In this ultimate how-to implementation guide to ISO 27001 Annex A 7.8 Storage Media, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Establish a Physical Media Inventory
- 2. Implement Strict Media Labelling
- 3. Enforce Full-Disk Encryption (FDE) by Default
- 4. Secure Physical Media Storage
- 5. Control Media Transportation and Transit
- 6. Define a Secure Destruction Procedure
- 7. Execute On-Site Media Sanitisation
- 8. Obtain Certificates of Destruction
- 9. Audit USB Port Usage and Authorisation
- 10. Conduct Quarterly Media Integrity Audits
- ISO 27001 Annex A 7.8 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 7.8 Storage Media is a critical security requirement: it demands end-to-end management of physical and digital data carriers. The primary implementation requirement is to establish strict lifecycle controls, from secure inventorying and encryption through to forensic destruction; the business benefit is reduced data breach risk and demonstrable regulatory compliance.
ISO 27001 Annex A 7.8 Storage Media Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.8. This control mandates the secure management of storage media throughout its life cycle, from acquisition and usage to transportation and final disposal, to prevent unauthorised disclosure, modification, or removal of organisational data.
1. Establish a Physical Media Inventory
Control Requirement: All storage media must be accounted for and tracked.
Required Implementation Step: Walk through your server room and office to identify every piece of removable and fixed storage media, including HDDs, SSDs, USB drives, backup tapes, and SD cards. Create a manual asset register that records serial numbers, physical location, and the current custodian.
Minimum Requirement: A master spreadsheet or database listing every physical storage device by serial number and owner.
2. Implement Strict Media Labelling
Control Requirement: Media must be labelled according to its classification level.
Required Implementation Step: Purchase a physical label maker and apply classification stickers (e.g., ‘Confidential’, ‘Restricted’) to all removable media. Ensure the label clearly identifies the sensitivity of the data contained within, so that any employee finding the device immediately knows the handling requirements.
Minimum Requirement: All backup tapes and portable drives physically marked with a classification label.
3. Enforce Full-Disk Encryption (FDE) by Default
Control Requirement: Media must be protected against unauthorised access.
Required Implementation Step: Open Group Policy Management (or your MDM console) and configure BitLocker (Windows) or FileVault (macOS) to be mandatory. Ensure encryption keys are stored in a secure, central Key Management System (KMS) and not locally on the device or in a plain-text file.
Minimum Requirement: Technical verification that 100% of portable storage media is encrypted at rest using AES-256.
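As an added worked example (not the toolkit's code and not an ISO artefact), the Python script below models the evidence steps 1 to 3 call for: a register keyed by serial number with location and custodian (step 1), a classification label on every piece of removable media (step 2), and AES-256 encryption at rest with the key escrowed to a central KMS (step 3). It reconciles the register against serials seen on a physical walkthrough and reports the portable-media encryption coverage the minimum requirement asks for. The set of media types treated as removable, the four-level classification scheme and every register entry are assumed or constructed for illustration.

```python
"""Storage-media register audit for ISO 27001 Annex A 7.8 steps 1-3.

Added example, not the author's toolkit or an ISO artefact. All media types,
labels and register records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed grouping of media types the checklist treats as removable/portable.
REMOVABLE_TYPES = {"usb", "sd", "tape", "external-hdd", "external-ssd"}
# Assumed classification scheme; the page itself only names two labels.
VALID_LABELS = {"Public", "Internal", "Confidential", "Restricted"}
REQUIRED_CIPHER = "AES-256"  # the minimum requirement for portable media


@dataclass(frozen=True)
class MediaItem:
    serial: str
    media_type: str            # "usb", "tape", "ssd", ...
    location: str              # physical location recorded on the walkthrough
    custodian: str             # current custodian / owner
    label: Optional[str]       # classification sticker text, None if unlabelled
    encryption: Optional[str]  # cipher in use at rest, None if unencrypted
    key_in_kms: bool           # True when the key/recovery key is held centrally


def build_register(items: Iterable[MediaItem]) -> Dict[str, MediaItem]:
    """Index media by serial number; a duplicate serial is a register error."""
    register: Dict[str, MediaItem] = {}
    for item in items:
        if item.serial in register:
            raise ValueError(f"duplicate serial in register: {item.serial}")
        register[item.serial] = item
    return register


def is_removable(item: MediaItem) -> bool:
    return item.media_type in REMOVABLE_TYPES


def unlabelled_removable(register: Dict[str, MediaItem]) -> List[str]:
    """Step 2: removable media carrying no valid classification label."""
    return sorted(s for s, i in register.items()
                  if is_removable(i) and i.label not in VALID_LABELS)


def unencrypted_portable(register: Dict[str, MediaItem]) -> List[str]:
    """Step 3: portable media not encrypted at rest with the required cipher."""
    return sorted(s for s, i in register.items()
                  if is_removable(i) and i.encryption != REQUIRED_CIPHER)


def keys_not_escrowed(register: Dict[str, MediaItem]) -> List[str]:
    """Step 3: encrypted media whose key is held locally, not in the KMS."""
    return sorted(s for s, i in register.items()
                  if i.encryption is not None and not i.key_in_kms)


def encryption_coverage(register: Dict[str, MediaItem]) -> float:
    """Percentage of portable media meeting the AES-256 + KMS minimum."""
    portable = [i for i in register.values() if is_removable(i)]
    if not portable:
        return 100.0
    ok = sum(1 for i in portable
             if i.encryption == REQUIRED_CIPHER and i.key_in_kms)
    return round(100.0 * ok / len(portable), 1)


def reconcile(register: Dict[str, MediaItem],
              discovered_serials: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Step 1: compare the register with serials seen on a walkthrough.

    Returns (unregistered, missing): media found but absent from the register,
    and registered media that was not found where the register says it is.
    """
    seen, known = set(discovered_serials), set(register)
    return sorted(seen - known), sorted(known - seen)


def audit_report(register: Dict[str, MediaItem],
                 discovered_serials: Iterable[str]) -> Dict[str, object]:
    """Summarise every finding an auditor would ask to see for steps 1-3."""
    unregistered, missing = reconcile(register, discovered_serials)
    return {
        "unregistered": unregistered,
        "missing": missing,
        "unlabelled": unlabelled_removable(register),
        "unencrypted_portable": unencrypted_portable(register),
        "keys_not_escrowed": keys_not_escrowed(register),
        "portable_encryption_coverage_pct": encryption_coverage(register),
    }


# Constructed sample register (serials, people and locations are fictitious).
SAMPLE_ITEMS = [
    MediaItem("SN-USB-001", "usb", "Safe A, floor 2", "j.doe", "Confidential", "AES-256", True),
    MediaItem("SN-USB-002", "usb", "Desk 14", "a.smith", None, "AES-256", True),
    MediaItem("SN-TAPE-007", "tape", "Offsite vault", "backup-team", "Restricted", None, False),
    MediaItem("SN-SSD-100", "ssd", "Server rack R1", "infra", "Internal", "AES-256", False),
    MediaItem("SN-USB-003", "usb", "Desk 3", "m.lee", "Restricted", "AES-128", True),
    MediaItem("SN-USB-009", "usb", "Desk 9", "k.wong", "Confidential", "AES-256", True),
]
SAMPLE_REGISTER = build_register(SAMPLE_ITEMS)
# Serials actually found on the walkthrough: one unknown SD card turned up and
# SN-USB-009 was not where the register says it should be.
WALKTHROUGH_SERIALS = ["SN-USB-001", "SN-USB-002", "SN-TAPE-007",
                       "SN-SSD-100", "SN-USB-003", "SN-SD-042"]

if __name__ == "__main__":
    for key, value in audit_report(SAMPLE_REGISTER, WALKTHROUGH_SERIALS).items():
        print(f"{key}: {value}")
```

On the sample data the report flags the unlabelled USB stick, the unencrypted backup tape and the AES-128 drive, the server SSD whose key is not escrowed, the undocumented SD card, and the registered drive that could not be found; portable coverage comes out at 60%, well short of the 100% the minimum requirement demands. Replacing the constructed list with an export of your real register (spreadsheet or CMDB) turns the same functions into the evidence pack for the audit.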

