ISO 27001:2022 Annex A Control 7.10

Abstract of Annex A Control 7.10: Storage media

Control 7.10 of ISO 27001:2022 Annex A (expanded in ISO 27002:2022) covers the management of storage media throughout its lifecycle, from acquisition and use to transfer, re-use and secure disposal. Proper handling of storage media supports the confidentiality, integrity and availability of the information it holds and mitigates risks such as unauthorized access, data loss and information leakage.

Control attributes (as categorised in ISO 27002:2022)

  • Control type
  • Information security properties
  • Cybersecurity concepts
  • Operational capabilities
  • Security domains

Objective of Control 7.10

The objective of this control is to ensure that all storage media used in the organization are securely managed throughout their lifecycle. This includes:

  • Preventing unauthorized access to stored information.
  • Ensuring secure handling, transfer, and disposal of storage media.
  • Protecting against environmental risks and physical damage.
  • Reducing the risk of data corruption or degradation over time.

Purpose of Storage Media Management

Storage media often hold sensitive information that, if compromised, can lead to data breaches, financial loss or legal consequences. Managing storage media ensures:

  • Data confidentiality by restricting unauthorized access.
  • Data integrity by preventing unauthorized modifications or accidental corruption.
  • Data availability by ensuring that information remains accessible when needed.
  • Compliance with legal, regulatory, and contractual obligations.

Guidelines for Removable Storage Media

Removable storage media, such as USB drives, external hard disks, SD cards, and optical media, introduce additional security risks due to their portability and susceptibility to loss or theft. Your organization should implement the following measures:

1. Establishing Policies and Authorization Procedures

  • Define a policy for the use, handling, and storage of removable media.
  • Communicate this policy to all employees and contractors who handle storage media.
  • Require explicit authorization for the use of removable storage devices.
  • Maintain an audit trail to track who accesses or removes media from the organization.

2. Secure Storage and Environmental Protection

  • Store all storage media in a physically secure environment based on data classification.
  • Protect media from heat, moisture, electromagnetic interference, and other environmental hazards.
  • Use lockable storage cabinets for sensitive storage media.

3. Encryption and Access Control

  • Encrypt sensitive data stored on removable media (full-device or container encryption) so that a lost or stolen device is unreadable; keep the keys under central management rather than with the device, so that they can be recovered by the organization and destroyed when the medium is retired.
  • Implement access controls to restrict usage to authorized personnel only.
  • Use password protection and multi-factor authentication where applicable.

4. Lifecycle Management and Data Redundancy

  • Regularly transfer data from aging or degrading storage media to fresh media.
  • Store multiple copies of critical data on separate media to prevent accidental loss.
  • Register and catalog storage media to maintain an inventory of active and archived media.

5. Restricting Ports and Monitoring Data Transfers

  • Block removable storage (USB mass storage and similar) by default on endpoints through operating-system or endpoint-management policy, rather than relying on physically disabling ports.
  • Enable removable storage only for authorized users, and only for the specific devices and use cases they are approved for.
  • Monitor and log device attachments and data transfers to removable storage media so that unauthorized activity can be detected and investigated.
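The allowlist-and-monitoring half of this step, as an added example that is not part of the ISO text or of any vendor tool: a Python script that parses constructed Linux kernel log lines of the shape dmesg/journald show when a USB device is attached, pairs each device's vendor and product IDs with its serial number, and reports any mass-storage device whose triple is not on an authorised list. Non-storage devices such as receivers and mice are ignored. The sample log, the device IDs and serials, and the allowlist are invented for the example.

```python
"""Flag removable-storage attachments that are not on the allowlist.

Added example (not from the ISO 27001 text). The log lines, vendor/product
IDs, serial numbers and allowlist are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed sample log: the line shapes follow the Linux usb core and
# usb-storage/sd drivers, the values are invented.
SAMPLE_LOG = """\
Mar 03 09:12:01 host kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 03 09:12:01 host kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 03 09:12:01 host kernel: usb 1-1: Product: Ultra Fit
Mar 03 09:12:01 host kernel: usb 1-1: SerialNumber: 4C530001230414112345
Mar 03 09:12:01 host kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 03 09:12:02 host kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar 03 09:15:40 host kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Mar 03 09:15:40 host kernel: usb 1-2: Product: USB Receiver
Mar 03 09:20:07 host kernel: usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Mar 03 09:20:07 host kernel: usb 1-3: SerialNumber: E0D55EA5730B
Mar 03 09:20:07 host kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Mar 03 09:20:08 host kernel: sd 7:0:0:0: [sdc] Attached SCSI removable disk
"""

# Hypothetical register of corporate-issued media: (idVendor, idProduct, serial).
ALLOWLIST = {
    ("0781", "5583", "4C530001230414112345"),
}

NEW_DEV = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    serial: str = ""          # empty when the device reports no serial
    mass_storage: bool = False


def parse_usb_events(log: str) -> dict:
    """Correlate the per-device kernel lines by USB port path (e.g. '1-3')."""
    devices = {}
    for line in log.splitlines():
        m = NEW_DEV.search(line)
        if m:
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
            continue
        m = SERIAL.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].serial = m["serial"]
            continue
        m = STORAGE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].mass_storage = True
    return devices


def unauthorised_media(log: str, allowlist=ALLOWLIST) -> list:
    """Return mass-storage devices whose (vid, pid, serial) is not allowlisted.

    A storage device that reports no serial cannot be matched against the
    register and is therefore always reported.
    """
    return [
        dev for dev in parse_usb_events(log).values()
        if dev.mass_storage and (dev.vid, dev.pid, dev.serial) not in allowlist
    ]


if __name__ == "__main__":
    for dev in unauthorised_media(SAMPLE_LOG):
        print(f"ALERT unregistered storage on usb {dev.port}: "
              f"{dev.vid}:{dev.pid} serial={dev.serial or '<none>'}")
```

Matching on the serial, not only on vendor and product IDs, is what ties an attachment to a specific registered medium; two sticks of the same model are indistinguishable otherwise. The default-deny half of the step is done separately by the platform (on Linux typically a udev rule or a modprobe blacklist for the usb-storage module, on Windows a device-installation restriction policy), and this kind of log review is the compensating detective control for the exceptions that are granted.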

6. Secure Transport of Storage Media

  • Implement security controls when transferring media via postal services or couriers (approved carriers, recipient verification, encryption of the contents).
  • Require tamper-evident packaging and tracking mechanisms so that interference in transit is detectable.
  • Apply the measures of ISO 27001 Control 5.14 (Information transfer) for physical transfer of information.

Secure Reuse and Disposal of Storage Media

To prevent data leaks and unauthorized recovery of sensitive information, your organization must establish procedures for secure reuse and disposal of storage media.

1. Secure Data Deletion Before Reuse

  • Before reusing storage media, securely erase all sensitive data and verify the erasure.
  • Use cryptographic erasure (destroying the key of an encrypted volume) or an overwrite-based sanitization tool appropriate to the media type. Overwriting alone is not reliable on SSDs, USB sticks and other flash media because of wear levelling and spare blocks; use the device's built-in secure-erase function or cryptographic erasure for those.
  • Follow the guidance in ISO 27001 Control 8.10 (Information deletion).

2. Secure Disposal of Unneeded Media

  • Destroy storage media that are no longer needed using methods such as shredding, degaussing or incineration. Degaussing only affects magnetic media (hard disks, tapes); it has no effect on SSDs, flash memory or optical discs, which must be physically destroyed instead.
  • Never dispose of storage media in regular waste bins.
  • Periodically audit disposal records against the media inventory to verify that every retired medium was disposed of in line with policy.

3. Third-Party Disposal Services

  • When using third-party disposal services, vet the provider to ensure they follow secure disposal standards.
  • Require certificates of destruction for accountability.
  • Maintain a record of disposed media for auditing purposes.

4. Logging and Auditing Disposal Activities

  • Maintain an audit trail of storage media disposal, including destruction methods and responsible personnel.
  • Regularly review disposal logs to ensure compliance with policies.
  • Assess disposal risks, particularly for storage devices with aggregated sensitive information.
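The inventory and audit-trail requirements above (registering media, logging issue and return, recording sanitisation and disposal with method and responsible person, and keeping certificates for third-party destruction) can be enforced rather than only documented. The following is an added example in Python, not code from the ISO standard or from any product: an append-only register that hash-chains each entry to the previous one, so an edited or deleted disposal record is detectable, and that refuses lifecycle transitions the policy forbids (re-issuing media that have not been sanitised, overwrite-only sanitisation of flash media, degaussing non-magnetic media, third-party destruction without a certificate reference). The media IDs, names, method names and the transition table are assumptions made for the example.

```python
"""Tamper-evident storage-media register with lifecycle enforcement.

Added example (not from the ISO 27001 text). Media types, method names,
IDs, people and the transition table are assumptions for the example.
"""
import hashlib
import json
from datetime import datetime, timezone

# Lifecycle states and the events allowed from each one. Returned media
# are treated as dirty until a sanitisation is recorded.
TRANSITIONS = {
    "new": {"register"},
    "registered": {"issue", "sanitise", "destroy"},
    "issued": {"return"},
    "returned": {"sanitise", "destroy"},
    "sanitised": {"issue", "destroy"},
    "destroyed": set(),
}
NEXT_STATE = {"register": "registered", "issue": "issued", "return": "returned",
              "sanitise": "sanitised", "destroy": "destroyed"}
# Which sanitisation methods are acceptable for which media: overwriting is
# only trusted on magnetic media because flash wear levelling hides blocks.
SANITISE_METHODS = {
    "overwrite": {"hdd", "tape"},
    "crypto-erase": {"hdd", "ssd", "usb-flash", "sd"},
    "ata-secure-erase": {"hdd", "ssd"},
}
MEDIA_TYPES = set().union(*SANITISE_METHODS.values())
DESTROY_METHODS = {"shred", "degauss", "incinerate"}
DEGAUSSABLE = {"hdd", "tape"}      # degaussing has no effect on flash or optical media
GENESIS = "0" * 64                 # prev-hash of the first entry


class MediaRegister:
    def __init__(self):
        self.entries = []      # append-only, hash-chained records
        self.state = {}        # media_id -> lifecycle state
        self.media_type = {}   # media_id -> type from the register event

    @staticmethod
    def _digest(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, media_id, event, actor, **details):
        """Validate the event against policy, then append it to the chain."""
        state = self.state.get(media_id, "new")
        if event not in TRANSITIONS[state]:
            raise ValueError(f"{media_id}: '{event}' not allowed in state '{state}'")
        if event == "register":
            if details.get("media_type") not in MEDIA_TYPES:
                raise ValueError(f"{media_id}: unknown media_type")
            self.media_type[media_id] = details["media_type"]
        mtype = self.media_type[media_id]
        if event == "sanitise":
            if mtype not in SANITISE_METHODS.get(details.get("method"), set()):
                raise ValueError(f"{media_id}: {details.get('method')!r} is not an "
                                 f"accepted sanitisation method for {mtype}")
        if event == "destroy":
            method = details.get("method")
            if method not in DESTROY_METHODS:
                raise ValueError(f"{media_id}: unknown destruction method")
            if method == "degauss" and mtype not in DEGAUSSABLE:
                raise ValueError(f"{media_id}: degaussing only affects magnetic media")
            if details.get("third_party") and not details.get("certificate"):
                raise ValueError(f"{media_id}: third-party destruction needs a "
                                 "certificate-of-destruction reference")
        rec = {"ts": datetime.now(timezone.utc).isoformat(), "media_id": media_id,
               "event": event, "actor": actor, **details,
               "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        rec["hash"] = self._digest(rec)
        self.entries.append(rec)
        self.state[media_id] = NEXT_STATE[event]
        return rec["hash"]

    def verify_chain(self):
        """True if no entry was altered, removed or reordered since it was written."""
        prev = GENESIS
        for rec in self.entries:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


if __name__ == "__main__":
    reg = MediaRegister()
    reg.record("HDD-0001", "register", "alice", media_type="hdd")
    reg.record("HDD-0001", "issue", "alice", to="bob")
    reg.record("HDD-0001", "return", "bob")
    reg.record("HDD-0001", "sanitise", "alice", method="overwrite")
    reg.record("HDD-0001", "destroy", "alice", method="shred",
               third_party=True, certificate="COD-2024-0042")
    print("chain intact:", reg.verify_chain())
```

The chain only proves that the register was not altered after the fact; it does not prove that the shredding happened, which is why the certificate reference and the responsible person are mandatory fields of the disposal entry. In a real deployment the latest hash would be published somewhere the operators of the register cannot rewrite (a signed daily summary, a ticket, a separate log system) so that truncating the whole tail of the log is also detectable.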

Other Relevant ISO 27001 Controls

ISO 27001 Control 7.10 is closely related to several other controls that reinforce security measures for storage media:

  • Control 5.14: Information transfer – Covers the safe transfer of information, including the physical transport of media.
  • Control 7.14: Secure disposal or re-use of equipment – Requires that equipment containing storage media is verified to have had sensitive data and licensed software removed or securely overwritten before it is disposed of or re-used.
  • Control 8.10: Information deletion – Provides guidance on deleting information before media are re-used or disposed of.


FAQs

What types of storage media does this control cover?

Hard drives and SSDs, USB devices, SD cards, optical discs (CD/DVD), backup tapes, and paper documents. Backup copies held with a cloud provider are not physical media in the sense of 7.10; they fall under the backup and cloud-service controls (8.13 and 5.23).

Why encrypt removable media?

Encryption ensures that sensitive data remains protected even if the storage media is lost or stolen, provided the key is not stored with the device.

How should storage media be disposed of?

Conduct a risk assessment to determine whether the media should be physically destroyed, degaussed (magnetic media only), or securely erased.

How do you keep track of storage media?

Maintain an inventory and log all access, transfers, and disposal activities. Implement an authorization system to control media usage.

Conclusion

Implementing ISO 27001 Control 7.10 ensures that data stored on media remains secure throughout its lifecycle, from acquisition and use to transfer and disposal. Organizations must establish and enforce clear policies for handling storage media, implement technical and physical security measures, and train employees on the resulting procedures.

By encrypting sensitive data, monitoring storage media usage, and securely disposing of unneeded media, organizations can minimize security risks and maintain compliance with applicable regulations. A structured storage media management strategy protects information assets, supports business continuity, and strengthens overall cybersecurity resilience.