Auditing ISO 27001 Annex A 7.10 Storage Media is the technical verification of lifecycle management for physical and removable storage assets. The primary implementation requirement is the enforcement of encryption and secure sanitisation; the business benefit is preventing data breaches from lost, stolen, or decommissioned storage media.
ISO 27001 Annex A 7.10 Storage Media Audit Checklist
This technical verification tool is designed for lead auditors to establish the security integrity of information stored on removable and physical media throughout its lifecycle. Use this checklist to validate compliance with ISO 27001 Annex A 7.10.
1. Media Handling Policy Formalisation Verified
Verification Criteria: A documented policy exists defining the mandatory security requirements for the management of storage media, including removable types.
Required Evidence: Approved “Media Handling Policy” or “Removable Media Standard” with explicit version control and management sign-off.
Pass/Fail Test: If the organisation cannot produce a formal policy that defines how storage media is classified, handled, and protected, mark as Non-Compliant.
2. Removable Media Usage Restrictions Confirmed
Verification Criteria: Technical or organisational controls are in place to restrict the use of unauthorised removable media (e.g. USB drives, external HDDs) on corporate endpoints.
Required Evidence: GPO configuration reports or Endpoint Detection and Response (EDR) settings showing USB port blocking or “Read-Only” enforcement.
Pass/Fail Test: If any corporate laptop allows the unencrypted transfer of sensitive data to an unmanaged personal USB drive, mark as Non-Compliant.
3. Cryptographic Protection of Removable Media Validated
Verification Criteria: Mandatory encryption is enforced for all sensitive data stored on removable media to prevent unauthorised access in the event of loss or theft.
Required Evidence: Technical configuration logs showing BitLocker-to-Go, FileVault, or equivalent encryption enforcement for external storage devices.
Pass/Fail Test: If an active removable media device containing confidential organisational data is found to be unencrypted, mark as Non-Compliant.
4. Media Inventory and Tracking Integrity Verified
Verification Criteria: The organisation maintains a record of sensitive physical media, including its current location and the identity of the person responsible for its custody.
Required Evidence: Physical Media Register or Asset Log containing serial numbers and custody trails for backup tapes, encrypted drives, or optical media.
Pass/Fail Test: If a sampled backup tape or encrypted drive listed in the inventory cannot be physically located or its custody accounted for, mark as Non-Compliant.
5. Secure Media Storage Facilities Confirmed
Verification Criteria: Unused or archived storage media is housed in a secure, environmentally controlled facility with restricted access.
Required Evidence: Physical sighting of a fire-rated safe or locked media cabinet with a restricted access control list (ACL).
Pass/Fail Test: If sensitive backup media is found stored in an unlocked desk drawer or an unmonitored general office area, mark as Non-Compliant.
6. Media Disposal and Sanitisation Procedures Validated
Verification Criteria: Storage media is securely disposed of or sanitised using verified technical methods when no longer required, in accordance with the data classification.
Required Evidence: Certificates of Destruction from a certified vendor or internal sanitisation logs using NIST 800-88 compliant software.
Pass/Fail Test: If storage media is decommissioned or sent for recycling without a documented cryptographic erase or physical destruction record, mark as Non-Compliant.
7. Physical Protection of Media in Transit Verified
Verification Criteria: Measures are in place to protect physical media from unauthorised access, tampering, or damage during transit between sites.
Required Evidence: Use of locked transit containers, GPS-tracked couriers, and signed “Chain of Custody” transfer logs.
Pass/Fail Test: If sensitive media is transported by unvetted personnel in unsealed containers without a recorded handover, mark as Non-Compliant.
8. Media Labelling and Classification Confirmed
Verification Criteria: Physical media is clearly labelled to indicate its sensitivity level, ensuring handlers are aware of the required protection standards.
Required Evidence: Physical inspection of sampled media (e.g. backup tapes) for classification labels (e.g. “Confidential” or “Restricted”).
Pass/Fail Test: If a device containing highly sensitive PII lacks any visual indicator of its classification or handling requirements, mark as Non-Compliant.
9. Reusable Media Sanitisation Verification Confirmed
Verification Criteria: Media intended for reuse outside the original secure environment is verified as completely free of previous data.
Required Evidence: Technical verification reports showing “Zero-fill” or “Wipe Verification” success for drives being repurposed or returned to a lessor.
Pass/Fail Test: If a laptop or server drive is repurposed for a different department without a verified data wipe, mark as Non-Compliant.
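The "Wipe Verification" evidence in items 6 and 9 is only meaningful if someone actually reads the media back. The following script is an added example, not part of the checklist or any vendor tool: it reads a raw drive image in bounded chunks and reports every run of bytes that differs from the expected fill pattern. It assumes (nothing on the page states this) that the auditor holds a raw image of the decommissioned drive and that the organisation's standard is a single-pass 0x00 overwrite. Two images are constructed inline to show why a quick format is not sanitisation: formatting rewrites the filesystem metadata area while the file's own blocks remain readable.

```python
"""Zero-fill verification for a drive image (added example; not from the checklist).

Assumptions, none of which are stated on the page: the auditor holds a raw image
of the decommissioned drive (captured with a write-blocker and imaging tool) and
the organisation's sanitisation standard is a single-pass 0x00 overwrite. Two
images are constructed below to show why "formatting is not sanitisation".
"""
import io
from dataclasses import dataclass

CHUNK = 64 * 1024  # read in bounded chunks so multi-TB images do not exhaust memory


@dataclass
class WipeReport:
    total_bytes: int
    residual_bytes: int   # bytes that differ from the fill pattern
    dirty_regions: list   # (offset, length) runs of residual data, first few only

    @property
    def sanitised(self) -> bool:
        return self.residual_bytes == 0


def verify_fill(stream, pattern: int = 0x00, max_regions: int = 16) -> WipeReport:
    """Read the whole image and record every run of bytes that is not `pattern`.

    Runs may span chunk boundaries. Only the first `max_regions` runs are kept
    for the report; the residual byte count always covers the whole image.
    """
    total = residual = offset = 0
    regions = []
    run_start = None
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        total += len(chunk)
        if chunk.count(pattern) == len(chunk):   # fast path: chunk is entirely clean
            if run_start is not None:            # a run from the previous chunk ends here
                regions.append((run_start, offset - run_start))
                run_start = None
        else:
            for i, b in enumerate(chunk):
                if b != pattern:
                    residual += 1
                    if run_start is None:
                        run_start = offset + i
                elif run_start is not None:
                    regions.append((run_start, offset + i - run_start))
                    run_start = None
        offset += len(chunk)
    if run_start is not None:                    # run reached the end of the image
        regions.append((run_start, offset - run_start))
    return WipeReport(total, residual, regions[:max_regions])


# ---- Constructed images (illustration only) ---------------------------------
SIZE = 1 << 20   # 1 MiB constructed image
META = 4096      # filesystem metadata area at the start of the image
FILE_DATA = b"CONFIDENTIAL: employee salary export 2023\n" * 50  # constructed file content


def image_in_service() -> bytes:
    """Drive as it was in use: filesystem header, then a sensitive file, then free space."""
    header = b"FSHDR".ljust(META, b"\x00")
    return header + FILE_DATA.ljust(SIZE - META, b"\x00")


def quick_format(image: bytes) -> bytes:
    """A quick format rewrites only the metadata area; the file's blocks are untouched."""
    return b"\x00" * META + image[META:]


def zero_fill(image: bytes) -> bytes:
    """Single-pass overwrite of every block with 0x00."""
    return b"\x00" * len(image)


def verify_image_bytes(image: bytes) -> WipeReport:
    return verify_fill(io.BytesIO(image))


def verify_image_file(path: str) -> WipeReport:
    """Verify a raw image on disk (e.g. one produced by a forensic imager)."""
    with open(path, "rb") as f:
        return verify_fill(f)


if __name__ == "__main__":
    for label, img in (("quick format", quick_format(image_in_service())),
                       ("zero fill", zero_fill(image_in_service()))):
        r = verify_image_bytes(img)
        verdict = "PASS" if r.sanitised else "FAIL"
        print(f"{label:13s} {verdict}  residual={r.residual_bytes} regions={r.dirty_regions}")
```

On the constructed data the quick-formatted image fails with 2,100 residual bytes in a single run starting at offset 4096 (the file's blocks), while the zero-filled image passes. A read-back of zeros proves sanitisation of the logical blocks only: on flash media with wear levelling and over-provisioning, blocks the controller has retired are not visible to this check, which is why NIST 800-88 treats cryptographic erase or physical destruction as the purge methods for such media.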
10. Management Review of Media Security Events Verified
Verification Criteria: Any incidents involving the loss, theft, or unauthorised access of storage media are formally reviewed by management to improve controls.
Required Evidence: Incident reports cross-referenced with Management Review Meeting (MRM) minutes showing Root Cause Analysis of media-related breaches.
Pass/Fail Test: If a media-related incident (e.g. a lost encrypted USB) occurred but was not escalated for management review or trend analysis, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Removable Media Control | Tool records “Policy.pdf” as evidence of control. | Verify the Technical Constraint. An auditor must see the MDM/GPO policy actually blocking unauthorised PIDs/VIDs. |
| Media Encryption | Platform marks “Pass” based on a survey response from IT. | Demand a Random Sample Check. Verify the encryption status of 3 active USB drives currently in use. |
| Secure Disposal | Tool identifies a “Vendor Contract” as proof of sanitisation. | Verify the Certificate. A contract doesn’t prove that this specific drive with Serial X was destroyed. |
| Chain of Custody | SaaS tool assumes digital data flows only. | Check the Logbook. GRC tools miss physical backup tapes. Auditors must verify physical signatures for off-site rotation. |
| Inventory Accuracy | Tool identifies “Media” as a generic asset category. | Verify Serial Numbers. If the safe contains 10 tapes but the register lists 8, the tracking system is a failure. |
| Sanitisation Standards | Platform assumes “Formatting” a drive is sufficient. | Verify the Methodology. Formatting is not sanitisation. Demand NIST 800-88 or HMG IS5 compliant wipe logs. |
| Physical Storage | Tool marks “Safe” as an asset and assumes it’s locked. | Check the Latch. Physical security is often bypassed by leaving keys in locks or safes propped open. |
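The "Inventory Accuracy" and "Chain of Custody" rows above, and items 4 and 7 of the checklist, all come down to the same reconciliation: does the register agree with what is physically in the safe, and does every movement have two signatures? The script below is an added example, not part of the checklist or any GRC platform. It assumes (this is not stated on the page) that the Physical Media Register and the Chain of Custody log are exported as CSV with the columns shown, and that the auditor records the serial numbers actually sighted in one safe. The register, custody log and sighting list are constructed inline.

```python
"""Register-versus-safe reconciliation with chain-of-custody checks (added example;
not from the checklist).

Assumptions, constructed for illustration and not stated on the page: the Physical
Media Register and the Chain of Custody log are exported as CSV with the columns
shown, and the auditor records the serial numbers physically sighted in one safe.
"""
import csv
import io
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "serial code detail")

# Constructed Physical Media Register export.
REGISTER_CSV = """serial,media_type,classification,location,custodian
LTO-0001,LTO-8 tape,Confidential,HQ safe,A. Patel
LTO-0002,LTO-8 tape,Confidential,HQ safe,A. Patel
LTO-0003,LTO-8 tape,Restricted,DR site,J. Okoro
USB-0010,Encrypted USB,Confidential,HQ safe,M. Chen
"""

# Constructed Chain of Custody log: one row per handover; both signatures are required.
CUSTODY_CSV = """serial,date,from_site,to_site,released_by,received_by
LTO-0003,2024-03-01,HQ safe,DR site,A. Patel,J. Okoro
LTO-0002,2024-03-08,HQ safe,DR site,A. Patel,
USB-0010,2024-03-10,HQ safe,DR site,M. Chen,J. Okoro
"""

# Serials the auditor physically sighted in the HQ safe (constructed).
HQ_SAFE_SIGHTED = ["LTO-0001", "LTO-0004"]


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(register_csv, custody_csv, site, sighted):
    """Return findings for one site: unsigned handovers, stale register entries,
    media missing from the site, and media present but unregistered."""
    register = {r["serial"]: r for r in load(register_csv)}
    custody = defaultdict(list)
    for move in load(custody_csv):
        custody[move["serial"]].append(move)
    sighted = set(sighted)
    findings = []

    for serial, rec in register.items():
        moves = sorted(custody.get(serial, []), key=lambda m: m["date"])
        for m in moves:
            if not m["released_by"].strip() or not m["received_by"].strip():
                findings.append(Finding(serial, "UNSIGNED_HANDOVER",
                                        f"{m['date']} {m['from_site']} -> {m['to_site']} lacks a signature"))
        # The last handover in the log is where the register should say the item is.
        last_site = moves[-1]["to_site"] if moves else rec["location"]
        if last_site != rec["location"]:
            findings.append(Finding(serial, "REGISTER_STALE",
                                    f"register says {rec['location']}, custody log ends at {last_site}"))
        if rec["location"] == site and serial not in sighted:
            findings.append(Finding(serial, "MISSING_FROM_SITE",
                                    f"listed at {site} (custodian {rec['custodian']}) but not sighted"))

    for serial in sorted(sighted - set(register)):
        findings.append(Finding(serial, "UNREGISTERED",
                                f"sighted at {site} but absent from the register"))
    return findings


if __name__ == "__main__":
    for f in reconcile(REGISTER_CSV, CUSTODY_CSV, "HQ safe", HQ_SAFE_SIGHTED):
        print(f"{f.serial:9s} {f.code:18s} {f.detail}")
```

On the constructed data the register and the safe disagree in both directions: LTO-0002 and USB-0010 are listed at the HQ safe but are not there, and LTO-0004 is in the safe but on no register. The custody log explains part of it (both were signed out to the DR site, so the register was never updated) and exposes a further failure (LTO-0002's handover has no receiving signature). Each finding maps to a Non-Compliant outcome under item 4 or item 7; none of them is visible to a tool that records "Media" as a generic asset category.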