cultural change

Ultimately, the Clean Desk Policy is about more than tidy desks. It is a visible sign that information security is taken seriously in the organization. A tidy workspace signals professionalism — both to visitors and clients and to auditors.

Experience shows that organizations that successfully implement a Clean Desk Policy also perform better in other areas of information security. This is not because a tidy desk prevents ransomware, but because awareness of information protection becomes anchored in daily routines. Someone accustomed to locking away confidential documents is also more likely to lock their screen, avoid confidential conversations in the cafeteria, and report suspicious emails.

Introducing a Clean Desk Policy is not a project with an end date but an ongoing process. Plan the policy as a living document that is regularly reviewed and adapted to changing working conditions. If you introduce desk sharing today, shift to home office tomorrow, and move into a new office building the day after, the policy must evolve accordingly.

Manage policies in your ISMS

ISMS Lite helps you create, distribute, and track your security policies. From the Clean Desk Policy to the password policy — everything in one place, versioned and verifiable.