ISO 27001 Annex A Control 7.10

ISO 27001 control 7.10 Storage media

The basics

ISO 27001 control A.7.10 Storage media requires companies to protect and handle storage media according to the classification of data stored on such media and other security requirements. This control is to be applied during the use, transportation, or disposal of media, and is important to prevent sensitive data from being disclosed or tampered with.

Documentation

ISO 27001 control A.7.10 Storage media can be documented by writing:

  • an Information Classification Policy to determine which data are sensitive and what prevention controls need to be applied to storage media
  • smaller and mid-size companies might have an IT Security Policy or Acceptable Use Policy to define what is and what isn’t allowed for regular users regarding the use of storage media
  • larger companies might have a Procedure for Secure Handling of Storage Media
  • smaller and mid-size companies might use Security Procedures for IT Department to define specific rules on how to dispose of storage media that is no longer required
  • larger companies may use a Disposal and Destruction Policy to define specific rules on how to dispose of storage media that is no longer required

These documents are not mandatory but are recommended for all companies.

Implementation

In order to comply with control A.7.10 Storage media you might implement the following:

  • Technology — the technology to enable the protection of storage media may include software (e.g., wiping software and encryption tools to handle stored data) and hardware (e.g., reinforced cases and secure cabinets).
  • Organization/processes — you should set up a process for defining what prevention controls need to be applied on storage media, what is and what isn’t allowed for regular users regarding use of storage media, and how to dispose of storage media that is not required anymore. You can document those processes through an IT Security Policy, Security Procedures for IT Department, or a Procedure for Secure Handling of Storage Media.
  • People — make employees aware of why protecting storage media is needed, and train them on how to handle them securely.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.7.10 Storage media: whether storage media are protected and handled according to the information classification and other security requirements.