Control theme: Physical | Control type: Preventive | Cybersecurity concept: Protect

A.7.7 Clear Desk and Clear Screen

M365 Admin Path: Microsoft Intune admin center (intune.microsoft.com) > Devices > Configuration profiles

Evidence Source: Microsoft Graph - Intune Device Configuration (screen lock, screen saver), Manual verification

What is A.7.7 Clear Desk and Clear Screen?

ISO 27001 control A.7.7 Clear Desk and Clear Screen requires organisations to define and enforce rules protecting information from unauthorised access when workstations and physical spaces are unattended. This includes automatic screen locking with strong authentication on unlock, secure storage of physical documents and removable media, and controlled printing. For Microsoft 365 environments, clear screen is enforced through Windows Hello for Business and mobile device compliance policies requiring auto-lock.

Secure print is achieved through Microsoft Universal Print with QR code release, ensuring documents are only printed when users authenticate at the printer.

How to implement A.7.7 in Microsoft 365

Implement A.7.7 by deploying Windows Hello for Business

Implement A.7.7 by deploying Windows Hello for Business via Intune for passwordless authentication on screen unlock. Enable FIDO2 security keys and Microsoft Authenticator passwordless in Entra ID authentication methods.

Configure screen lock timeout to maximum 15 minutes

Configure screen lock timeout to a maximum of 15 minutes (5 minutes for high-security areas) via Intune device configuration, per CIS Windows 11 2.3.7.3. Deploy mobile compliance policies requiring a passcode or biometric and auto-lock for iOS (Auto-Lock set to a value other than Never, per CIS iOS 2.1.1) and Android devices.

Register all printers with Microsoft Universal Print

Register all printers with Microsoft Universal Print and configure QR code or badge release for pull printing, eliminating abandoned printouts. Establish clear desk procedures requiring sensitive documents to be secured in locked storage when unattended. Conduct periodic desk audits and meeting room walk-throughs.

What an auditor checks for A.7.7

  • Auditors will verify Windows Hello for Business configuration profiles exist in Intune or that passwordless authentication methods (FIDO2, Authenticator) are enabled in Entra ID.
  • They will review mobile device compliance policies to confirm auto-lock and passcode requirements are configured for iOS and Android.
  • Auditors will check that Universal Print printers are registered with pull printing capability enabled (QR code or badge release).
  • They will review evidence of physical desk audits confirming desks are cleared of sensitive materials.
  • Auditors will verify meeting room clearance procedures are in place including whiteboard erasure and temporary material removal.
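The screen-lock part of this checklist can be verified from the evidence source named above (Microsoft Graph, Intune device configuration) rather than by clicking through the admin center. The following is an added example, not code from the original page or from Microsoft: it evaluates Intune configuration profiles in the JSON shape returned by `GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations` (the `@odata.type` values and property names are the Graph resource types for Windows, iOS and Android general configuration) against the 15-minute and 5-minute thresholds from the implementation steps. The sample response is constructed for illustration; the live-retrieval helper assumes a valid bearer token with `DeviceManagementConfiguration.Read.All` and is not run here.

```python
"""Check Intune device configuration profiles (Graph JSON) against A.7.7 screen-lock expectations.

Added example for illustration; not the page's or Microsoft's own code.
"""
import json
import urllib.request

# Thresholds from the control guidance (minutes of inactivity before the screen locks).
MAX_LOCK_MINUTES = 15
MAX_LOCK_MINUTES_HIGH_SECURITY = 5

GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"

# Graph resource type -> (inactivity-timeout property, "lock requires a credential" property).
# Property names are those of the Microsoft Graph deviceConfiguration resource types.
SCREEN_LOCK_PROPERTIES = {
    "#microsoft.graph.windows10GeneralConfiguration": (
        "passwordMinutesOfInactivityBeforeScreenTimeout", "passwordRequired"),
    "#microsoft.graph.iosGeneralDeviceConfiguration": (
        "passcodeMinutesOfInactivityBeforeLock", "passcodeRequired"),
    "#microsoft.graph.androidGeneralDeviceConfiguration": (
        "passwordMinutesOfInactivityBeforeScreenTimeout", "passwordRequired"),
}


def evaluate_profile(profile: dict, high_security: bool = False) -> list:
    """Return a list of finding strings for one profile; an empty list means compliant."""
    limit = MAX_LOCK_MINUTES_HIGH_SECURITY if high_security else MAX_LOCK_MINUTES
    props = SCREEN_LOCK_PROPERTIES.get(profile.get("@odata.type", ""))
    if props is None:
        return []  # Wi-Fi, VPN, etc.: this profile type carries no screen-lock settings
    timeout_prop, required_prop = props
    name = profile.get("displayName") or profile.get("id") or "<unnamed>"
    findings = []

    timeout = profile.get(timeout_prop)
    # null/absent means "Not configured" in Intune, so the platform default applies and the
    # user may set Auto-Lock to Never (the state CIS iOS 2.1.1 forbids). Treat 0 the same way.
    if timeout is None or timeout == 0:
        findings.append(f"{name}: {timeout_prop} not configured (auto-lock may be Never)")
    elif timeout > limit:
        findings.append(f"{name}: {timeout_prop}={timeout} exceeds {limit}-minute limit")

    # A screen that locks but needs no credential to unlock gives no clear-screen protection.
    if not profile.get(required_prop, False):
        findings.append(f"{name}: {required_prop} is not enforced")
    return findings


def evaluate_response(response: dict, high_security: bool = False) -> dict:
    """Map each screen-lock-bearing profile's display name to its findings."""
    results = {}
    for profile in response.get("value", []):
        if profile.get("@odata.type", "") in SCREEN_LOCK_PROPERTIES:
            name = profile.get("displayName") or profile.get("id") or "<unnamed>"
            results[name] = evaluate_profile(profile, high_security)
    return results


def fetch_device_configurations(access_token: str) -> dict:
    """Live retrieval (not executed in this example). Follow '@odata.nextLink' for large tenants."""
    req = urllib.request.Request(GRAPH_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample in the shape Graph returns; the names and values are invented for illustration.
SAMPLE_RESPONSE = {
    "value": [
        {"@odata.type": "#microsoft.graph.windows10GeneralConfiguration", "id": "win-std",
         "displayName": "Win11 - Standard", "passwordRequired": True,
         "passwordMinutesOfInactivityBeforeScreenTimeout": 15},
        {"@odata.type": "#microsoft.graph.windows10GeneralConfiguration", "id": "win-lab",
         "displayName": "Win11 - Lab", "passwordRequired": True,
         "passwordMinutesOfInactivityBeforeScreenTimeout": 30},
        {"@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration", "id": "ios-corp",
         "displayName": "iOS - Corporate", "passcodeRequired": True,
         "passcodeMinutesOfInactivityBeforeLock": None},
        {"@odata.type": "#microsoft.graph.androidGeneralDeviceConfiguration", "id": "android-corp",
         "displayName": "Android - Corporate", "passwordRequired": False,
         "passwordMinutesOfInactivityBeforeScreenTimeout": 10},
        {"@odata.type": "#microsoft.graph.windowsWifiConfiguration", "id": "wifi",
         "displayName": "Corp Wi-Fi"},
    ]
}

if __name__ == "__main__":
    for area, strict in (("standard areas", False), ("high-security areas", True)):
        print(f"== {area} ==")
        for profile_name, findings in evaluate_response(SAMPLE_RESPONSE, strict).items():
            print(profile_name, "OK" if not findings else findings)
```

Run against a real tenant by replacing `SAMPLE_RESPONSE` with the output of `fetch_device_configurations(token)`; the remaining checklist items (Universal Print registration, desk and meeting-room walk-throughs) stay manual evidence, as the page says.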

What your auditor expects for A.7.7

  • Control: A.7.7 (Clear desk and clear screen)
  • ISMS Sections: 3, 4
  • Related Controls: A.7.6 (Working in secure areas), A.8.1 (User endpoint devices)
  • Shows: Intune screen lock timeout policies, screen saver enforcement, physical clear desk verification checklists
  • Audit: Validates both automated screen protection and manual clear desk procedures
  • [A.7.6 (Working in secure areas)](/controls/a-7-6 (working in secure areas)/)
  • [A.8.1 (User endpoint devices)](/controls/a-8-1 (user endpoint devices)/)
  • [A.5.10 (Acceptable use of information and other associated assets)](/controls/a-5-10 (acceptable use of information and other associated assets)/)
  • [A.8.3 (Information access restriction)](/controls/a-8-3 (information access restriction)/)

See how your organisation scores against A.7.7 and all 93 ISO 27001 controls.
