ISO 27001 Annex A 7.10 is about the full life cycle of your storage media. You must manage media from its first use to its final destruction based on how sensitive the information on it is. ISO 27001 Annex A 7.10 protects the information held on your storage media from unauthorised disclosure, change, loss or destruction.
What is ISO 27001 Annex A 7.10?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Storage Media”.
What is the ISO 27001 Annex A 7.10 control objective?
The formal definition and control objective in the standard is: “Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation’s classification scheme and handling requirements.”
What is the purpose of ISO 27001 Annex A 7.10?
The purpose of ISO 27001 Annex A 7.10 is “to ensure only authorised disclosure, modification, removal or destruction of information on storage media.”
Is ISO 27001 Annex A 7.10 Mandatory?
ISO 27001 Annex A control 7.10 (Storage Media in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.10 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
General Guidance
You will need a policy that covers storage media. A Data Classification and Handling policy, for example, works well. This policy should clearly tell your staff what you expect them to do.
You should then manage all storage media throughout its whole life. This is true even if the media came with other equipment.
In short, you need a process for every step:
- How you buy storage media.
- How you set it up and if you encrypt it.
- How you use it and who is in charge of it.
- How you watch over it.
- How you destroy it when it is no longer needed.
For all purposes, storage media are assets and fall under your asset management process.
Reuse and Destruction
Reusing or destroying storage media has specific rules. You should not just delete data and sell the device online. If you plan to reuse media, you must first wipe the data cleanly and professionally. If you need to destroy it, do not just smash it. You should use a certified destruction company that gives you all the needed paperwork and audit logs.
Portable Storage Media
You need a policy that covers how you use and manage portable media. This does not have to be a separate document: covering it within one of your existing policies is enough. As long as it is covered, you are fine.
Think about what types of media you will allow. Create a process for getting permission to use it. This process can be technical (like locking down USB ports) or administrative (like needing approval and checking).
Physical security for portable storage is very important. The reason is simple: portable media is easy to steal or lose and hard to track. You must set controls based on the risk and the classification level of the data on the media.
One thing often missed is that media does not last forever and will wear out. You should plan to keep multiple copies of data and/or use different storage methods. Your data retention rules will drive these choices, but you should still think about media lifespan.
Paper
Finally, remember that paper is storage media too. If you use paper, you must check its risk level and control it based on risk and business need. Fewer companies use paper today, but it still exists, often in regulated fields. If you use it, do not forget about it.