ISO 27001 Annex A 7.10 (Storage Media) requires lifecycle management of every physical data carrier the organisation holds. The primary implementation requirement is to establish rigorous inventory controls and forensic sanitisation; the business benefit is reduced data-breach risk and verifiable regulatory compliance for sensitive information.
ISO 27001 Annex A Storage Media Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.10. This control mandates the secure management of storage media throughout its life cycle—including acquisition, use, transportation, and disposal—to prevent unauthorised disclosure, modification, or removal of organisational data.
1. Establish a Verified Physical Media Inventory
Control Requirement: A complete record of all physical storage media must be maintained and tracked. Required Implementation Step: Perform a physical “floor-walk” to identify every HDD, SSD, USB drive, and backup tape within the premises. Manually record serial numbers and physical locations into a master asset register, rather than relying on automated network discovery tools that miss offline or “shadow” media stored in drawers.
Minimum Requirement: A dated inventory list reconciled by a physical sighting of each serialised media item.
2. Apply Physical Classification Labelling
Control Requirement: Media must be clearly labelled based on the sensitivity of the data it contains. Required Implementation Step: Purchase physical, tamper-evident classification stickers. Physically apply labels (e.g., “RESTRICTED” or “CONFIDENTIAL”) to the exterior of every removable disk and backup tape to ensure handlers are immediately aware of the required protection level without needing to plug the device in.
Minimum Requirement: Every piece of removable media must bear a visible classification marker matching the organisation’s Information Classification Policy.
3. Enforce Mandatory Cryptographic Protection at Rest
Control Requirement: Information stored on media must be protected against unauthorised access via encryption. Required Implementation Step: Configure local Group Policy (GPO) or hardware-level settings to enforce AES-256 encryption (e.g., BitLocker or LUKS) on all internal and external drives. Verify the encryption status by manually checking the disk properties on the machine, as SaaS dashboards often report “Compliant” even if the encryption key is stored in plain text locally.
Minimum Requirement: Technical verification that 100% of portable storage media is encrypted with centrally managed recovery keys.
4. Restrict Physical Access to Media Storage
Control Requirement: Inactive or sensitive media must be stored in a secure physical environment. Required Implementation Step: Install a fire-rated, biometric or key-locked safe specifically for offline media and backup tapes. Ensure the safe is bolted to the building structure and that the access log for the safe is physically signed by the authorised custodian during every withdrawal or deposit.
Minimum Requirement: Storage of all unencrypted or highly sensitive media within a locked, fire-resistant container.
5. Implement Secure Media Transit Protocols
Control Requirement: Media must be protected from unauthorised access or damage during transportation. Required Implementation Step: Use tamper-evident bags or locked “peli-cases” for the transport of physical media between sites. Assign a named courier or staff member and require a signed “Chain of Custody” form at every hand-off point, ensuring the media is never left unattended in a vehicle.
Minimum Requirement: A signed transit log for every movement of physical media outside of the primary secure perimeter.
6. Define and Execute Forensic Data Sanitisation
Control Requirement: Data on media must be made unrecoverable before disposal or re-use. Required Implementation Step: Use certified software (e.g., Blancco) or hardware degaussers to perform a NIST SP 800-88 compliant “Purge.” A simple OS “format” is insufficient; you must execute a multi-pass overwrite and retain the technical wipe report as evidence for the auditor.
Minimum Requirement: A software-generated sanitisation certificate for every drive intended for re-use or disposal.
7. Execute Physical Destruction for Failed Media
Control Requirement: Media that cannot be electronically wiped must be physically destroyed. Required Implementation Step: If a drive fails the software wipe due to hardware malfunction, it must be physically shredded or crushed. Use an on-site industrial media shredder or a hydraulic press to ensure the platters or NAND chips are rendered into fragments smaller than 2 mm.
Minimum Requirement: Photographic evidence or a witness signature confirming the physical destruction of non-wipeable media.
8. Control Removable Media Port Usage
Control Requirement: Unauthorised use of storage media must be technically prevented. Required Implementation Step: Physically block unused USB ports with hardware locks, or use an endpoint protection or EDR tool to “deny-by-default” all removable storage. Create a manual approval process where only company-issued, encrypted, and serial-tracked USB drives are whitelisted for specific, time-limited tasks.
Minimum Requirement: System logs showing the blocking of unapproved removable storage devices.
9. Obtain Certificates of Destruction from Third Parties
Control Requirement: Third-party disposal must be verified through formal documentation. Required Implementation Step: Do not trust a general “recycling” receipt. Demand a “Certificate of Destruction” from your waste vendor that explicitly lists the serial numbers of the specific drives sent for disposal, cross-referencing this against your initial inventory to “close the loop.”
Minimum Requirement: A legally binding certificate from a certified disposal vendor (e.g., ADISA accredited) matching your asset serial numbers.
10. Conduct Quarterly Media Integrity Audits
Control Requirement: The effectiveness of media management must be periodically reviewed. Required Implementation Step: Every three months, perform a “spot check” by randomly selecting 10 serial numbers from your inventory and requiring the custodian to physically produce the media within 30 minutes. Document the outcome, including any “lost” media, which must be immediately reported as a security incident.
Minimum Requirement: An internal audit report signed by the CISO verifying the physical presence and status of sampled media.
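As an added example (not part of this checklist and not any vendor's tooling), the following Python reconciles a vendor Certificate of Destruction against the asset register to “close the loop” as step 9 describes, and draws the random spot-check sample of step 10. The inventory, the certificate text and every serial number in it are constructed sample data.

```python
"""Close-the-loop reconciliation of disposal records against the media
inventory, plus the quarterly spot-check sample (added example, not from
the original checklist; all serials and records are constructed)."""
import random
import re

# Constructed master asset register, keyed by serial number.
INVENTORY = {
    "WD-WCC4N0001": {"type": "HDD", "location": "Safe A, shelf 2", "status": "active"},
    "SAM-S3Z9NB002": {"type": "SSD", "location": "Laptop L-104", "status": "active"},
    "SND-4C5300003": {"type": "USB", "location": "Drawer IT-07", "status": "active"},
    "LTO-C0000004": {"type": "TAPE", "location": "Safe A, shelf 1", "status": "sent_for_disposal"},
    "WD-WCC4N0005": {"type": "HDD", "location": "Disposal crate", "status": "sent_for_disposal"},
    "SAM-S3Z9NB006": {"type": "SSD", "location": "Disposal crate", "status": "sent_for_disposal"},
}

# Constructed vendor certificate: hand-typed serials with inconsistent case and spacing.
CERTIFICATE_TEXT = """
Certificate of Destruction #CoD-EXAMPLE
Serial: lto-c0000004
Serial: WD-WCC4N 0005
Serial: SAM-S3Z9NB999
"""

def normalise(serial: str) -> str:
    """Strip whitespace and upper-case so typed certificate serials match the register."""
    return re.sub(r"\s+", "", serial).upper()

def parse_certificate(text: str) -> set[str]:
    """Extract every 'Serial:' line from the certificate as a normalised serial."""
    return {normalise(m.group(1)) for m in re.finditer(r"^Serial:\s*(.+)$", text, re.MULTILINE)}

def reconcile(inventory: dict, certified: set[str]) -> dict[str, list[str]]:
    """closed: sent and certified; open: sent but not on the certificate (still a
    live risk); unknown: on the certificate but never marked as sent (vendor error)."""
    sent = {s for s, rec in inventory.items() if rec["status"] == "sent_for_disposal"}
    return {
        "closed": sorted(sent & certified),
        "open": sorted(sent - certified),
        "unknown": sorted(certified - sent),
    }

def spot_check_sample(inventory: dict, size: int = 10, seed=None) -> list[str]:
    """Random sample of active serials the custodian must physically produce."""
    active = sorted(s for s, rec in inventory.items() if rec["status"] == "active")
    return random.Random(seed).sample(active, min(size, len(active)))
```

Any serial left in `open` after the certificate arrives is exactly the gap the table below calls out: a disposal task marked “Complete” with no serial-matched evidence behind it.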
ISO 27001 Annex A 7.10 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Media Inventory | A list of “active” laptops in a SaaS dashboard. | The dashboard doesn’t see the 50 loose HDDs sitting in a cardboard box under the IT manager’s desk. |
| Classification | Ticking “Yes” to a “Labelling Policy” task. | If the physical drive doesn’t have a sticker on it, an external cleaner won’t know it’s sensitive when they find it in the bin. |
| Data Sanitisation | Marking a disposal task as “Complete.” | “Complete” is not evidence. Only a NIST-compliant wipe report matched to a serial number survives a forensic audit. |
| Transit Security | Uploading a PDF of the “Courier Contract.” | The contract doesn’t stop a courier from leaving a bag of backup tapes in an unlocked van while they get lunch. |
| Physical Destruction | Trusting a generic “Recycling Certificate.” | General recyclers often resell drives that “look okay” without wiping them. You need a destruction-specific certificate. |
| Port Control | Setting a policy that says “No USBs allowed.” | Unless the ports are technically disabled or physically blocked, your staff will use them for convenience. |
| Ghost Media | Assuming all data is in “The Cloud.” | Staff regularly download “Cloud” data to local USBs for offline work. If you don’t track the USBs, the Cloud doesn’t matter. |