Implementing ISO 27001 Annex A 7.8 Storage Media is a critical security mandate requiring the end-to-end management of physical and digital data carriers. The primary implementation requirement is to establish strict lifecycle controls, from secure inventorying and encryption through to verified destruction; the business benefit is a reduced risk of data breaches and demonstrable regulatory compliance.
ISO 27001 Annex A Storage Media Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.8. This control mandates the secure management of storage media throughout its life cycle—from acquisition and usage to transportation and final disposal—to prevent unauthorised disclosure, modification, or removal of organisational data.
1. Establish a Physical Media Inventory
Control Requirement: All storage media must be accounted for and tracked. Required Implementation Step: Walk through your server room and office to identify every piece of removable and fixed storage media, including HDDs, SSDs, USB drives, backup tapes, and SD cards. Create a manual asset register that records serial numbers, physical location, and the current custodian.
Minimum Requirement: A master spreadsheet or database listing every physical storage device by serial number and owner.
2. Implement Strict Media Labelling
Control Requirement: Media must be labelled according to its classification level. Required Implementation Step: Purchase a physical label maker and apply classification stickers (e.g., ‘Confidential’, ‘Restricted’) to all removable media. Ensure the label clearly identifies the sensitivity of the data contained within so that any employee finding the device immediately knows the handling requirements.
Minimum Requirement: All backup tapes and portable drives physically marked with a classification label.
3. Enforce Full-Disk Encryption (FDE) by Default
Control Requirement: Media must be protected against unauthorised access. Required Implementation Step: Open Group Policy Management (or your MDM console) and configure BitLocker (Windows) or FileVault (macOS) as mandatory. Ensure encryption keys (including recovery keys) are escrowed in a secure, central Key Management System (KMS) and never stored locally on the device or in a plain-text file.
Minimum Requirement: Technical verification that 100% of portable storage media is encrypted at rest using AES-256.
4. Secure Physical Media Storage
Control Requirement: Media must be protected from physical damage and theft. Required Implementation Step: Install a fire-rated, biometric or key-locked safe for the storage of inactive media and backup tapes. Do not leave USB drives or external HDDs on desks; they must be locked away at the end of every working day.
Minimum Requirement: A locked, fireproof cabinet dedicated to storage media with a signed access log.
5. Control Media Transportation and Transit
Control Requirement: Media must be protected during transit outside the organisation’s premises. Required Implementation Step: Use tamper-evident bags or locked transit cases when moving physical media between sites. If using a courier, verify their security credentials and require a signed ‘Chain of Custody’ form for every handover.
Minimum Requirement: A logbook documenting every time media leaves the site, including courier details and tracking numbers.
6. Define a Secure Destruction Procedure
Control Requirement: Media no longer required must be disposed of securely. Required Implementation Step: Create a formal ‘Media Sanitisation Standard’. Define specific methods for different media types: physical shredding for SSDs (which cannot be reliably sanitised by overwriting, because wear levelling and over-provisioned blocks are not addressable by the host), degaussing for magnetic tapes, and cryptographic erasure for encrypted drives.
Minimum Requirement: A documented policy specifying the technical method of destruction for each media category.
7. Execute On-Site Media Sanitisation
Control Requirement: Data must be unrecoverable before the media leaves the organisation’s control. Required Implementation Step: Use a hardware-based ‘wiper’ or certified software (e.g., Blancco) to perform a multi-pass overwrite of all sectors on any magnetic drive intended for reuse or disposal (SSDs follow the shredding or cryptographic erasure path defined in step 6). Ensure the process generates a technical report verifying that the wipe was successful.
Minimum Requirement: Technical logs proving the successful sanitisation of media prior to disposal or recycling.
8. Obtain Certificates of Destruction
Control Requirement: Disposal by third parties must be verified. Required Implementation Step: If using an external shredding service, you must physically witness the destruction or receive an individual Certificate of Destruction for every serialised item. This certificate must be cross-referenced against your internal asset register.
Minimum Requirement: A folder containing serial-matched Certificates of Destruction from an accredited vendor.
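The serial-number cross-reference that steps 6 and 8 call for can be automated against an exported asset register. The following is an added example, not part of the checklist or any GRC product: the register rows, certificate rows and the per-media-type method table are constructed sample data, and the finding categories are an assumed structure an auditor might use.

```python
# Added example (not from the checklist); register rows, certificates and the
# method table below are constructed sample data.
from collections import namedtuple
Asset = namedtuple("Asset", "serial media_type custodian status")  # status: in-use|stored|disposed
Certificate = namedtuple("Certificate", "serial vendor method")

# Assumed Media Sanitisation Standard (step 6): acceptable destruction method per media type.
PERMITTED_METHODS = {
    "ssd": {"shred"},                      # overwriting is unreliable on SSDs
    "tape": {"degauss"},
    "hdd": {"overwrite", "crypto-erase"},
    "usb": {"shred", "crypto-erase"},
}

def norm(serial):
    """Normalise serial formatting so 'sn-0001 ' and 'SN0001' match the same device."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())
def reconcile(register, certificates):
    """Cross-reference certificates against the register and return findings by type."""
    certs = {norm(c.serial): c for c in certificates}
    known = {norm(a.serial): a for a in register}
    findings = {"disposed_without_certificate": [], "certificate_for_live_asset": [],
                "wrong_method": [], "certificate_for_unknown_serial": []}
    for key, asset in known.items():
        cert = certs.get(key)
        if asset.status == "disposed" and cert is None:
            findings["disposed_without_certificate"].append(asset.serial)
        elif cert is not None and asset.status != "disposed":
            findings["certificate_for_live_asset"].append(asset.serial)  # register still shows it live
        elif cert is not None and cert.method not in PERMITTED_METHODS.get(asset.media_type, set()):
            findings["wrong_method"].append((asset.serial, asset.media_type, cert.method))
    for key, cert in certs.items():
        if key not in known:  # vendor certified a serial that was never inventoried
            findings["certificate_for_unknown_serial"].append(cert.serial)
    return findings

SAMPLE_REGISTER = [
    Asset("SN-0001", "ssd", "alice", "disposed"),
    Asset("SN-0002", "tape", "backup-team", "disposed"),
    Asset("SN-0003", "hdd", "bob", "disposed"),
    Asset("SN-0004", "usb", "carol", "in-use"),
]
SAMPLE_CERTS = [
    Certificate("sn0001 ", "ShredCo", "shred"),      # matches SN-0001 despite formatting
    Certificate("SN-0002", "ShredCo", "overwrite"),  # tape must be degaussed per the standard
    Certificate("SN-0004", "ShredCo", "shred"),      # register still says in-use
    Certificate("SN-9999", "ShredCo", "shred"),      # serial never in the register
]

def sample_findings():
    return reconcile(SAMPLE_REGISTER, SAMPLE_CERTS)
```

Any non-empty finding list is an audit gap: a disposed device with no matching certificate, a certificate for a device the register still shows as live, a method that breaches the sanitisation standard, or a vendor certificate for a serial that was never inventoried.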
9. Audit USB Port Usage and Authorisation
Control Requirement: Unauthorised use of storage media must be prevented. Required Implementation Step: Configure your Endpoint Detection and Response (EDR) tool to block all USB mass storage devices by default. Create an exception process where only company-issued, encrypted drives are ‘whitelisted’ for specific users.
Minimum Requirement: System logs showing ‘Access Denied’ for unapproved removable storage devices.
10. Conduct Quarterly Media Integrity Audits
Control Requirement: The effectiveness of media management must be reviewed. Required Implementation Step: Perform a ‘Spot Check’ every three months. Randomly select five items from your media inventory and require the custodian to physically present them within 10 minutes. If an item is missing, trigger the formal Incident Response procedure immediately.
Minimum Requirement: Quarterly audit reports signed by the CISO verifying the physical presence of sampled media.
ISO 27001 Annex A 7.8 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Physical Inventory | Ticking a box that says “Inventory is maintained.” | GRC tools don’t have eyes. If a developer has a 2TB drive in their drawer that isn’t on your list, you are non-compliant. |
| Media Labelling | Uploading a PDF of the ‘Labelling Policy.’ | Labels belong on the hardware, not in the cloud. A digital policy cannot be seen by someone who finds a dropped USB drive. |
| Secure Disposal | Recording that you use a “Certified Disposal Vendor.” | Did the vendor actually shred your drive? Without serial-number matching on the certificate, you have no proof. |
| Chain of Custody | Attesting that “couriers are secure.” | If a driver leaves the backup tapes in an unlocked van, the GRC dashboard won’t turn red. Real security is in the physical escort. |
| USB Blocking | Checking a box for “Endpoint Security active.” | Does it actually work on Linux machines or legacy servers? Only a physical test of the port provides assurance. |
| Sanitisation Verification | Assuming “formatting” a drive is sufficient. | Standard formatting leaves data recoverable. You need forensic-level sanitisation logs, which GRC tools rarely ingest. |
| Key Management | Storing BitLocker keys in the GRC tool. | If the GRC platform is compromised, every drive in your company is now unlocked. Keys must stay in a hardened KMS. |
| Physical Audit | Assigning a “Task” to a manager to check the safe. | Managers often click “Done” without looking. Only a physical audit with serial number verification counts. |