Physical | Preventive | Protect

A.7.7 Clear Desk and Clear Screen

M365 Admin Path: Microsoft Intune admin center (intune.microsoft.com) > Devices > Configuration profiles

Evidence Source: Microsoft Graph - Intune Device Configuration (screen lock, screen saver), Manual verification

What is this control?

ISO 27001 control A.7.7 Clear Desk and Clear Screen requires organisations to define and enforce rules protecting information from unauthorised access when workstations and physical spaces are unattended. This includes automatic screen locking with strong authentication on unlock, secure storage of physical documents and removable media, and controlled printing. For Microsoft 365 environments, clear screen is enforced through Windows Hello for Business and mobile device compliance policies requiring auto-lock.

Secure print is achieved through Microsoft Universal Print with QR code release, ensuring documents are only printed when users authenticate at the printer.

How to implement in Microsoft 365

Implement A.7.7 by deploying Windows Hello for Business via Intune for passwordless authentication on screen unlock. Enable FIDO2 security keys and Microsoft Authenticator passwordless sign-in in Entra ID authentication methods. Configure the screen lock timeout to a maximum of 15 minutes (5 minutes for high-security areas) via Intune device configuration, per CIS Windows 11 2.3.7.3.

Deploy mobile compliance policies requiring a passcode or biometric and auto-lock for iOS (Auto-Lock set to any value other than Never, per CIS iOS 2.1.1) and Android devices. Register all printers with Microsoft Universal Print and configure QR code or badge release for pull printing, eliminating abandoned printouts. Establish clear desk procedures requiring sensitive documents to be secured in locked storage when unattended.

Conduct periodic desk audits and meeting room walk-throughs.

What an auditor looks for

Auditors will verify Windows Hello for Business configuration profiles exist in Intune or that passwordless authentication methods (FIDO2, Authenticator) are enabled in Entra ID. They will review mobile device compliance policies to confirm auto-lock and passcode requirements are configured for iOS and Android. Auditors will check that Universal Print printers are registered with pull printing capability enabled (QR code or badge release).

They will review evidence of physical desk audits confirming desks are cleared of sensitive materials. Auditors will verify meeting room clearance procedures are in place including whiteboard erasure and temporary material removal.

  • [A.7.6 (Working in secure areas)](/controls/a-7-6 (working in secure areas)/)
  • [A.8.1 (User endpoint devices)](/controls/a-8-1 (user endpoint devices)/)
  • [A.5.10 (Acceptable use of information and other associated assets)](/controls/a-5-10 (acceptable use of information and other associated assets)/)
  • [A.8.3 (Information access restriction)](/controls/a-8-3 (information access restriction)/)