In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.10 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 7.10 Storage Media
ISO 27001 Annex A 7.10 requires organizations to manage the entire lifecycle of storage media from acquisition and use to transportation and final disposal. While it covers internal server drives, its primary focus is on Removable Media (USBs, portable hard drives, and even paper), which are high-risk assets due to how easily they can be lost, stolen, or used to introduce malware. The goal is to ensure that sensitive data on these media remains confidential and is never disclosed to unauthorised parties.
Core requirements for compliance include:
- Full Lifecycle Management: You must track storage media from the moment it is purchased until the moment it is destroyed. This includes documenting who has the device and what classification of data it contains.
- The “USB Ban” Trend: For modern compliance, many organizations now choose to technically block all personal USB ports via Endpoint Management (like Microsoft Intune) to prevent data leakage.
- Mandatory Encryption: Any removable media allowed for business use must be encrypted. If a corporate USB stick is found in a parking lot, the data should be unreadable without the encryption key.
- Secure Physical Transport: If you are moving physical backup tapes or hard drives between sites, you must use secure couriers and tamper-evident packaging.
- Professional Destruction: When a drive or a pile of sensitive paper reaches end-of-life, you must use a certified destruction service that provides a Certificate of Destruction.
Audit Focus: Auditors will look for “The Cupboard of Shame”:
- Inventory Check: “Show me your list of all company-issued encrypted USB drives.”
- The Live Test: They may try to plug a random USB into an employee’s laptop to see if it is blocked or if it prompts for encryption.
- End-of-Life Proof: “Show me the destruction receipts for the old server hard drives you replaced last quarter.”
Removable Media Control Matrix (Audit Cheat Sheet):
| Media Type | Status | Required Control |
| Corporate USBs | Allowed | Must be BitLocker or Hardware Encrypted. |
| Personal USBs | BANNED | Blocked via Endpoint Policy (Intune/Jamf). |
| External HDDs | Restricted | Requires an approved IT Support ticket & justification. |
| Optical (CD/DVD) | Read-Only | “Burn” functions disabled on all standard laptops. |
Table of Contents
- What is ISO 27001 Annex A 7.10?
- ISO 27001 Annex A 7.10 Free Training Video
- ISO 27001 Annex A 7.10 Explainer Video
- ISO 27001 Annex A 7.10 Podcast
- How to implement ISO 27001 Annex A 7.10
- Removable Media Control Matrix
- How to comply
- Top 3 ISO 27001 Annex A 7.10 mistakes and how to avoid them
- Fast Track Compliance with the ISO 27001 Toolkit
- Related ISO 27001 Controls
What is ISO 27001 Annex A 7.10?
The focus for this ISO 27001 Control is the lifecycle of storage media. As one of the ISO 27001 controls this is about managing media based on classification through to its final destruction.
ISO 27001 Annex A 7.10 Storage Media is an ISO 27001 control that looks to protect storage media.
ISO 27001 Annex A 7.10 Purpose
The purpose of ISO 27001 Storage Media is to ensure only authorised disclosure, modification, removal or destruction of information on storage media.
ISO 27001 Annex A 7.10 Definition
The ISO 27001 standard defines ISO 27001 Annex A 7.10 as:
Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisations classification scheme and handling requirements.
ISO 27001:2022 Annex A 7.10 Storage Media
ISO 27001 Annex A 7.10 Free Training Video
In the video ISO 27001 Storage Media Explained – ISO27001:2022 Annex A 7.10 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 7.10 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 7.10 Storage Media, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement in and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 7.10 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.10 Storage Media. The podcast explores what it is, why it is important and the path to compliance.
How to implement ISO 27001 Annex A 7.10
General Guidance
There is one thing that people don’t really trust like they used to, and that is external storage media. This control is looking at all types of storage media with a particular focus on removable / external storage media.
Let us first look in general terms before we give some attention to removable media and its particular challenges.
ISO 27001 Information Security Classification and Handling Policy
You will want a policy in place on Data Classification and Handling that will cover storage media, for example the Information Security Classification and Handling Policy. This is to set out and communicate what the expectations are that you have of people.
Lifecycle Management Process
Then you are going to put in full lifecycle management of the storage media. Even if it comes bundled as part of other devices.
What this means in real terms is having a process for:
How you acquire storage media, where you acquire it from, how you configure it, if and how you encrypt it, how you use it, where you use it, who is responsible for it, how you monitor it, and at its end of life how you destroy it.
To all intents and purposes, storage media is an asset under asset management.
Reuse and destruction of storage media has its own requirements. Let’s not be just deleting stuff and then popping it on eBay. If you have to reuse it then securely destroy the data on it in a proper and professional way. If you have to destroy it, whilst hitting with a FBH ( fking big hammer ) can work wonders, ideally use a reputable outsourced destruction company that provides all the required paperwork and audit trails.
Removable Storage Media
In general terms you are going to implement a topic specific policy on the use and management of removable media. What this means is addressing it in one of your other policies. As long as it is covered you are fine.
Think here about what kind of media you will allow. What the process is for allowing it. That can be both a technical processes such as port lockdowns and / or administrative process such as approval and checking.
Physical security of removable storage is paramount. A no brainer when you think about it. It is harder to steal. Harder to track. Easier to lose. Implement controls based on risk and the classification of what the storage media contains.
One thing people often overlook is that media has life span and will degrade over time. There are approaches to having multiple copies and / or multiple storage technologies. All of this will really be driven by your data retention requirements but worth thinking about.
Paper
Finally paper is storage media. If you have it, risk assess it and control it based on risk and business need. Fewer and fewer organisations rely on paper these days but it is still out there. Usually in regulated industries. If you have it, don’t over look it.
Removable Media Control Matrix
| Media Type | Policy | Control Measure |
| Corporate USBs | Allowed (Encrypted) | Must be BitLocker/Hardware Encrypted. |
| Personal USBs | BANNED | Blocked via Endpoint Manager (Intune). |
| External Hard Drives | Restricted | Requires IT Approval ticket. |
| Optical (CD/DVD) | Read-Only | Disable “Burn” function. |
How to comply
To comply with ISO 27001 Annex A 7.10 Storage Media you are going to
- Train, educate, tell and communicate to people what is expected of them
- Have policies and procedures in place
- Assess your assets and perform a risk assessment
- Implement controls proportionate to the risk posed
- Test the controls that you have to make sure they are working
Top 3 ISO 27001 Annex A 7.10 mistakes and how to avoid them
The top 3 mistakes people make for ISO 27001 Annex A 7.10 Storage Media are
1. You have loads of hard drives in a cupboard
This is the number one mistake. Having computers, hard drives, old devices, paper archives that no one knows what they are, what is on them or why you have them either in a store room or worse case on someones desk. Get your asset management sorted. Get your house in order. Do your house keeping.
2. One or more members of your team haven’t done what they should have done
Prior to the audit check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Do you have an inventory of storage media? Is removable media managed, tracked and checked? Check!
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
Fast Track Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 7.10 (Storage media), the requirement is to manage storage media throughout its life cycle, acquisition, use, transportation, and disposal, in line with classification and handling rules. This control is heavily focused on removable media (USBs, external drives) and the secure destruction of data.
While SaaS compliance platforms often try to sell you “automated asset tracking” or complex “media registers,” they cannot actually physically encrypt a USB stick or oversee its destruction, they are merely a place to host your documentation. The High Table ISO 27001 Toolkit is the logical choice because it provides the governance layer that defines these rules, allowing you to manage your storage media effectively without a recurring subscription fee.
1. Ownership: You Own Your Media Policy Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your removable media rules and store your media inventory inside their proprietary system, you are essentially renting your own security standards.
- The Toolkit Advantage: You receive the Information Classification and Handling Policy and Removable Media Control Matrix in standard Word/Excel formats. These files are yours forever. You maintain permanent ownership of your standards (such as BitLocker requirements), ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for Real-World Assets
Annex A 7.10 is about managing physical media. You don’t need a complex new software interface to manage what your IT team or specialized destruction vendors (who provide physical certificates) already do.
- The Toolkit Advantage: Your team already knows which USBs are allowed. What they need is the governance layer to prove to an auditor that these are tracked, encrypted, and destroyed securely. The Toolkit provides pre-written policies and matrices (like the Removable Media Control Matrix) that formalize your existing technical work into an auditor-ready framework, without forcing your team to learn a new software platform.
3. Cost: A One-Off Fee vs. The “Asset Inventory” Tax
Many compliance SaaS platforms charge based on the number of “assets” you track. For a control that applies to every hard drive, USB, and backup tape in your organization, these monthly costs can scale aggressively.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you are managing 5 USB sticks or 5,000 hard drives, the cost of your Storage Media Documentation remains the same. You save your budget for actual encryption software or professional destruction services rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Hardware Strategy
SaaS tools often only integrate with a limited number of “standard” asset management systems. If you use specialized hardware or change your storage providers, the SaaS tool can become a barrier to technical flexibility.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can edit the Media Handling Procedures to match any environment, on-premise, remote work, or third-party facilities. You maintain total freedom to choose the best storage and disposal methods for your business without being constrained by the technical limitations of a rented SaaS platform.
Summary: For Annex A 7.10, the auditor wants to see that you have a formal policy for storage media and proof that you follow it (e.g., an inventory and destruction records). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
Related ISO 27001 Controls
There are a couple of other related controls worth reading up here as well being
- ISO 27001 Annex A 5.9 Inventory of Information and Other Associated Assets
- ISO 27001 Annex A 5.10 Acceptable Use of Information and Other Associated Assets
- ISO 27001 Annex A 5.11 Return of Assets
- ISO 27001 Annex A 5.12 Classification of Information
- ISO 27001 Annex A 5.13 Labelling of Information
- ISO 27001 Annex A 5.14 Information Transfer
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represents the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
