UnixTime

Research Note

ISO 27001 A.7.10 - Storage Media

The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carr...

On this page

Requirement

Requirement lens

This control asks whether storage media is managed throughout acquisition, use, transportation, and disposal according to classification and handling requirements.

“Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.”

Plain-language meaning

The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carriers such as USB drives, backup tapes, disks, removable drives, CDs/DVDs, printed records, and other portable media.

The rule is simple: if media can store or carry organizational information, it needs handling rules that match the classification of the information it contains.

Why this matters

Storage media is easy to lose, copy, steal, transport, reuse, or dispose of badly. A discarded disk, old backup tape, unapproved USB stick, damaged drive sent for repair, or paper archive moved by an unverified courier can expose sensitive information.

Media can also create availability and integrity risk: obsolete media may not be readable, poor storage conditions may degrade backups, and newly acquired removable media may contain malware.

Implementation guidance

Implementer focus

Treat media like a controlled asset with a lifecycle: acquire, approve, label, use, store, transport, erase, destroy, and record.

1. Define approved media and handling rules

Procedures should define:

  • which media types are approved;
  • who may authorize media use;
  • how media is inventoried;
  • how media is labelled;
  • how media is stored;
  • how media is transported;
  • how media is erased, reused, repaired, destroyed, or disposed of;
  • what records must be retained.

Handling should align to A.5.12 Classification of Information and A.5.13 Labelling of Information.

2. Control acquisition and use

Unapproved media can introduce malware or bypass controls.

Examples:

  • only approved encrypted USB drives may be used;
  • backup media must be tracked and stored under defined conditions;
  • newly acquired media should be checked before use where risk justifies it;
  • media should be replaced before deterioration or obsolescence creates availability risk.

3. Control removal and transportation

Media removal and dispatch should be authorized and recorded.

Transport controls may include:

  • secure courier;
  • verified courier identity;
  • tamper-evident packaging;
  • locked containers;
  • personal delivery for high-risk items;
  • shipment splitting;
  • encryption;
  • not transporting encryption keys with encrypted media;
  • delivery confirmation records.

4. Control disposal, destruction, and damaged media

Obsolete, redundant, damaged, or discarded media can still contain recoverable information.

Procedures should define:

  • secure erasure;
  • destruction method;
  • destruction records;
  • contractor due diligence;
  • chain of custody;
  • rules for damaged media repair;
  • when damaged media must be destroyed rather than returned or repaired.

5. Keep audit trails

Records should show what media was moved, who authorized it, who carried it, when it left, when it arrived, what was destroyed, and how destruction was verified.

Audit guidance

Auditor focus

Test the media lifecycle. Do not only ask whether USB drives are allowed. Check acquisition, approval, use, transport, storage, disposal, destruction, and damaged-media handling.

Auditors should verify:

  • approved media policy and risk basis;
  • media inventory;
  • classification and labelling alignment;
  • storage conditions and manufacturer recommendations where relevant;
  • authorization for media removal and transport;
  • transport records and courier controls;
  • encryption and key separation where used;
  • disposal/destruction procedure;
  • destruction logs and certificates;
  • damaged media handling decisions;
  • staff awareness and actual practice.

Sample records should show what was delivered, when it was picked up, who authorized transport, who carried it, when it arrived, and what protection was used.

Evidence examples

Evidence quality

Strong evidence proves media is controlled across the full lifecycle and handled according to information classification.

Evidence What it proves
Media handling procedure Lifecycle controls are defined
Approved media list Media use is controlled
Media inventory Media is known and accountable
Media movement log Removal and transport are authorized
Courier/transport records Transport protection is documented
Encryption/key handling evidence Confidentiality during transport is protected
Secure destruction records Disposal is controlled
Damaged media decision records Repair/disposal risk is assessed
Staff interview evidence Users understand media handling rules

Strong evidence

  • Media handling rules align to classification.
  • Media is inventoried and labelled where appropriate.
  • Dispatches are authorized and recorded.
  • Sensitive media is encrypted or protected during transport.
  • Encryption keys are not transported with encrypted media.
  • Secure destruction records are detailed and traceable.
  • Damaged media is risk-assessed before repair or return.

Weak evidence

  • Staff use any USB stick they prefer.
  • Media inventory is incomplete.
  • Sensitive media is transported by default courier with no risk decision.
  • Disposal contractor certificates lack item-level traceability.
  • Damaged drives are sent for repair without data risk assessment.
  • Encryption keys travel with encrypted media.
  • Paper records are destroyed without logging.

Common failures

Implementation watchouts

A.7.10 fails when media is treated as a minor IT accessory instead of a carrier of classified information.

Failure Why it matters
No approved media rules Malware, loss, and uncontrolled copying become likely
No movement log The organization cannot prove custody
Weak courier controls Sensitive media can be lost or accessed in transit
Keys shipped with encrypted data Encryption protection is undermined
Disposal not traceable Sensitive information may remain recoverable
Damaged media sent for repair External parties may recover data
Obsolete media ignored Backups or records may become unreadable

Exam traps

Exam focus

A.7.10 covers the full media lifecycle. Do not reduce it to USB blocking or disposal only.

Trap Correct interpretation
Storage media means only USB drives It includes backup tapes, disks, removable drives, optical media, printed media, and similar carriers
Encryption alone solves transport Courier, packaging, authorization, records, and key separation also matter
Disposal is enough if a contractor signs a certificate The organization needs a satisfactory audit trail and contractor assurance
Damaged media can always be repaired Sensitive damaged media may need destruction instead of repair
Media controls are separate from classification Handling should follow classification and handling requirements

KB-ready summary

Mentor takeaway

A.7.10 requires media to be controlled across its lifecycle according to classification and handling rules. The strongest evidence is an audit trail for approval, custody, transport, erasure, destruction, and exceptions.

  • Define approved media and handling rules.
  • Inventory and label media where appropriate.
  • Authorize and record media movement.
  • Protect media in transport.
  • Keep encryption keys separate from encrypted media.
  • Erase or destroy media securely before reuse, repair, disposal, or transfer.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Physical controls
  • Storage media
  • Media handling
  • Audit

Note Metadata

Aliases: A.7.10, Storage Media

Source: 04 Annex A Physical Controls/A.7.10 Storage Media.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.