ICT media – whether removable or static – that is used to store and process PII is often viewed as the primary pain point for organisations looking to stay on the right side of their legal, regulatory and contractual obligations.
The difficulties with managing removable media – and the PII contained on it – grow exponentially with the size of the organisation, and the number of employees permitted to use such devices.
In addition to their operational use, storage media need to be properly removed from the network and disposed of when no longer required, and organisations need to ensure that no residual trace of PII or privacy-related information is left on media prior to re-use.
Each sub-clause of ISO 27701 Clause 6.5.3 deals with PII in the context of storage media:
ISO 27701 Clause 6.5.3 is an amalgamation of three previous ISO 27002 controls that have now been consolidated into a single control in the 2022 edition, ISO 27002 7.10 (Storage Media).
Each control contains additional PII-related guidance that governs an organisation’s approach to storage media.
In addition, each sub-clause contains several guidance points that relate to specific articles within UK GDPR legislation.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.
When developing policies that govern the handling of media assets involved in storing PII, organisations should:
When re-purposing, re-using or disposing of storage media, robust procedures should be put in place to ensure that PII is not compromised in any way, including:
If devices that have been used to store PII become damaged, organisations should carefully consider whether it is more appropriate to destroy such media or send it for repair (erring on the side of the former).
ISO warns organisations against using unencrypted storage devices for any PII-related activities.
See ISO 27701 Clause 6.5.3.1.
If media is to be disposed of that previously held PII, organisations should implement procedures that document the destruction of PII and privacy-related data, including categorical assurances that it is no longer available.
See ISO 27701 Clause 6.5.3.1.
Organisations should take extra care when transporting storage media containing PII, as distinct from standard data categories.
Records should be kept of all incoming and outgoing media containing PII, including:
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
---|---|---|---|
6.5.3.1 | Management of Removable Media | 7.10 – Storage Media for ISO 27002 | Articles (5), (32) |
6.5.3.2 | Disposal of Media | 7.10 – Storage Media for ISO 27002 | Article (5) |
6.5.3.3 | Physical Media Transfer | 7.10 – Storage Media for ISO 27002 | Articles (5), (32) |
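The disposal guidance above asks for documented destruction with "categorical assurances" that PII is no longer available, and the transfer guidance asks for records of all incoming and outgoing media. The following is an added example written for this page, not ISMS.online's product code nor anything prescribed by ISO 27701: it verifies that a storage image has actually been overwritten before the medium is re-used or disposed of, and keeps a hash-chained register of media events so that earlier entries cannot be silently altered. The event names, field names, chunk size and sample data are all assumptions.

```python
"""Added example, not part of the ISMS.online page or of ISO 27701 itself:
verify an overwritten storage image and log media events in a hash-chained
register. File layout, field names and sample data are assumptions."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

CHUNK = 4096  # verify in 4 KiB steps (assumed block size)


def verify_sanitised(image: bytes, fill: int = 0x00) -> dict:
    """Check that every byte of `image` equals the overwrite value `fill`.

    Returns a dict rather than a bare bool so the register can record how
    much was checked and, on failure, the offset of the first residual byte.
    An empty image is reported as NOT sanitised: zero bytes checked is not
    an assurance of anything.
    """
    if not image:
        return {"sanitised": False, "bytes_checked": 0, "first_residual_offset": None}
    for offset in range(0, len(image), CHUNK):
        chunk = image[offset:offset + CHUNK]
        if chunk != bytes([fill]) * len(chunk):
            bad = next(i for i, b in enumerate(chunk) if b != fill)
            return {"sanitised": False, "bytes_checked": len(image),
                    "first_residual_offset": offset + bad}
    return {"sanitised": True, "bytes_checked": len(image), "first_residual_offset": None}


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on dict order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_event(register: list, asset_id: str, event: str, custodian: str,
                 detail: Optional[dict] = None, when: Optional[str] = None) -> dict:
    """Append an event ('received', 'dispatched', 'sanitised', 'destroyed';
    assumed vocabulary) and chain it to the previous entry's hash."""
    entry = {
        "seq": len(register),
        "asset_id": asset_id,
        "event": event,
        "custodian": custodian,
        "detail": detail or {},
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "prev_hash": register[-1]["hash"] if register else "0" * 64,
    }
    entry["hash"] = _entry_hash(entry)
    register.append(entry)
    return entry


def register_intact(register: list) -> bool:
    """Re-derive every hash and link; False if any entry was altered."""
    prev = "0" * 64
    for i, entry in enumerate(register):
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or entry["hash"] != _entry_hash(entry)):
            return False
        prev = entry["hash"]
    return True


def cleared_for_reuse(register: list, asset_id: str) -> bool:
    """True only if the asset's most recent event is a verified sanitisation."""
    events = [e for e in register if e["asset_id"] == asset_id]
    if not events:
        return False
    last = events[-1]
    return last["event"] == "sanitised" and last["detail"].get("sanitised") is True


def demo() -> list:
    """Constructed sample data: two USB sticks, one wiped, one with residue."""
    reg: list = []
    record_event(reg, "USB-0001", "received", "r.smith", {"serial": "SN-TEST-1"})
    wiped = bytes(2 * CHUNK)                                   # all 0x00
    residual = bytes(CHUNK) + b"\x00" * 10 + b"PII" + bytes(CHUNK - 13)
    record_event(reg, "USB-0001", "sanitised", "r.smith", verify_sanitised(wiped))
    record_event(reg, "USB-0002", "received", "r.smith", {"serial": "SN-TEST-2"})
    record_event(reg, "USB-0002", "sanitised", "r.smith", verify_sanitised(residual))
    return reg


if __name__ == "__main__":
    r = demo()
    print("register intact:", register_intact(r))
    for asset in ("USB-0001", "USB-0002"):
        print(asset, "cleared for reuse:", cleared_for_reuse(r, asset))
```

In practice the image would be read from the device after the overwrite pass, and the register would be persisted as append-only JSON lines; the hash chain is what gives a later auditor confidence that the recorded outcome is the one actually observed at the time.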
ISMS.online makes personal information management easy through a great cloud-based solution to support ISO 27701 compliance in your organisation.
On top of this we have information security experts and resources available to guide you through the ISO 27701 accreditation process.
Find out more and get a hands-on demonstration by booking a demo.