Welcome to your guide on ISO 27001 Annex A 7.10. As a certification body, we often see businesses struggle with the physical side of data security. You might have excellent firewalls, but if someone loses a USB drive full of client data, your digital defenses do not matter.
This control is all about storage media. It covers how you manage it, how you transport it, and importantly, how you destroy it when you are done. At iso27001.com, we want to ensure you have complete control over every device that holds your information.
What is Annex A 7.10?
Annex A 7.10 deals with storage media. In the past, this was often split into different controls regarding removable media and media disposal. Now, it is brought together to cover the full lifecycle of media management.
The goal is simple. You must prevent the unauthorized disclosure, modification, removal, or destruction of information stored on media. This applies to paper documents, USB drives, hard drives, tapes, and even the hard drive inside your office printer.
Where to Start with Implementation
You need to start with a policy. We recommend creating a Topic Specific Policy for storage media. This document will tell your staff exactly what they can and cannot do.
Your policy needs to answer a few key questions. Who is allowed to use removable media? How should they protect it? What happens when a device is broken or old? If you do not write these rules down, you cannot expect your team to follow them.
Managing Removable Media
Removable media poses a high risk. It is small, portable, and easily lost. Many organizations we audit choose to ban removable media entirely. This is a valid approach. You can disable USB ports on laptops to stop people from copying data.
If you must use removable media, you need strict rules. You should require encryption on all USB drives. This ensures that if a drive is lost on a train, the data remains safe. You should also maintain a log of who has which device. This is basic asset management.
Disposal and Re-use of Media
When you are finished with a piece of storage media, you have two choices. You can destroy it, or you can clean it for re-use. This is a common area where we find non-conformities.
If you are re-using media, a standard format is often not enough: a quick format only removes the file system index, and the underlying data can still be recovered. You need to ensure the data is truly unrecoverable. For high-security data, you might need specialized software to overwrite the disk multiple times.
If you are destroying media, you need evidence. Ideally, you will use a service that provides a certificate of destruction. If you do it yourself, you need to be thorough. Drilling a single hole in a hard drive might not be enough to stop a determined attacker. We expect to see a process that renders the media unreadable.
What the Auditor Expects to See
When an auditor from a body like iso27001.com visits your office, they will look for physical evidence. We will not just read your policy. We will look at your desks and your bins.
Clear Desk and Clear Screen
We will walk around your office. If we see USB drives left on desks overnight, that is a problem. If we see confidential papers in a standard waste bin instead of a confidential shredding console, that is a major issue. You need to ensure your physical reality matches your written policy.
The Transfer of Media
If you move tapes or drives between sites, how do you do it? Do you use a trusted courier? Do you log the media out and back in? We expect to see a secure chain of custody. If you send backup tapes offsite, we want to see the contract with the storage company and the logs of what was sent.
Common Mistakes to Avoid
We see the same mistakes happen frequently. The most common one is forgetting about old hardware. You might have a cupboard full of old laptops. Even if they are broken, the hard drives inside them still hold data.
You must treat this cupboard as a security risk. Log every item. When you dispose of the laptops, remove the hard drives first and destroy them separately. Do not just hand them over to a recycler without checking.
Another mistake is lacking verification. If you pay a company to shred your documents, do you check they actually did it? You should ask for a certificate of destruction. Keep this on file. It is your proof that you followed the process.
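The device log, chain of custody and certificate of destruction described in the sections above can be checked mechanically before the auditor arrives. The following is an added example, not code from iso27001.com; it assumes a hypothetical media register of the shape shown, with constructed asset ids and names, and flags the non-conformities this guide lists.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

REMOVABLE = {"usb", "hdd", "tape"}  # media types that must be encrypted while they hold data
AUDIT_DATE = date(2024, 5, 1)       # constructed date of the internal check

@dataclass
class MediaItem:
    asset_id: str
    media_type: str                          # "usb", "hdd", "tape" or "paper"
    status: str                              # "in_use", "in_storage", "in_transit" or "disposed"
    encrypted: bool = False
    holder: Optional[str] = None             # named person responsible, required when in use
    last_checked: Optional[date] = None      # last time the item was physically verified
    custody_log: List[Tuple[date, str, str]] = field(default_factory=list)  # (when, from, to)
    destruction_cert: Optional[str] = None   # reference to the certificate of destruction

def audit_item(item: MediaItem, audit_date: date, max_days_unchecked: int = 365) -> List[str]:
    """Return the non-conformities for one register entry (empty list means compliant)."""
    findings = []
    if item.status == "disposed":
        if not item.destruction_cert:
            findings.append("disposed without certificate of destruction")
        return findings  # nothing else applies once the media is gone
    if item.media_type in REMOVABLE and not item.encrypted:
        findings.append("unencrypted removable media")
    if item.status == "in_use" and not item.holder:
        findings.append("issued item has no named holder")
    if item.status == "in_transit" and not item.custody_log:
        findings.append("transfer without chain-of-custody entry")
    if item.last_checked is None or (audit_date - item.last_checked).days > max_days_unchecked:
        findings.append("not physically verified within %d days" % max_days_unchecked)
    return findings

def audit_register(register: List[MediaItem], audit_date: date) -> dict:
    """Map asset_id -> findings for every non-compliant entry; compliant items are omitted."""
    return {i.asset_id: f for i in register if (f := audit_item(i, audit_date))}

# Constructed sample register (fictitious asset ids, holders and dates).
SAMPLE_REGISTER = [
    MediaItem("USB-001", "usb", "in_use", encrypted=True, holder="A. Example", last_checked=date(2024, 3, 1)),
    MediaItem("USB-002", "usb", "in_use", encrypted=False, holder=None, last_checked=date(2024, 3, 1)),
    MediaItem("HDD-017", "hdd", "in_storage", encrypted=True, last_checked=date(2022, 1, 10)),  # the old-laptop cupboard
    MediaItem("TAPE-03", "tape", "in_transit", encrypted=True, holder="Courier Ltd",
              custody_log=[(date(2024, 4, 2), "HQ", "Offsite store")], last_checked=date(2024, 4, 2)),
    MediaItem("HDD-009", "hdd", "disposed"),  # recycled, but no certificate on file
]

def run_sample_audit() -> dict:
    return audit_register(SAMPLE_REGISTER, AUDIT_DATE)
```

Running `run_sample_audit()` reports USB-002 (unencrypted, no holder), HDD-017 (not verified for over a year) and HDD-009 (no certificate), while USB-001 and TAPE-03 pass.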
How We Can Help
Implementing Annex A 7.10 does not have to be complex. It requires a tidy mindset and a good process. Start with your inventory. Know what media you have. Then, decide how to protect it.
If you need templates or guidance, iso27001.com is here to support you. We can help you draft your policies and prepare for your audit. Remember, the goal is not just to pass the audit. The goal is to keep your data safe from physical theft and loss.