ISO 27001:2022 Annex A 7.10 Storage Media: The Lead Auditor’s Guide.


ISO 27001 Annex A 7.10 Storage Media is a security control that mandates the lifecycle management of physical and removable drives to prevent data leakage. It requires organizations to implement mandatory encryption and secure disposal procedures, ensuring sensitive data on USBs and hard drives remains protected against theft, delivering the Business Benefit of verifiable data integrity and compliance.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 7.10 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 7.10 Storage Media

ISO 27001 Annex A 7.10 requires organizations to manage the entire lifecycle of storage media from acquisition and use to transportation and final disposal. While it covers internal server drives, its primary focus is on Removable Media (USBs, portable hard drives, and even paper), which are high-risk assets due to how easily they can be lost, stolen, or used to introduce malware. The goal is to ensure that sensitive data on these media remains confidential and is never disclosed to unauthorised parties.

Core requirements for compliance include:

  • Full Lifecycle Management: You must track storage media from the moment it is purchased until the moment it is destroyed. This includes documenting who has the device and what classification of data it contains.
  • The “USB Ban” Trend: For modern compliance, many organizations now choose to technically block all personal USB ports via Endpoint Management (like Microsoft Intune) to prevent data leakage.
  • Mandatory Encryption: Any removable media allowed for business use must be encrypted. If a corporate USB stick is found in a parking lot, the data should be unreadable without the encryption key.
  • Secure Physical Transport: If you are moving physical backup tapes or hard drives between sites, you must use secure couriers and tamper-evident packaging.
  • Professional Destruction: When a drive or a pile of sensitive paper reaches end-of-life, you must use a certified destruction service that provides a Certificate of Destruction.

Audit Focus: Auditors will look for “The Cupboard of Shame”:

  1. Inventory Check: “Show me your list of all company-issued encrypted USB drives.”
  2. The Live Test: They may try to plug a random USB into an employee’s laptop to see if it is blocked or if it prompts for encryption.
  3. End-of-Life Proof: “Show me the destruction receipts for the old server hard drives you replaced last quarter.”

Removable Media Control Matrix (Audit Cheat Sheet):

Media Type | Usage Status | Required Technical Control | ISO 27001:2022 Control
--- | --- | --- | ---
Corporate USBs | Allowed | Must be BitLocker or hardware encrypted. | 7.10 (Storage Media)
Personal USBs | BANNED | Blocked via endpoint policy (Intune/Jamf). | 8.1 (User Endpoint Devices)
External HDDs | Restricted | Requires an approved IT Support ticket and justification. | 7.10 (Storage Media)
Optical (CD/DVD) | Read-Only | “Burn” functions disabled on all standard laptops. | 7.10 (Storage Media)

What is ISO 27001 Annex A 7.10?

The focus for this ISO 27001 control is the lifecycle of storage media. As one of the ISO 27001 controls, it is about managing media, according to its classification, from acquisition through to its final destruction.

ISO 27001 Annex A 7.10 Storage Media is an ISO 27001 control that looks to protect storage media.

ISO 27001 Annex A 7.10 Purpose

The purpose of ISO 27001 Storage Media is to ensure only authorised disclosure, modification, removal or destruction of information on storage media.

ISO 27001 Annex A 7.10 Definition

The ISO 27001 standard defines ISO 27001 Annex A 7.10 as:

Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation’s classification scheme and handling requirements.


ISO 27001 Annex A 7.10 Free Training Video

In the video ISO 27001 Storage Media Explained – ISO27001:2022 Annex A 7.10 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 7.10 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 7.10 Storage Media, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 7.10 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 7.10 Storage Media. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 7.10 Implementation Guidance

General Guidance

There is one thing that people don’t really trust like they used to, and that is external storage media. This control is looking at all types of storage media with a particular focus on removable / external storage media.

Let us first look in general terms before we give some attention to removable media and its particular challenges.

ISO 27001 Information Security Classification and Handling Policy

You will want a policy in place on Data Classification and Handling that will cover storage media, for example the Information Security Classification and Handling Policy. This is to set out and communicate what the expectations are that you have of people.


Lifecycle Management Process

Then you are going to put in full lifecycle management of the storage media, even where it comes bundled as part of other devices (the internal drive of a laptop or server is still storage media).

What this means in real terms is having a process for:

  • How you acquire storage media and where you acquire it from
  • How you configure it, and if and how you encrypt it
  • How you use it and where you use it
  • Who is responsible for it
  • How you monitor it
  • At its end of life, how you destroy it

To all intents and purposes, storage media is an asset under asset management.

Reuse and destruction of storage media have their own requirements. Let’s not be just deleting stuff and then popping it on eBay: a deleted file is still on the disk until it is overwritten. If you have to reuse it then securely destroy the data on it in a proper and professional way. If you have to destroy it, whilst hitting it with an FBH (fking big hammer) can work wonders, ideally use a reputable outsourced destruction company that provides all the required paperwork and audit trails.
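The lifecycle process above (acquire, configure and encrypt, use, transport, sanitise or destroy) is easiest to evidence when the asset register itself refuses a step that the handling rules do not allow. The following is an added example, not code from this page or from High Table; the classification names, the handling rules per classification, the asset tags and the certificate reference are all constructed for the illustration.

```python
"""Storage-media lifecycle register.

Hypothetical example: not code from the page or from High Table.
Every item moves through the Annex A 7.10 lifecycle
(acquired -> in_use -> in_transit -> sanitised -> destroyed) and each
transition is refused unless the handling rules for the item's
classification are satisfied, so the register enforces the policy
rather than merely recording what happened.
"""
from dataclasses import dataclass, field
from typing import Optional

# Lifecycle states and the transitions the process allows.
TRANSITIONS = {
    "acquired":   {"in_use"},
    "in_use":     {"in_transit", "sanitised", "destroyed"},
    "in_transit": {"in_use"},
    "sanitised":  {"in_use", "destroyed"},   # sanitised media may be reused
    "destroyed":  set(),                     # terminal state
}

# Handling rules per classification (constructed for this example):
# whether encryption is required before use, and the minimum NIST 800-88
# sanitisation level before the media may be reused.
RULES = {
    "public":       {"encrypt": False, "min_sanitise": "clear"},
    "internal":     {"encrypt": True,  "min_sanitise": "clear"},
    "confidential": {"encrypt": True,  "min_sanitise": "purge"},
}
SANITISE_LEVELS = {"clear": 1, "purge": 2}


class HandlingError(Exception):
    """Raised when a transition would breach the handling rules."""


@dataclass
class MediaItem:
    asset_id: str
    media_type: str               # e.g. "usb", "hdd", "tape", "paper"
    classification: str
    owner: str
    encrypted: bool = False
    state: str = "acquired"
    certificate_of_destruction: Optional[str] = None
    history: list = field(default_factory=list)   # (actor, state, note)


class MediaRegister:
    def __init__(self) -> None:
        self.items: dict = {}

    def acquire(self, item: MediaItem, actor: str) -> MediaItem:
        if item.classification not in RULES:
            raise HandlingError(f"{item.asset_id}: unknown classification {item.classification!r}")
        self.items[item.asset_id] = item
        item.history.append((actor, "acquired", f"type={item.media_type}"))
        return item

    def transition(self, asset_id: str, new_state: str, actor: str, **evidence) -> MediaItem:
        item = self.items[asset_id]
        rules = RULES[item.classification]
        if new_state not in TRANSITIONS[item.state]:
            raise HandlingError(f"{asset_id}: {item.state} -> {new_state} is not a valid transition")
        if new_state == "in_use" and rules["encrypt"] and not item.encrypted:
            raise HandlingError(f"{asset_id}: {item.classification} media must be encrypted before use")
        if new_state == "in_transit" and not (evidence.get("courier_ref") and evidence.get("tamper_evident")):
            raise HandlingError(f"{asset_id}: transport needs a courier reference and tamper-evident packaging")
        if new_state == "sanitised":
            level = evidence.get("method", "")
            if SANITISE_LEVELS.get(level, 0) < SANITISE_LEVELS[rules["min_sanitise"]]:
                raise HandlingError(f"{asset_id}: {item.classification} media needs at least "
                                    f"NIST 800-88 {rules['min_sanitise']}, got {level!r}")
        if new_state == "destroyed":
            if not evidence.get("certificate"):
                raise HandlingError(f"{asset_id}: destruction needs a Certificate of Destruction reference")
            item.certificate_of_destruction = evidence["certificate"]
        item.state = new_state
        item.history.append((actor, new_state, ", ".join(f"{k}={v}" for k, v in evidence.items())))
        return item

    def outstanding(self) -> list:
        """Assets still in circulation: the list an auditor asks to see."""
        return sorted(a for a, i in self.items.items() if i.state != "destroyed")


def demo() -> dict:
    """Walk one USB stick and one retired server drive through the lifecycle."""
    reg = MediaRegister()
    usb = reg.acquire(MediaItem("USB-0001", "usb", "confidential", "alice"), "it-desk")
    try:                                   # unencrypted confidential media: refused
        reg.transition("USB-0001", "in_use", "alice")
        refused = False
    except HandlingError:
        refused = True
    usb.encrypted = True                   # e.g. BitLocker To Go applied by IT
    reg.transition("USB-0001", "in_use", "alice")
    reg.transition("USB-0001", "in_transit", "alice", courier_ref="CR-123", tamper_evident=True)
    reg.transition("USB-0001", "in_use", "bob")
    hdd = reg.acquire(MediaItem("HDD-0101", "hdd", "confidential", "backup", encrypted=True), "it-desk")
    reg.transition("HDD-0101", "in_use", "backup")
    reg.transition("HDD-0101", "destroyed", "it-desk", certificate="CoD-2024-0042")
    return {"unencrypted_use_refused": refused, "usb_state": usb.state,
            "hdd_cod": hdd.certificate_of_destruction, "outstanding": reg.outstanding()}


if __name__ == "__main__":
    print(demo())
```

The `history` list on each item is the audit trail: who moved the asset, into which state, and what evidence (courier reference, sanitisation method, certificate number) was supplied at the time. Paper can be registered the same way with `media_type="paper"`; only the sanitisation methods differ.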

Removable Storage Media

In general terms you are going to implement a topic specific policy on the use and management of removable media. What this means is addressing it in one of your other policies. As long as it is covered you are fine.

Think here about what kind of media you will allow and what the process is for allowing it. That can be a technical process, such as port lockdowns, and/or an administrative process, such as approval and checking.

Physical security of removable storage is paramount. A no brainer when you think about it. It is harder to steal. Harder to track. Easier to lose. Implement controls based on risk and the classification of what the storage media contains.

One thing people often overlook is that media has a life span and will degrade over time. There are approaches to this, such as keeping multiple copies and/or using multiple storage technologies. All of this will really be driven by your data retention requirements, but it is worth thinking about.

Paper

Finally, paper is storage media. If you have it, risk assess it and control it based on risk and business need. Fewer and fewer organisations rely on paper these days, but it is still out there, usually in regulated industries. If you have it, don’t overlook it.

How to implement ISO 27001 Annex A 7.10

Implementing ISO 27001 Annex A 7.10 requires a robust lifecycle management process for all physical and virtual storage media. This technical guide outlines the action-result workflow for protecting organisational data from acquisition through to secure disposal, ensuring compliance with international data protection standards.

1. Formalise a Storage Media Handling Policy

Develop and approve a topic-specific policy that defines the mandatory security requirements for all media types, providing a regulatory foundation for the Information Security Management System (ISMS).

  • Define the scope of media covered, including USB drives, SSDs, backup tapes, and cloud storage volumes.
  • Establish clear rules for the use of personal removable media (BYOD) within the organisation.
  • Specify the required security classifications and corresponding handling instructions for sensitive data.
  • Document the roles and responsibilities for asset owners and system administrators.

2. Provision Technical Endpoint Restrictions

Deploy technical controls to prevent the unauthorised use of removable media, reducing the risk of malware infection and data exfiltration.

  • Implement Unified Endpoint Management (UEM) policies to block unapproved USB devices at the hardware level.
  • Enforce mandatory Full Disk Encryption (FDE) using AES-256 for any media permitted to leave secure zones.
  • Configure automated logging for all data transfer events to removable storage for audit trail purposes.
  • Restrict write access to removable media to authorised IAM roles or specific user groups only.

3. Establish Secure Storage and Transport Protocols

Ensure that media is protected from physical damage, environmental hazards, and unauthorised interception during storage and transit.

  • Utilise fireproof and waterproof safes for the long term storage of physical backup media.
  • Mandate the use of tamper-evident packaging and tracked courier services for physical media transport.
  • Maintain a formal sign-in and sign-out log for all media entering or leaving secure areas.
  • Verify the integrity of received media before it is connected to the organisational network.

4. Execute Managed Sanitisation and Disposal

Render data unrecoverable on retired media using verified technical methods to prevent data breaches via the secondary market.

  • Apply NIST 800-88 compliant sanitisation techniques such as “Clear” or “Purge” for media intended for re-use.
  • Provision physical destruction services, such as industrial shredding or incineration, for end-of-life hardware.
  • Obtain a formal Certificate of Destruction (CoD) for every asset that is physically destroyed.
  • Document the disposal method and date within the central Asset Register to maintain audit evidence.

5. Conduct Regular Asset Inventory Audits

Perform periodic reviews of all storage media to ensure that all assets are accounted for and that security controls remain effective.

  • Cross-reference physical media in storage against the digital Asset Register.
  • Audit encryption status on a sample of active removable devices to ensure compliance.
  • Review transfer logs to identify unusual patterns or unauthorised data movements.
  • Revoke access rights for any media identified as lost or stolen within the Incident Management framework.
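Step 5 is where most audit findings come from, because the checks are simple but rarely done on a schedule. The following is an added example, not code from this page or from High Table, that runs the first three bullets of step 5 over constructed data: a register export is reconciled against a physical stock-take, the register is checked for unencrypted items, and an endpoint transfer log is reviewed for writes to unregistered devices, unusually large volumes or out-of-hours activity. The asset tags, locations, log format and thresholds are all assumptions for the illustration; a real UEM or DLP export will have its own format.

```python
"""Periodic storage-media audit: stock-take reconciliation, encryption
sampling and transfer-log review.

Hypothetical example: not code from the page or from High Table. The
register, stock-take and endpoint transfer log below are constructed
sample data standing in for an asset register export and a UEM/DLP log.
"""
from datetime import datetime

# Constructed asset register export: what IT believes exists and where.
REGISTER = {
    "USB-0001":  {"owner": "alice",  "encrypted": True,  "location": "safe-A"},
    "USB-0002":  {"owner": "bob",    "encrypted": False, "location": "safe-A"},
    "HDD-0101":  {"owner": "backup", "encrypted": True,  "location": "safe-B"},
    "TAPE-0007": {"owner": "backup", "encrypted": True,  "location": "safe-B"},
}

# Constructed physical stock-take: asset tags actually found per location.
STOCKTAKE = {
    "safe-A": ["USB-0001", "USB-0002", "USB-0099"],
    "safe-B": ["HDD-0101"],
}

# Constructed endpoint transfer log: timestamp user device action bytes.
TRANSFER_LOG = """\
2024-05-06T09:12:00 alice USB-0001 write 120000
2024-05-06T10:40:00 bob   USB-0002 write 2500000
2024-05-06T23:15:00 carol USB-5555 write 4800000000
2024-05-07T08:05:00 alice USB-0001 read  5000
"""


def reconcile(register: dict, stocktake: dict) -> dict:
    """Cross-reference physical media against the register (step 5, first bullet)."""
    found = {tag: loc for loc, tags in stocktake.items() for tag in tags}
    return {
        "missing":      sorted(t for t in register if t not in found),
        "unregistered": sorted(t for t in found if t not in register),
        "misplaced":    sorted(t for t, loc in found.items()
                               if t in register and register[t]["location"] != loc),
    }


def unencrypted(register: dict) -> list:
    """Encryption-status check over the register (step 5, second bullet)."""
    return sorted(t for t, rec in register.items() if not rec["encrypted"])


def parse_log(text: str) -> list:
    """Parse the whitespace-separated constructed log format into rows."""
    rows = []
    for line in text.splitlines():
        ts, user, device, action, nbytes = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "device": device, "action": action, "bytes": int(nbytes)})
    return rows


def review_transfers(rows: list, register: dict, max_bytes: int = 1_000_000_000,
                     office_hours: tuple = (8, 18)) -> list:
    """Flag writes to removable media that merit a closer look (step 5, third bullet).
    Thresholds are constructed for the example; tune them to your own baseline."""
    findings = []
    for r in rows:
        if r["action"] != "write":
            continue
        reasons = []
        if r["device"] not in register:
            reasons.append("device not in register")
        if r["bytes"] > max_bytes:
            reasons.append("volume above threshold")
        if not office_hours[0] <= r["ts"].hour < office_hours[1]:
            reasons.append("outside office hours")
        if reasons:
            findings.append({"ts": r["ts"].isoformat(), "user": r["user"],
                             "device": r["device"], "reasons": reasons})
    return findings


def audit() -> dict:
    """Run all three checks over the constructed data and return the findings."""
    return {
        "reconciliation": reconcile(REGISTER, STOCKTAKE),
        "unencrypted": unencrypted(REGISTER),
        "transfers": review_transfers(parse_log(TRANSFER_LOG), REGISTER),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

Each finding maps to an action the page already names: a missing tape or an unregistered stick goes into incident management (the fourth bullet of step 5), an unencrypted register entry is a policy breach to fix before the auditor samples it, and a flagged transfer is a line of enquiry, not a verdict, so record what was checked and why it was closed.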

Removable Media Control Matrix

Media Type | Policy | Control Measure
--- | --- | ---
Corporate USBs | Allowed (Encrypted) | Must be BitLocker/hardware encrypted.
Personal USBs | BANNED | Blocked via Endpoint Manager (Intune).
External Hard Drives | Restricted | Requires IT approval ticket.
Optical (CD/DVD) | Read-Only | Disable “Burn” function.

How to comply

To comply with ISO 27001 Annex A 7.10 Storage Media you are going to

  • Train, educate, tell and communicate to people what is expected of them
  • Have policies and procedures in place
  • Assess your assets and perform a risk assessment
  • Implement controls proportionate to the risk posed
  • Test the controls that you have to make sure they are working

Top 3 ISO 27001 Annex A 7.10 mistakes and how to avoid them

The top 3 mistakes people make for ISO 27001 Annex A 7.10 Storage Media are

  • You have loads of hard drives in a cupboard: This is the number one mistake. Having computers, hard drives, old devices and paper archives that no one can identify, whose contents are unknown and whose reason for being kept is a mystery, either in a store room or, worst case, on someone’s desk. Get your asset management sorted. Get your house in order. Do your housekeeping.
  • One or more members of your team haven’t done what they should have done: Prior to the audit, check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Do you have an inventory of storage media? Is removable media managed, tracked and checked? Check!
  • Your document and version control is wrong: Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no stray comments left in them are all good practices.

Applicability of ISO 27001 Annex A 7.10 across different business models.

Business Type: Small Businesses
Applicability: Focuses on controlling the “USB Wild West.” It involves ensuring that sensitive data isn’t leaked via personal thumb drives and that paper-based storage (like printed payroll) is managed.
Examples of control implementation:
  • Physically and logically blocking personal USB ports on all office desktops to prevent data leakage.
  • Enabling BitLocker encryption on any company-issued portable hard drives used for local backups.
  • Providing locked “Confidential Waste” bins for any sensitive paper records before they are professionally shredded.

Business Type: Tech Startups
Applicability: Essential for managing the transition from physical to virtual storage. Compliance requires rigorous tracking of internal SSDs and ensuring cloud storage volumes are managed as “Virtual Media.”
Examples of control implementation:
  • Using Microsoft Intune or Jamf to enforce a policy that only allows encrypted, company-approved USB devices to connect to laptops.
  • Implementing a “Remote Wipe” process for the internal SSDs of laptops reported lost by remote employees.
  • Maintaining a disposal log that records the serial numbers of decommissioned server drives and their corresponding “Certificate of Destruction.”

Business Type: AI Companies
Applicability: Vital for protecting massive training datasets and proprietary model IP. Focus is on high-volume media integrity and secure transport of high-capacity storage arrays.
Examples of control implementation:
  • Using tamper-evident packaging and tracked couriers when physically moving high-capacity data arrays between research centers.
  • Enforcing AES-256 encryption on all physical storage nodes within the GPU cluster to prevent data theft if a drive is physically removed.
  • Applying “Purge” level sanitization (NIST 800-88) to all high-performance NVMe drives before they are re-provisioned or retired.

Fast Track ISO 27001 Annex A 7.10 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 7.10 (Storage media), the requirement is to manage storage media throughout its life cycle (acquisition, use, transportation and disposal) in line with your classification and handling rules. This control is heavily focused on removable media (USBs, external drives) and the secure destruction of data.

Compliance Factor: Policy Ownership
  • SaaS Compliance Platforms: Rents access to your handling rules; if you cancel, your documented BitLocker requirements and media registers vanish.
  • High Table ISO 27001 Toolkit: Permanent Assets: Fully editable Word/Excel Information Classification and Media Handling Policies that you own forever.
  • Audit Evidence Example: A localized “Removable Media Policy” defining encryption mandates for USB and external drives.

Compliance Factor: Operational Simplicity
  • SaaS Compliance Platforms: Over-engineers media tracking with dashboards that cannot physically encrypt a disk or oversee its secure shredding.
  • High Table ISO 27001 Toolkit: Governance-First: Formalizes your existing IT asset tagging and secure media disposal workflows.
  • Audit Evidence Example: A completed “Removable Media Inventory” and a corresponding Certificate of Destruction for decommissioned drives.

Compliance Factor: Cost Structure
  • SaaS Compliance Platforms: Charges an “Asset Inventory Tax” based on the volume of physical media items or storage devices tracked.
  • High Table ISO 27001 Toolkit: One-Off Fee: A single payment covers your governance documentation for 5 USB sticks or 5,000 hard drives.
  • Audit Evidence Example: Allocating budget to actual encryption software (e.g., VeraCrypt) rather than a monthly paperwork subscription fee.

Compliance Factor: Hardware Freedom
  • SaaS Compliance Platforms: Limited by “standard” asset management integrations; struggles with specialized storage or niche hardware setups.
  • High Table ISO 27001 Toolkit: 100% Agnostic: Procedures adapt to any media type, encryption tool, or disposal vendor without technical limits.
  • Audit Evidence Example: The ability to change hardware encryption vendors or media destruction partners without reconfiguring a rigid SaaS module.

Summary: For Annex A 7.10, the auditor wants to see that you have a formal policy for storage media and proof that you follow it (e.g., an inventory and destruction records). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 7.10 FAQ

What is ISO 27001 Annex A 7.10?

ISO 27001 Annex A 7.10 is an organisational and physical control that mandates the secure management of storage media throughout its entire lifecycle, from acquisition to disposal.

  • Requires formal procedures for handling, storage, and transport.
  • Mandates protection against unauthorised access, damage, or theft.
  • Applies to all forms of media containing organisational information.
  • Includes requirements for the secure disposal of retired media.

What is considered storage media under ISO 27001?

Under ISO 27001, storage media refers to any physical or virtual object used to store data, including removable hardware and digital storage environments.

  • Removable media: USB flash drives, external hard drives (HDD/SSD), and SD cards.
  • Fixed media: Internal server drives and workstation hard disks.
  • Legacy media: Tapes, optical discs (CD/DVD), and printed paper records.
  • Virtual media: Cloud storage buckets, virtual disks, and backup snapshots.

Does ISO 27001 require encryption for all removable media?

Yes. While the standard does not explicitly name a technology, encryption is the industry-standard technical control required to mitigate the risk of data compromise on removable media.

  • Enforce full-disk encryption for all USB drives and external SSDs.
  • Utilise AES-256 or higher encryption standards for sensitive data.
  • Implement centralized management to ensure encryption is active on all endpoints.
  • Mandate encryption for any data being transported outside of secure zones.

How should storage media be disposed of securely?

Secure disposal requires rendering data unrecoverable through physical destruction or verified sanitisation techniques before the media leaves organisational control.

  • Physical Destruction: Shredding, pulping, or incineration of hard drives and tapes.
  • Sanitisation: Using software to “Purge” or “Clear” data based on NIST 800-88 standards.
  • Degaussing: Using high-strength magnets to erase magnetic media like tapes or HDDs.
  • Documentation: Obtaining and filing Certificates of Destruction (CoD) for audit evidence.

What are the requirements for transporting physical media?

Transporting physical media requires strict chain-of-custody controls to prevent interception, theft, or environmental damage during transit.

  • Use authorised, tracked courier services with tamper-evident packaging.
  • Ensure all data on the media is encrypted prior to transport.
  • Keep a log of all media leaving and entering secure perimeters.
  • Verify the identity of the recipient upon delivery.

How do organisations manage the use of removable media?

Management is achieved through a combination of policy restrictions, technical blocks, and user awareness training.

  • Restrict the use of unauthorised personal USB devices via endpoint management software.
  • Establish a “Removable Media Policy” that users must sign and follow.
  • Log all data transfers to removable media for monitoring and incident response.
  • Audit the inventory of physical media assets at regular intervals.

There are a couple of other related controls worth reading up here as well being

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor ⚡ 30+ Years Exp 🏢 Ex-GE Leader


Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
