
How to Implement ISO 27001 Annex A 7.10 Storage Media

In this ultimate how-to guide to implementing ISO 27001 Annex A 7.10 Storage Media, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 7.10 Storage Media is a control that requires lifecycle management of all physical data carriers. The Primary Implementation Requirement is to establish rigorous inventory controls and forensic sanitisation; the Business Benefit is mitigated data breach risk and verifiable regulatory compliance for sensitive information.

ISO 27001 Storage Media Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.10. This control mandates the secure management of storage media throughout its life cycle—including acquisition, use, transportation, and disposal—to prevent unauthorised disclosure, modification, or removal of organisational data.

1. Establish a Verified Physical Media Inventory

Control Requirement: A complete record of all physical storage media must be maintained and tracked.

Required Implementation Step: Perform a physical “floor-walk” to identify every HDD, SSD, USB drive, and backup tape within the premises. Manually record serial numbers and physical locations in a master asset register, rather than relying on automated network discovery tools, which miss offline or “shadow” media stored in drawers.

Minimum Requirement: A dated inventory list reconciled by a physical sighting of each serialised media item.

2. Apply Physical Classification Labelling

Control Requirement: Media must be clearly labelled based on the sensitivity of the data it contains.

Required Implementation Step: Purchase physical, tamper-evident classification stickers. Physically apply labels (e.g., “RESTRICTED” or “CONFIDENTIAL”) to the exterior of every removable disk and backup tape so that handlers are immediately aware of the required protection level without needing to plug the device in.

Minimum Requirement: Every piece of removable media must bear a visible classification marker matching the organisation’s Information Classification Policy.

3. Enforce Mandatory Cryptographic Protection at Rest

Control Requirement: Information stored on media must be protected against unauthorised access by encryption.

Required Implementation Step: Configure local Group Policy (GPO) or hardware-level settings to enforce AES-256 encryption (e.g., BitLocker or LUKS) on all internal and external drives. Verify the encryption status by manually checking the disk properties on the machine itself, as SaaS dashboards often report “Compliant” even if the encryption key is stored in plain text locally.

Minimum Requirement: Technical verification that 100% of portable storage media is encrypted with centrally managed recovery keys.
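The verification step above asks you to check the machine rather than trust a dashboard. The following script is an added example for the LUKS case, not part of this guide or any toolkit: it parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM` prints and reports every mounted filesystem with no dm-crypt layer beneath it (flagging removable devices separately), then parses `/etc/crypttab` and lists volumes that are unlocked from a key file on the local disk, which is exactly the “key stored in plain text locally” condition the step warns about. The `lsblk` and `crypttab` samples embedded below are constructed for the demonstration; the function and variable names are the example’s own.

```python
"""Added example: audit a Linux host's own block-device tree and crypttab for
unencrypted data and on-disk LUKS key files. Sample inputs are constructed."""
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM` output:
# sda2 is a LUKS container whose ext4 child is mounted at /; sda1 is a plain
# EFI partition; sdb is a removable USB stick with an unencrypted exFAT volume.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "rm": false,
   "children": [
     {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi", "rm": false},
     {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "rm": false,
      "children": [
        {"name": "luks-root", "type": "crypt", "fstype": "ext4", "mountpoint": "/", "rm": false}
      ]}
   ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "rm": true,
   "children": [
     {"name": "sdb1", "type": "part", "fstype": "exfat", "mountpoint": "/media/usb", "rm": true}
   ]}
]}
"""

# Constructed sample /etc/crypttab: the root volume prompts for a passphrase;
# the data volume is unlocked from a key file stored on the local disk.
SAMPLE_CRYPTTAB = """
# <target name> <source device>        <key file>           <options>
luks-root       UUID=0000-constructed  none                 luks,discard
luks-data       /dev/sdc1              /etc/keys/data.key   luks
"""


def unencrypted_mounts(lsblk_json, exempt=()):
    """Return mounted filesystems that have no dm-crypt ('crypt') layer beneath them.

    Each finding records the device name, mountpoint, fstype and whether the
    device (or its parent disk) is removable. Mountpoints listed in `exempt`
    (for example a documented plaintext EFI partition) are skipped.
    """
    findings = []

    def walk(node, under_crypt, removable):
        under_crypt = under_crypt or node.get("type") == "crypt"
        # lsblk emits RM as a JSON bool on recent versions and "0"/"1" on older ones.
        removable = removable or str(node.get("rm")).lower() in ("true", "1")
        mountpoint = node.get("mountpoint")
        if mountpoint and mountpoint != "[SWAP]" and not under_crypt and mountpoint not in exempt:
            findings.append({"device": node["name"], "mountpoint": mountpoint,
                             "fstype": node.get("fstype"), "removable": removable})
        for child in node.get("children", []):
            walk(child, under_crypt, removable)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False, False)
    return findings


def crypttab_keyfiles(crypttab_text):
    """Return (target, keyfile) for crypttab entries that are unlocked from a key file.

    'none' or '-' in the third column means a passphrase prompt (or a key under
    systemd's cryptsetup-keys.d directories), so those entries are not reported.
    A reported key file must itself live on an encrypted filesystem; otherwise
    the volume's key is stored in plain text on the same host.
    """
    found = []
    for line in crypttab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyfile = fields[2] if len(fields) > 2 else "none"
        if keyfile not in ("none", "-"):
            found.append((fields[0], keyfile))
    return found


def audit_live_host(exempt=("/boot/efi",)):
    """Run both checks against the host this script executes on (needs lsblk)."""
    lsblk = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,RM"],
                           capture_output=True, text=True, check=True).stdout
    try:
        with open("/etc/crypttab") as fh:
            crypttab = fh.read()
    except FileNotFoundError:
        crypttab = ""
    return unencrypted_mounts(lsblk, exempt=exempt), crypttab_keyfiles(crypttab)


if __name__ == "__main__":
    for finding in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print("UNENCRYPTED", finding)
    for target, keyfile in crypttab_keyfiles(SAMPLE_CRYPTTAB):
        print("KEYFILE ON DISK", target, keyfile)
```

Run against the samples, the script reports `/boot/efi` (plaintext EFI partition, normally documented as an accepted exception) and the removable `/media/usb` volume, plus the `luks-data` volume keyed from `/etc/keys/data.key`. Treat the output as evidence for the Minimum Requirement only after reconciling it with the media inventory: a removable volume that is encrypted on the host but whose recovery key is not held centrally still fails the control.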
