ISO 27001:2022 Annex A Control 7.10

Storage Media



Storage media such as SSDs, USB drives, external hard disks and mobile devices are used in many routine information handling operations, including data backup, storage and transfer.

Storing sensitive and business-critical data on these devices introduces risks to the confidentiality, integrity and availability of information assets. Such risks include the loss or theft of media containing confidential information, the spread of malware onto corporate networks via removable media, and the failure or degradation of media used for backups.

ISO 27001:2022 Annex A 7.10 sets out the steps organisations must take to secure storage media throughout its life cycle, from acquisition to disposal, and requires policies and controls to be put in place to achieve this.

Purpose of ISO 27001:2022 Annex A 7.10

ISO 27001:2022 Annex A 7.10 helps organisations mitigate the risks of unauthorised access, use, deletion, alteration and transmission of confidential data held on storage media by establishing procedures for managing storage media throughout its entire life cycle.

What Does Annex A 7.10 Cover?

ISO 27001:2022 Annex A 7.10 applies to both digital and physical storage media: information held on paper documents is in scope of this control as well.

Fixed storage such as internal hard disks, not only removable media, is also subject to ISO 27001:2022 Annex A 7.10.

Ownership of Annex A 7.10

ISO 27001:2022 Annex A 7.10 requires organisations to establish and implement appropriate procedures, technical controls and organisation-wide policies on the use of storage media, in line with the organisation's classification scheme and any data handling requirements such as legal and contractual obligations.

Information Security Managers should take charge of the whole compliance cycle.

Guidance on ISO 27001:2022 Annex A 7.10 Compliance

Removable Storage Media

Removable media are indispensable to many business operations and are widely used by personnel, yet they present a particularly high risk to sensitive data because they are easily lost, stolen or used to carry malware.

ISO 27001:2022 Annex A 7.10 sets out ten conditions organisations must observe for the management of removable storage media during its life cycle:

  1. Organisations should establish a topic-specific policy covering the acquisition, authorisation, use and disposal of removable storage media, and make all personnel and relevant interested parties aware of it.
  2. Where practical and necessary, organisations should require authorisation before removable storage media is taken off corporate premises, and keep a log of such removals to provide an audit trail.
  3. All removable storage media should be stored in a secure location such as a safe, taking into account the classification level of the information it holds and any environmental or physical threats to the media.
  4. Where the confidentiality or integrity of the information on removable media is important, cryptographic techniques (such as full encryption of the media) should be used to protect it against unauthorised access.
  5. To guard against media deterioration and the resulting data loss, information should be transferred to new storage media before the original becomes unreadable.
  6. Sensitive data should be copied to multiple storage media to reduce the likelihood of critical information being lost; a single copy on one medium is a single point of failure.
  7. Registering removable storage media (recording each device and who is responsible for it) limits the opportunity for data loss and allows devices to be tracked.
  8. USB ports and SD card slots should be disabled unless there is a business need for them.
  9. Transfers of information to removable storage media should be monitored.
  10. Physical documents sent by post or courier are exposed to a high risk of unauthorised access in transit, so appropriate protective measures (such as careful selection of couriers) should be taken.
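Items 7 and 9 above (a register of removable media, and monitoring of transfers to removable media) are the two that are usually enforced with tooling rather than by hand. The following Python script is an added example, not part of the ISO text or of ISMS.online's own material: it parses Linux kernel USB messages in `journalctl -k` format (the sample lines are constructed) and flags any mass-storage device that is absent from a hypothetical media register keyed by USB vendor ID, product ID and serial number. The register layout, asset IDs, owner names and host name are assumptions for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in `journalctl -k` format: a registered SanDisk stick, a
# keyboard, and later an unregistered Kingston stick plugged into the same port.
SAMPLE_KERNEL_LOG = """\
Jun 03 09:12:41 ws-17 kernel: usb 1-1.2: new high-speed USB device number 7 using xhci_hcd
Jun 03 09:12:41 ws-17 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Jun 03 09:12:41 ws-17 kernel: usb 1-1.2: Product: Ultra Fit
Jun 03 09:12:41 ws-17 kernel: usb 1-1.2: SerialNumber: 4C530001230415117433
Jun 03 09:12:41 ws-17 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Jun 03 09:15:02 ws-17 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Jun 03 09:15:02 ws-17 kernel: usb 1-1.3: Product: USB Keyboard
Jun 03 11:40:19 ws-17 kernel: usb 1-1.2: USB disconnect, device number 7
Jun 03 11:40:19 ws-17 kernel: usb 1-1.2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jun 03 11:40:19 ws-17 kernel: usb 1-1.2: SerialNumber: E0D55EA5742B
Jun 03 11:40:19 ws-17 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
"""

# Hypothetical media register: (idVendor, idProduct, serial) -> asset record.
MEDIA_REGISTER = {
    ("0781", "5583", "4C530001230415117433"): {
        "asset_id": "RM-0042", "owner": "j.doe",
        "classification": "Confidential", "encrypted": True,
    },
}

RE_HOST = re.compile(r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<host>\S+) kernel: ")
RE_FOUND = re.compile(r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
                      r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
RE_SERIAL = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
RE_STORAGE = re.compile(r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: "
                        r"USB Mass Storage device detected")


@dataclass
class UsbDevice:
    host: str
    port: str
    first_seen: str
    vendor_id: str
    product_id: str
    serial: Optional[str] = None
    mass_storage: bool = False

    def key(self):
        return (self.vendor_id, self.product_id, self.serial)


def parse_kernel_log(text: str) -> list:
    """One UsbDevice per 'New USB device found' line. A port can be reused by
    successive devices, so each 'found' line starts a new record and later
    SerialNumber / usb-storage lines attach to the latest device on that port."""
    devices, current = [], {}
    for line in text.splitlines():
        m = RE_FOUND.search(line)
        if m:
            h = RE_HOST.match(line)
            dev = UsbDevice(host=h.group("host") if h else "?", port=m.group("port"),
                            first_seen=line[:15], vendor_id=m.group("vid"),
                            product_id=m.group("pid"))
            devices.append(dev)
            current[dev.port] = dev
            continue
        m = RE_SERIAL.search(line)
        if m and m.group("port") in current:
            current[m.group("port")].serial = m.group("serial")
            continue
        m = RE_STORAGE.search(line)
        if m and m.group("port") in current:
            current[m.group("port")].mass_storage = True
    return devices


def check_against_register(devices, register):
    """Split mass-storage insertions into authorised uses (for the usage log)
    and alerts for devices missing from the register. Non-storage USB devices
    such as keyboards are outside the scope of 7.10 and are skipped."""
    authorised, alerts = [], []
    for dev in devices:
        if not dev.mass_storage:
            continue
        entry = register.get(dev.key())
        where = f"{dev.first_seen} {dev.host} port {dev.port}"
        if entry is None:
            alerts.append(f"{where}: UNREGISTERED mass-storage device "
                          f"{dev.vendor_id}:{dev.product_id} serial={dev.serial}")
        else:
            authorised.append(f"{where}: {entry['asset_id']} ({entry['classification']}, "
                              f"encrypted={entry['encrypted']}) registered to {entry['owner']}")
    return authorised, alerts


if __name__ == "__main__":
    ok, bad = check_against_register(parse_kernel_log(SAMPLE_KERNEL_LOG), MEDIA_REGISTER)
    print("\n".join(["AUTHORISED:"] + ok + ["ALERTS:"] + bad))
```

On a real host, feed the script the output of `journalctl -k` instead of the embedded sample. The same vendor/product/serial triple is what a udev rule or an endpoint agent would use to allow only registered devices; this script only detects, it does not block, and disabling ports (item 8) remains the coarser preventive control.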

Guidance on Secure Reuse and Disposal of Storage Media

ISO 27001:2022 Annex A 7.10 also gives guidance on the secure reuse and disposal of storage media, to help organisations reduce the risk of a breach of confidentiality.

It states that organisations should establish and implement procedures for the reuse and disposal of storage media, taking into account the sensitivity of the information held on the media.

Organisations should consider the following when setting up these measures:

  • If storage media is to be reused by an internal party, any sensitive information on it must be securely and irrevocably deleted before reuse is authorised. A standard reformat alone does not remove the underlying data, so a sanitisation method appropriate to the media type (or destruction of the key of an encrypted medium) should be used and the result verified.
  • Storage media holding sensitive information should be securely destroyed once it is no longer needed: paper documents can be shredded and digital media physically destroyed.
  • A procedure should exist for identifying storage media that needs to be disposed of.
  • Due diligence should be carried out when selecting an external party to collect and dispose of storage media, to ensure the vendor is competent and has appropriate controls in place.
  • All disposed items should be recorded to provide an audit trail.
  • When disposing of several storage media together, the aggregation effect should be considered: combining individually non-sensitive pieces of data from different media can produce sensitive information.

Finally, ISO 27001:2022 Annex A 7.10 requires organisations to assess the risk posed by confidential data held on damaged equipment when deciding whether that equipment should be repaired or destroyed.
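The reuse and audit-trail points above only hold if the deletion can be verified. The following Python example is added here (it is not part of the standard or of ISMS.online's material) and chains the three steps a practitioner would run on media due for internal reuse: a single-pass overwrite, a sampled read-back verification that no sampled block still holds data, and a record for the media register. It runs against a constructed 1 MiB file image standing in for a removable drive; the asset ID and operator name are assumptions. One caveat: host-side overwriting is suitable for magnetic disks and file images, but on SSDs and flash media wear-levelling means the host cannot reach every physical cell, so the drive's own sanitise command (or destroying the key of an encrypted medium) should be used instead, followed by the same kind of read-back verification.

```python
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096


def make_test_image(path: str, size_blocks: int = 256) -> None:
    """Constructed stand-in for a removable drive: random data with a
    recognisable 'confidential' marker in every seventh block (block 0 included)."""
    marker = (b"CONFIDENTIAL-PAYROLL " * 200)[:BLOCK_SIZE]
    with open(path, "wb") as f:
        for i in range(size_blocks):
            f.write(marker if i % 7 == 0 else secrets.token_bytes(BLOCK_SIZE))


def overwrite_with_zeros(path: str) -> int:
    """Single-pass overwrite of the whole medium, synced to the device.
    Returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    zero_block = bytes(BLOCK_SIZE)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            remaining -= f.write(zero_block[:min(BLOCK_SIZE, remaining)])
        f.flush()
        os.fsync(f.fileno())  # do not trust the page cache: force the writes onto the medium
    return size


def verify_sanitised(path: str, sample_blocks: int = 64) -> dict:
    """Sampled verification: the first and last blocks plus `sample_blocks`
    randomly chosen blocks must all read back as zeros."""
    size = os.path.getsize(path)
    n_blocks = max(1, (size + BLOCK_SIZE - 1) // BLOCK_SIZE)
    chosen = {0, n_blocks - 1} | {secrets.randbelow(n_blocks) for _ in range(sample_blocks)}
    blocks_with_data = []
    with open(path, "rb") as f:
        for idx in sorted(chosen):
            f.seek(idx * BLOCK_SIZE)
            if any(f.read(BLOCK_SIZE)):  # any non-zero byte means data survived
                blocks_with_data.append(idx)
    return {"blocks_checked": len(chosen),
            "blocks_with_data": blocks_with_data,
            "passed": not blocks_with_data}


def disposal_record(asset_id: str, path: str, method: str,
                    verification: dict, operator: str) -> dict:
    """Audit-trail entry for the media register (the field set is an assumption)."""
    return {
        "asset_id": asset_id,
        "medium": path,
        "size_bytes": os.path.getsize(path),
        "method": method,
        "verification": verification,
        "operator": operator,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def sanitise_for_reuse(asset_id: str, path: str, operator: str) -> dict:
    """Overwrite, verify, record. If the read-back finds data the record says
    'passed': False and the medium must not be released for reuse."""
    overwrite_with_zeros(path)
    result = verify_sanitised(path)
    return disposal_record(asset_id, path, "single-pass zero overwrite", result, operator)


def run_demo() -> dict:
    """Build the constructed image, show verification failing before the wipe
    and passing after it. Asset ID and operator are hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "RM-0042.img")
        make_test_image(image)
        before = verify_sanitised(image)
        record = sanitise_for_reuse("RM-0042", image, "ops-admin")
    return {"before": before, "record": record}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

To run the verification step against real media, point `verify_sanitised` at the block device (for example `/dev/sdb` on Linux, opened read-only); the sampled read-back is independent of how the sanitisation was done, so it applies equally after a drive-internal sanitise command.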

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 7.10 replaces ISO 27001:2013 Annex A 8.3.1, 8.3.2, 8.3.3 and 11.2.5.

There are four notable differences.

Changes in Structure

Unlike the 2013 version, which split this area across separate controls for management of removable media, disposal of media, physical media transfer and removal of assets, the 2022 version combines them under Annex A 7.10.

Requirements for Storage Media Reuse Added to the 2022 Version

Whereas the 2013 version covered only the secure disposal of media, the 2022 version also sets out requirements for secure reuse.

Physical Transfer Requirements Are More Comprehensive in the 2013 Version

The 2013 version contained more detailed requirements for the physical transfer of storage media, including identity verification of couriers and packaging standards. Annex A 7.10 in the 2022 version only advises organisations to take care when selecting couriers.

Topic-Specific Removable Storage Media Policy Required in 2022 Version

Although the 2022 and 2013 versions have similar removable storage media requirements, the 2022 version requires a topic-specific policy on removable storage media, which the 2013 version did not.

Table of All ISO 27001:2022 Annex A Controls

The tables below map each ISO 27001:2022 Annex A control to its ISO 27001:2013 predecessor (NEW marks controls introduced in 2022).

ISO 27001:2022 Organisational Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence
Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management
Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets
Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information
Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer
Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management
Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information
Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain
Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence
Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity
Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security
Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working
People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters
Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises
Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware
Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities
Technological Controls | Annex A 8.9 | NEW | Configuration Management
Technological Controls | Annex A 8.10 | NEW | Information Deletion
Technological Controls | Annex A 8.11 | NEW | Data Masking
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities
Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs
Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks
Technological Controls | Annex A 8.23 | NEW | Web Filtering
Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle
Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles
Technological Controls | Annex A 8.28 | NEW | Secure Coding
Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development
Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments
Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing

How ISMS.online Helps

ISMS.online takes a risk-based approach, using industry-leading best practices and templates, to help you identify the risks your organisation is exposed to and the controls needed to manage them. This reduces both risk and the cost of compliance.
