4. Media Inventory and Tracking Integrity Verified

Verification Criteria: The organisation maintains a record of sensitive physical media, including its current location and the identity of the person responsible for its custody. Required Evidence: Physical Media Register or Asset Log containing serial numbers and custody trails for backup tapes, encrypted drives, or optical media.

5. Secure Media Storage Facilities Confirmed

Verification Criteria: Unused or archived storage media is housed in a secure, environmentally controlled environment with restricted access. Required Evidence: Physical sighting of a fire-rated safe or locked media cabinet with a restricted access control list (ACL).

6. Media Disposal and Sanitisation Procedures Validated

Verification Criteria: Storage media is securely disposed of or sanitised using verified technical methods when no longer required, in accordance with the data classification. Required Evidence: Certificates of Destruction from a certified vendor or internal sanitisation logs using NIST 800-88 compliant software.

7. Physical Protection of Media in Transit Verified

Verification Criteria: Measures are in place to protect physical media from unauthorised access, tampering, or damage during transit between sites. Required Evidence: Use of locked transit containers, GPS-tracked couriers, and signed "Chain of Custody" transfer logs.

8. Media Labelling and Classification Confirmed

Verification Criteria: Physical media is clearly labelled to indicate its sensitivity level, ensuring handlers are aware of the required protection standards. Required Evidence: Physical inspection of sampled media (e.g. backup tapes) for classification labels (e.g. "Confidential" or "Restricted").

9. Reusable Media Sanitisation Verification Confirmed

Verification Criteria: Media intended for reuse outside the original secure environment is verified as being completely clear of previous data. Required Evidence: Technical verification reports showing "Zero-fill" or "Wipe Verification" success for drives being repurposed or returned to a lessor.

10. Management Review of Media Security Events Verified

Verification Criteria: Any incidents involving the loss, theft, or unauthorised access of storage media are formally reviewed by management to improve controls. Required Evidence: Incident reports cross-referenced with Management Review Meeting (MRM) minutes showing Root Cause Analysis of media-related breaches.

ISO 27001 Annex A 7.10 Audit Checklist [+ Templates]

Q: 1. Media Handling Policy Formalisation Verified

Verification Criteria: A documented policy exists defining the mandatory security requirements for the management of storage media, including removable types. Required Evidence: Approved "Media Handling Policy" or "Removable Media Standard" with explicit version control and management sign-off.

Q: 2. Removable Media Usage Restrictions Confirmed

Verification Criteria: Technical or organisational controls are in place to restrict the use of unauthorised removable media (e.g. USB drives, external HDDs) on corporate endpoints. Required Evidence: GPO configuration reports or Endpoint Detection and Response (EDR) settings showing USB port blocking or "Read-Only" enforcement.

Q: 3. Cryptographic Protection of Removable Media Validated

Verification Criteria: Mandatory encryption is enforced for all sensitive data stored on removable media to prevent unauthorised access in the event of loss or theft. Required Evidence: Technical configuration logs showing BitLocker-to-Go, FileVault, or equivalent encryption enforcement for external storage devices.

In this ultimate how to audit guide to ISO 27001 Annex A 7.10 Storage Media, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 7.10 Storage Media Audit Checklist

ISO 27001 Annex A 7.10 Storage Media Audit Checklist

Auditing ISO 27001 Annex A 7.10 Storage Media is the technical verification of the full lifecycle management of physical and removable assets. The Primary Implementation Requirement is the enforcement of encryption and secure sanitisation, ensuring the Business Benefit of preventing data breaches from lost, stolen, or decommissioned storage media.

This technical verification tool is designed for lead auditors to establish the security integrity of information stored on removable and physical media throughout its lifecycle. Use this checklist to validate compliance with ISO 27001 Annex A 7.10.

1. Media Handling Policy Formalisation Verified

Verification Criteria: A documented policy exists defining the mandatory security requirements for the management of storage media, including removable types.

Required Evidence: Approved “Media Handling Policy” or “Removable Media Standard” with explicit version control and management sign-off.

Pass/Fail Test: If the organisation cannot produce a formal policy that defines how storage media is classified, handled, and protected, mark as Non-Compliant.

2. Removable Media Usage Restrictions Confirmed

Verification Criteria: Technical or organisational controls are in place to restrict the use of unauthorised removable media (e.g. USB drives, external HDDs) on corporate endpoints.

Required Evidence: GPO configuration reports or Endpoint Detection and Response (EDR) settings showing USB port blocking or “Read-Only” enforcement.

Pass/Fail Test: If any corporate laptop allows the unencrypted transfer of sensitive data to an unmanaged personal USB drive, mark as Non-Compliant.

3. Cryptographic Protection of Removable Media Validated

Verification Criteria: Mandatory encryption is enforced for all sensitive data stored on removable media to prevent unauthorised access in the event of loss or theft.

Required Evidence: Technical configuration logs showing BitLocker-to-Go, FileVault, or equivalent encryption enforcement for external storage devices.

Pass/Fail Test: If an active removable media device containing confidential organisational data is found to be unencrypted, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

How to Audit ISO 27001 Annex A 7.10: Storage Media

Table of contents

ISO 27001 Annex A 7.10 Storage Media Audit Checklist

1. Media Handling Policy Formalisation Verified

2. Removable Media Usage Restrictions Confirmed

3. Cryptographic Protection of Removable Media Validated