ISO 27701, Clause 6.5.3 – Media Handling

ISO 27701 Controls and Clauses Explained

Book a demo

photo,young,coworkers,crew,working,with,new,startup,project,in

ICT media – whether removable or static – that is used to store and process PII is often viewed as the primary pain point for organisations looking to stay on the right side of their legal, regulatory and contractual obligations.

The difficulties with managing removable media – and the PII contained on it – grow exponentially with the size of the organisation, and the number of employees permitted to use such devices.

In addition to their operational use, storage media needs to be adequately removed from the network and disposed of when no longer required, and organisations need to ensure that no residual trace is left of any PII or privacy-related information prior re-use.

What’s Covered in ISO 27701 Clause 6.5.3

Each clause within ISO 27701 deals with the concept of PII, within the context of storage media:

  • ISO 27701 6.5.3.1 – Management of removable media (References ISO 27002 control 7.10)
  • ISO 27701 6.5.3.2 – Disposal of media (References ISO 27002 control 7.10)
  • ISO 27701 6.5.3.3 – Physical media transfer (References ISO 27002 control 7.10)

ISO 27701 Clause 6.5.3 is an amalgamation of three previous ISO 27002 clauses, that have now been consolidated into one single clause in the 2022 iteration – ISO 27002 7.10 (Storage Media).

Each control contains additional PII-related guidance that governs an organisation’s approach to storage media.

In addition, each sub-clause contains several guidance points that relate to specific articles within UK GDPR legislation.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.

Achieve ISO 27701 Success

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.5.3.1 – Management of Removable Media

References ISO 27002 Control 7.10

Removable Storage Media

When developing policies that govern the handling of media assets involved in storing PII, organisations should:

  • Develop unique topic-specific policies based upon departmental or job-based requirements.
  • Ensure that proper authorisation is sought and granted, before personnel are able to remove storage media from the network (including keeping an accurate and up-to-date record of such activities).
  • Store media in accordance with the manufacturers specifications, free from any environmental damage.
  • Consider using encryption as a pre-requisite to access, or where this isn’t possible, implementing additional physical security measures.
  • Minimise the risk of PII becoming corrupted by transferring information between storage media, as is required.
  • Introduce PII redundancy by storing protected information on multiple assets at the same time.
  • Only authorise the use of storage media on approved inputs (i.e. SD cards and USB ports), on an asset-by-asset basis.
  • Closely monitor the transfer of PII onto storage media, for any purpose.
  • Take into consideration the risks inherent within the physical transfer of storage media (and by proxy, the PII contained on it), when moving assets between personnel or premises (see ISO 27002 5.14).

Re-Use and Disposal

When re-purposing, re-using or disposing of storage media, robust procedures should be put in place to ensure that PII is not affected in any way, including:

  1. Formatting the storage media, and ensuring that all PII is removed before re-use (see ISO 27002 8.10), including maintaining adequate documentation of all such activities.
  2. Securely disposing of any media that the organisation has no further use for, and has been used to store PII.
  3. If disposal requires involvement of a third-party, organisation’s should take great care to ensure they are a fit and proper partner to perform such duties, in-line with the organisation’s responsibility towards PII and privacy protection.
  4. Implementing procedures that identify which storage media are available for re-use, or can be disposed of accordingly.

If devices that have been used to store PII become damaged, organisation’s should carefully consider whether or not it is more appropriate to destroy such media, or send it for repair (erring on the side of the former).

Additional PII-Related Guidance

ISO warns organisations against using unencrypted storage devices for any PII-related activities.

Relevant ISO 27002 Controls

  • ISO 27002 Control 5.14

Applicable GDPR Articles

  • Article 5 – (1)(f)
  • Article 32 – (1)(a)

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how easy ISO 27701 is with ISMS.online
Get your quote

ISO 27701 Clause 6.5.3.2 – Disposal of Media

References ISO 27002 Control 7.10

See ISO 27701 Clause 6.5.3.1.

Additional PII-Related Guidance

If media is to be disposed of that previously held PII, organisations should implement procedures that document the destruction of PII and privacy-related data, including categorical assurances that it is no longer available.

Applicable GDPR Articles

  • Article 5 – (1)(f)

ISO 27701 Clause 6.5.3.3 – Physical Media Transfer

References ISO 27002 Control 7.10

See ISO 27701 Clause 6.5.3.1.

Additional PII-Related Guidance

Organisations should take extra care when transporting storage media containing PII, as distinct from standard data categories.

Records should be kept of all incoming and outgoing media containing PII, including:

  1. Media type (HDD, USB, SD card etc).
  2. Authorised senders and internal recipients.
  3. Date and time of transfer.
  4. The amount of physical media to be transferred.

Applicable GDPR Articles

  • Article 5 – (1)(f)
  • Article 32 – (1)(a)

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.5.3.1Management of Removable Media7.10 – Storage Media for ISO 27002Articles (5), (32)
6.5.3.2Disposal of Media7.10 – Storage Media for ISO 27002Article (5)
6.5.3.3Physical Media Transfer7.10 – Storage Media for ISO 27002Articles (5), (32)

How ISMS.online Helps

ISMS.online makes personal information management easy through a great cloud-based solution to support ISO 27701 compliance in your organisation.

On top of this we have information security experts and resources available to guide you through the ISO 27701 accreditation process.

Find out more and get a hands on demonstration by booking a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

Explore ISMS.online's platform with a self-guided tour - Start Now