ISO 27001:2022 Annex A 7.10 – Storage Media

• See ISO 27002:2022 Control 7.10 for more information.
• See ISO 27001:2013 Annex A 8.3.1 for more information.
• See ISO 27001:2013 Annex A 8.3.2 for more information.
• See ISO 27001:2013 Annex A 8.3.3 for more information.
• See ISO 27001:2013 Annex A 11.2.5 for more information.

ISO 27001 Annex A 7.10: Protecting Sensitive Data on Storage Media

The utilisation of storage media devices, such as SSDs, USBs, external drives, and mobiles, is essential for numerous essential information handling operations, including data back-up, storage, and transfer.

The storing of sensitive and important data on these devices presents risks to the accuracy, secrecy, and accessibility of information resources. These risks may involve the disappearance or theft of storage media with confidential information, the transmission of malware across all corporate computing networks via the storage media, and the breakdown or reduction in quality of storage media used for backup.

ISO 27001:2022 Annex A 7.10 outlines the steps organisations must take to ensure the security of storage media through its entire life cycle, from acquisition to disposal. Policies and controls must be put in place to guarantee its security.

Purpose of ISO 27001:2022 Annex A 7.10

ISO 27001:2022 Annex A 7.10 facilitates organisations in mitigating and eradicating risks associated with unauthorised access, usage, deletion, alteration, and transmission of confidential data held on storage media devices. It establishes procedures for managing storage media during its entire life cycle.

What Does Annex A 7.10 Cover?

ISO 27001:2022 Annex A 7.10 pertains to both digital and physical storage media. For instance, storage of data on physical documents is also encompassed by this control.

Along with removable storage media, hard disks as a form of fixed storage are also subject to ISO 27001:2022 Annex A 7.10.

Ownership of Annex A 7.10

ISO 27001:2022 Annex A 7.10 mandates organisations to create and execute suitable procedures, technical controls, and organisation-wide policies regarding the use of storage media according to the organisation’s own classification scheme and any data handling requirements such as legal and contractual conditions.

Information Security Managers should take charge of the whole compliance cycle.

Guidance on ISO 27001:2022 Annex A 7.10 Compliance

Removable Storage Media

Removable media are indispensable to many business operations and are widely employed by personnel. However, they pose the utmost risk to sensitive data.

ISO 27001:2022 Annex A 7.10 sets out ten conditions organisations must observe for the management of removable storage media during its life cycle:

1. Organisations ought to create a policy focused on the acquisition, authorisation, use and disposal of removable storage media, informing all personnel and applicable parties of its existence.
2. Organisations should, where it is practical and necessary, implement authorisation procedures for the taking of removable storage media out of corporate premises. Additionally, a log of removals should be kept for audit tracking.
3. Store all removable storage media in a secure place like a safe, considering the information classification level assigned to the information and any environmental and physical threats to the media.
4. If maintaining the confidentiality and trustworthiness of the information on removable media is of utmost importance, cryptographic methods should be employed to safeguard the media from unauthorised access.
5. To prevent deterioration of removable storage media and data loss, the information should be moved to a fresh storage media device before the risk arises.
6. It is crucial to copy and store sensitive data on multiple storage media to reduce the chance of critical information being lost.
7. To reduce the possibility of a complete data loss, registering removable storage media devices can be a viable solution.
8. Unless there is a business necessity, USB ports and SD card slots should not be used.
9. It is necessary to monitor the transfer of information to any removable storage media devices.
10. When transferring information contained in physical documents via mail or courier, there is a high chance of unauthorised access. To counter this, appropriate measures should be taken.

Guidance on Secure Reuse and Disposal of Storage Media

ISO 27001:2022 Annex A 7.10 offers direction on the secure re-use and disposal of storage media to help organisations reduce and get rid of the danger of the confidentiality of information being breached.

Annex A 7.10 states that organisations should create and carry out plans for recycling and disposing of storage media, considering the sensitivity of the data kept in the storage media.

Organisations should consider the following when setting up these measures:

• If an organisation’s internal party is to reuse a storage media, sensitive information hosted on it should be irrevocably deleted or reformatted before authorisation.
• Secure destruction of storage media hosting sensitive information is necessary once it is no longer needed. Paper documents can be shredded and digital equipment can be physically destroyed.
• A system should be developed to identify storage media which needs to be disposed of.
• Organisations should carry out due diligence when selecting an external party to collect and dispose of storage media, making sure the chosen vendor is competent and has the appropriate controls in place.
• Documenting all disposed items for an audit trail.
• When disposing of multiple storage media together, consideration should be given to the cumulative effect: Combining various pieces of data from each storage medium could result in the transformation of non-sensitive information into sensitive material.

Lastly, ISO 27001:2022 Annex A 7.10 mandates organisations to evaluate the risk of confidential data stored on damaged equipment, so as to determine whether the equipment should be destroyed or repaired.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 7.10 replaces ISO 27001:2013 Annex A 08.3.1, 08.3.2, 08.3.3 and 11.2.5.

There are four notable differences.

Changes in Structure

Unlike the 2013 version, which had three separate controls for media management, media disposal, and physical media transfer, the 2022 version combines them under Annex A 7.10.

Requirements for Storage Media Reuse Added to the 2022 Version

In contrast to the 2013 version, which only covered secure media disposal, the 2022 version also includes secure media reuse requirements.

Physical Transfer Requirements Are More Comprehensive in the 2013 Version

The 2013 version had more extensive requirements for physically transferring storage media, including ID verification for couriers and packaging standards. In contrast, Annex A 7 7.10 in the 2022 version only suggests organisations act with caution when selecting couriers.

Topic-Specific Removable Storage Media Policy Required in 2022 Version

While the 2022 and 2013 versions are similar in terms of removable storage media requirements, the 2022 version mandates a topic-specific policy on removable storage media. The 2013 version did not cover this requirement.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

ISMS.online takes a risk-based approach, utilising industry-leading best practices and templates, for helping you to detect the risks your organisation is exposed to and the controls needed to manage them. This assists in reducing both risk and compliance costs.

Contact us now to arrange a demonstration.