When the ISO 27001 standard was updated in 2022, one of the primary goals was to simplify the complex web of 114 controls in the 2013 edition (reduced to 93 in 2022) and make them more intuitive for modern businesses. One area that benefited significantly from this "clean-up" is the management of physical storage media. In the 2022 version, several older controls were consolidated into Annex A 7.10: Storage Media, creating a single control that addresses the entire lifecycle of your data-bearing hardware.
The Consolidation: Three Controls Become One
In the ISO 27001:2013 version, the rules for handling media were split across multiple sections. You might remember the trio of A.8.3.1 (Management of removable media), A.8.3.2 (Disposal of media) and A.8.3.3 (Physical media transfer). A fourth control, A.11.2.5 (Removal of assets), governed equipment and media leaving the premises and overlapped heavily with A.8.3.3.
The 2022 update merges all of these into the single Annex A 7.10 (the mapping is published in Annex B of ISO 27002:2022). According to insights from Hightable.io, this merger isn't just about reducing the word count; it's about recognizing that the security of a USB drive or a hard disk is a continuous journey. By grouping acquisition, use, transportation and disposal under one roof, the standard encourages organizations to think about "lifecycle management" rather than treating disposal or transport as isolated events.
What Exactly is New in Annex A 7.10?
While the core objective remains the same (ensuring that information on storage media is disclosed, modified, removed or destroyed only with authorization), the 2022 version brings a more modern perspective to the table. If you are transitioning your ISMS, here are the key shifts in focus:
- Full Lifecycle Accountability: The 2022 control text explicitly names the lifecycle stages of acquisition, use, transportation and disposal. You now need to consider the security of the media from the moment it is purchased and entered into your inventory, not only when it leaves the building or is thrown away.
- The Definition of “Media”: In 2013, we were primarily thinking about DVDs and thumb drives. In 2026, Annex A 7.10 covers a much broader range of hardware, including SSDs, cloud-integrated storage appliances, and even the internal drives of multi-function printers and IoT devices.
- Environmental Protection: There is a renewed emphasis on protecting media from environmental threats like heat, moisture, and electromagnetic interference while it is in storage or transit.
- Integrity and Availability: The 2013 version was heavily focused on confidentiality (preventing data leaks). The 2022 update balances this by requiring measures to ensure data remains readable and uncorrupted over time, particularly for long-term archives; the implementation guidance expects information still needed to be copied to fresh media before the original degrades and becomes unreadable.
The Shift to “Physical Controls”
One of the most noticeable structural changes is that Storage Media has moved into Theme 7: Physical Controls. In the 2013 version, the bulk of it sat within A.8 (Asset Management), with removal of assets under A.11 (Physical and Environmental Security).
This reclassification highlights that storage media is a physical object that requires physical safeguards. As noted by Hightable.io, even if the data on a drive is encrypted (a technical control), the drive itself must be kept in a locked cabinet or a secure room (a physical control). This “Physical” categorization makes it easier for facility managers and security teams to understand their specific role in protecting the hardware that houses the company’s “digital gold.”
Practical Implementation: Modern Expectations
Under the 2022 standard, an auditor is looking for a “Chain of Custody” for your storage media. To satisfy the requirements of Annex A 7.10, your implementation should go beyond a basic policy. Key practical steps include:
- Inventory and Labelling: Maintaining a register of all media, including its classification and current status (active, archived, or pending destruction).
- Authorization Workflows: Having a clear process for who is allowed to use removable media and a log of any media that leaves the secure perimeter.
- Secure Disposal: Moving away from "deleting files" and toward certified physical destruction or cryptographic erase (destroying the key of an encrypted drive so the ciphertext is unrecoverable), complete with certificates of destruction. Note that a simple overwrite is not a reliable sanitization method for flash media such as SSDs because of wear levelling and over-provisioned cells; choose the method by media type, for example following NIST SP 800-88, and record which method was applied to each asset.
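The lifecycle register and chain of custody described in the three steps above can be enforced in code rather than left to a spreadsheet. The following is an added example and not code from the article or from Hightable.io: a small media register that only permits policy-defined state transitions, refuses to mark media as destroyed without a certificate reference, refuses transit without a logged handover, and runs the "store room", transport and disposal-backlog checks an auditor would make. The state names, audit rules, location list and sample records are all assumptions constructed for illustration.

```python
"""Storage-media register with lifecycle states and a chain of custody.

Added example, not the article's or Hightable.io's code. State names, audit
rules and the sample records below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Permitted lifecycle transitions: acquisition -> use -> transit/archive -> disposal.
ALLOWED = {
    "acquired": {"active"},
    "active": {"archived", "in_transit", "pending_destruction"},
    "in_transit": {"active", "archived"},
    "archived": {"active", "in_transit", "pending_destruction"},
    "pending_destruction": {"destroyed"},
    "destroyed": set(),
}
AUDIT_DATE = date(2025, 4, 1)  # assumed "today" for the sample audit


@dataclass
class CustodyEvent:
    when: date
    actor: str
    action: str          # "acquired", "handover" or "state_change"
    detail: str = ""


@dataclass
class Media:
    asset_id: str
    media_type: str
    classification: str  # e.g. "public", "internal", "confidential"
    custodian: str
    location: str
    encrypted: bool = False
    state: str = "acquired"
    destruction_cert: str = ""               # certificate reference, once issued
    log: list = field(default_factory=list)  # append-only chain of custody


class MediaRegister:
    def __init__(self):
        self.items = {}

    def acquire(self, asset_id, media_type, classification, custodian, location, when, encrypted=False):
        m = Media(asset_id, media_type, classification, custodian, location, encrypted)
        m.log.append(CustodyEvent(when, custodian, "acquired", f"registered at {location}"))
        self.items[asset_id] = m
        return m

    def handover(self, asset_id, from_actor, to_actor, when, destination):
        """Record a change of custodian; only the current custodian may hand over."""
        m = self.items[asset_id]
        if m.custodian != from_actor:
            raise ValueError(f"{asset_id}: {from_actor} is not the custodian ({m.custodian})")
        m.log.append(CustodyEvent(when, from_actor, "handover", f"to {to_actor}, destination {destination}"))
        m.custodian, m.location = to_actor, destination

    def transition(self, asset_id, new_state, actor, when):
        """Move media along the lifecycle, refusing transitions the policy forbids."""
        m = self.items[asset_id]
        if new_state not in ALLOWED[m.state]:
            raise ValueError(f"{asset_id}: {m.state} -> {new_state} is not permitted")
        if new_state == "in_transit" and m.log[-1].action != "handover":
            raise ValueError(f"{asset_id}: transit must be preceded by a logged handover")
        if new_state == "destroyed" and not m.destruction_cert:
            raise ValueError(f"{asset_id}: destruction requires a certificate reference")
        m.log.append(CustodyEvent(when, actor, "state_change", f"{m.state} -> {new_state}"))
        m.state = new_state


def audit(register, secure_locations, today, max_pending_days=30):
    """Return sorted (asset_id, finding) pairs for the checks an auditor would make."""
    findings = []
    for m in register.items.values():
        # "Store room" test: live or archived media outside a controlled location.
        if m.state in ("active", "archived") and m.location not in secure_locations:
            findings.append((m.asset_id, f"stored at {m.location}, not a controlled location"))
        # Transport: classified media must not travel unencrypted.
        if m.state == "in_transit" and not m.encrypted and m.classification != "public":
            findings.append((m.asset_id, "unencrypted classified media in transit"))
        # Disposal backlog: waiting for destruction too long with no certificate.
        if m.state == "pending_destruction" and not m.destruction_cert:
            since = max(e.when for e in m.log if e.action == "state_change")
            age = (today - since).days
            if age > max_pending_days:
                findings.append((m.asset_id, f"pending destruction for {age} days without certificate"))
    return sorted(findings)


def demo():
    """Constructed sample register: two compliant items, two that fail the audit."""
    reg = MediaRegister()
    reg.acquire("HDD-0001", "hdd", "confidential", "alice", "Vault-A", date(2025, 1, 10), encrypted=True)
    reg.transition("HDD-0001", "active", "alice", date(2025, 1, 11))
    reg.acquire("TAPE-0042", "lto", "confidential", "bob", "Vault-A", date(2025, 2, 1), encrypted=True)
    reg.transition("TAPE-0042", "active", "bob", date(2025, 2, 2))
    reg.handover("TAPE-0042", "bob", "courier", date(2025, 3, 30), "OffsiteCo")
    reg.transition("TAPE-0042", "in_transit", "bob", date(2025, 3, 30))
    reg.acquire("USB-0007", "usb", "internal", "carol", "Desk-3F", date(2025, 3, 5))
    reg.transition("USB-0007", "active", "carol", date(2025, 3, 5))
    reg.acquire("SSD-0100", "ssd", "confidential", "dave", "Vault-A", date(2024, 6, 1), encrypted=True)
    reg.transition("SSD-0100", "active", "dave", date(2024, 6, 2))
    reg.transition("SSD-0100", "pending_destruction", "dave", date(2025, 1, 1))
    return reg


if __name__ == "__main__":
    for asset_id, finding in audit(demo(), {"Vault-A"}, AUDIT_DATE):
        print(asset_id, finding)
```

Running the sample flags the USB stick sitting on a desk and the SSD that has been waiting 90 days for destruction with no certificate; the tape is in transit but was handed over and is encrypted, so it passes. The point of the transition guards is that the register itself refuses the shortcuts auditors look for: nothing can be marked destroyed without a certificate reference, and nothing can be in transit without a handover entry naming the recipient and destination.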

The Introduction of Control Attributes
A major innovation of the ISO 27001:2022 update is the introduction of "Attributes", a set of hashtag-style labels on every control. For Annex A 7.10, the control type is tagged as #Preventive, and its information security properties cover #Confidentiality, #Integrity and #Availability. This helps security managers explain to stakeholders that media management is a proactive barrier rather than a clean-up activity after a loss.
As suggested by Hightable.io, using these attributes allows you to map your media security directly to other frameworks: the "Cybersecurity concepts" attribute (#Protect for 7.10) follows the functions of the NIST Cybersecurity Framework. It shows that your lockable media cabinets and port-blocking software are integrated parts of a broader "Protect" strategy, rather than just isolated administrative rules.
What Will an Auditor Look For?
When you transition to the 2022 version, the auditor will be looking for discipline. They won’t just ask for your policy; they will want to see it in action. Expect them to check:
- The “Store Room” Test: Are there old hard drives or backup tapes sitting in an unlocked cupboard? This is a frequent non-conformity.
- Port Controls: Can they plug an unregistered USB drive into a workstation and copy data onto it? Expect them to test whether your device-control or port-blocking software actually blocks unapproved media, not just whether the policy says it should.
- Transport Logs: If you send backup tapes off-site, is there a record of who picked them up and proof of secure transport?
- Disposal Records: Can you provide a certificate of destruction for the laptops you retired last quarter?
Why the Transition to 7.10 Matters
The update to Annex A 7.10 reflects a world where hardware is increasingly powerful and portable. In 2013, losing a USB was bad. In 2026, a single lost SSD can contain an entire company's database. By consolidating these requirements into a single, lifecycle-focused control, ISO 27001:2022 aims to ensure that your "physical data" is managed with the same level of rigour as your network traffic.
As suggested by Hightable.io, the best way to move forward is to refresh your Data Classification and Handling Policy. Ensure it covers the specific "Joiner-Mover-Leaver" triggers for media, such as sanitizing a drive before it is reissued (re-imaging alone does not reliably remove the previous user's data; use an overwrite, secure-erase or cryptographic-erase method appropriate to the media type). This simple step doesn't just pass an audit; it builds a foundation of asset resilience that protects your organization from one of the most common causes of data breaches: lost or poorly managed hardware.
