Requirement
Requirement lens
This control asks whether storage media is managed throughout acquisition, use, transportation, and disposal according to classification and handling requirements.
“Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.”
Plain-language meaning
The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carriers such as USB drives, backup tapes, disks, removable drives, CDs/DVDs, printed records, and other portable media.
The rule is simple: if media can store or carry organizational information, it needs handling rules that match the classification of the information it contains.
Why this matters
Storage media is easy to lose, copy, steal, transport, reuse, or dispose of badly. A discarded disk, old backup tape, unapproved USB stick, damaged drive sent for repair, or paper archive moved by an unverified courier can expose sensitive information.
Media can also create availability and integrity risk: obsolete media may not be readable, poor storage conditions may degrade backups, and newly acquired removable media may contain malware.
Implementation guidance
Implementer focus
Treat media like a controlled asset with a lifecycle: acquire, approve, label, use, store, transport, erase, destroy, and record.
1. Define approved media and handling rules
Procedures should define:
- which media types are approved;
- who may authorize media use;
- how media is inventoried;
- how media is labelled;
- how media is stored;
- how media is transported;
- how media is erased, reused, repaired, destroyed, or disposed of;
- what records must be retained.
Handling should align to A.5.12 Classification of Information and A.5.13 Labelling of Information.
2. Control acquisition and use
Unapproved media can introduce malware or bypass controls.
Examples:
- only approved encrypted USB drives may be used;
- backup media must be tracked and stored under defined conditions;
- newly acquired media should be checked before use where risk justifies it;
- media should be replaced before deterioration or obsolescence creates availability risk.
3. Control removal and transportation
Media removal and dispatch should be authorized and recorded.
Transport controls may include:
- secure courier;
- verified courier identity;
- tamper-evident packaging;
- locked containers;
- personal delivery for high-risk items;
- shipment splitting;
- encryption;
- not transporting encryption keys with encrypted media;
- delivery confirmation records.
4. Control disposal, destruction, and damaged media
Obsolete, redundant, damaged, or discarded media can still contain recoverable information.
Procedures should define:
- secure erasure;
- destruction method;
- destruction records;
- contractor due diligence;
- chain of custody;
- rules for damaged media repair;
- when damaged media must be destroyed rather than returned or repaired.
5. Keep audit trails
Records should show what media was moved, who authorized it, who carried it, when it left, when it arrived, what was destroyed, and how destruction was verified.
Audit guidance
Auditor focus
Test the media lifecycle. Do not only ask whether USB drives are allowed. Check acquisition, approval, use, transport, storage, disposal, destruction, and damaged-media handling.
Auditors should verify:
- approved media policy and risk basis;
- media inventory;
- classification and labelling alignment;
- storage conditions and manufacturer recommendations where relevant;
- authorization for media removal and transport;
- transport records and courier controls;
- encryption and key separation where used;
- disposal/destruction procedure;
- destruction logs and certificates;
- damaged media handling decisions;
- staff awareness and actual practice.
Sample records should show what was delivered, when it was picked up, who authorized transport, who carried it, when it arrived, and what protection was used.
Evidence examples
Evidence quality
Strong evidence proves media is controlled across the full lifecycle and handled according to information classification.
| Evidence | What it proves |
|---|---|
| Media handling procedure | Lifecycle controls are defined |
| Approved media list | Media use is controlled |
| Media inventory | Media is known and accountable |
| Media movement log | Removal and transport are authorized |
| Courier/transport records | Transport protection is documented |
| Encryption/key handling evidence | Confidentiality during transport is protected |
| Secure destruction records | Disposal is controlled |
| Damaged media decision records | Repair/disposal risk is assessed |
| Staff interview evidence | Users understand media handling rules |
Strong evidence
- Media handling rules align to classification.
- Media is inventoried and labelled where appropriate.
- Dispatches are authorized and recorded.
- Sensitive media is encrypted or protected during transport.
- Encryption keys are not transported with encrypted media.
- Secure destruction records are detailed and traceable.
- Damaged media is risk-assessed before repair or return.
Weak evidence
- Staff use any USB stick they prefer.
- Media inventory is incomplete.
- Sensitive media is transported by default courier with no risk decision.
- Disposal contractor certificates lack item-level traceability.
- Damaged drives are sent for repair without data risk assessment.
- Encryption keys travel with encrypted media.
- Paper records are destroyed without logging.
Common failures
Implementation watchouts
A.7.10 fails when media is treated as a minor IT accessory instead of a carrier of classified information.
| Failure | Why it matters |
|---|---|
| No approved media rules | Malware, loss, and uncontrolled copying become likely |
| No movement log | The organization cannot prove custody |
| Weak courier controls | Sensitive media can be lost or accessed in transit |
| Keys shipped with encrypted data | Encryption protection is undermined |
| Disposal not traceable | Sensitive information may remain recoverable |
| Damaged media sent for repair | External parties may recover data |
| Obsolete media ignored | Backups or records may become unreadable |
Exam traps
Exam focus
A.7.10 covers the full media lifecycle. Do not reduce it to USB blocking or disposal only.
| Trap | Correct interpretation |
|---|---|
| Storage media means only USB drives | It includes backup tapes, disks, removable drives, optical media, printed media, and similar carriers |
| Encryption alone solves transport | Courier, packaging, authorization, records, and key separation also matter |
| Disposal is enough if a contractor signs a certificate | The organization needs a satisfactory audit trail and contractor assurance |
| Damaged media can always be repaired | Sensitive damaged media may need destruction instead of repair |
| Media controls are separate from classification | Handling should follow classification and handling requirements |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.9 Security of Assets Off-Premises
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.11 Return of Assets
- A.5.12 Classification of Information
- A.5.13 Labelling of Information
- A.5.14 Information Transfer
- A.5.33 Protection of Records
- A.5.34 Privacy and Protection of PII
- Risk Assessment
- Storage Media Handling Procedure
- Storage Media Movement Log
- Secure Media Disposal and Destruction Register
- Damaged Media Handling Decision Record
- A.7.10 Audit Evidence Pack
- A.7.10 Audit Checklist
KB-ready summary
Mentor takeaway
A.7.10 requires media to be controlled across its lifecycle according to classification and handling rules. The strongest evidence is an audit trail for approval, custody, transport, erasure, destruction, and exceptions.
- Define approved media and handling rules.
- Inventory and label media where appropriate.
- Authorize and record media movement.
- Protect media in transport.
- Keep encryption keys separate from encrypted media.
- Erase or destroy media securely before reuse, repair, disposal, or transfer.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Storage media
- Media handling
- Audit
Note Metadata
Aliases: A.7.10, Storage Media
Source: 04 Annex A Physical Controls/A.7.10 Storage Media.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Control
ISO 27001 A.7.10 - Storage MediaRequirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.33 - Protection of Records
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls MOC
- A.7.10 Audit Evidence Pack
- AQ-ISO27001-A.7.10 Storage Media
- ISO 27001 A.8.10 - Information Deletion
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.10 Storage Media
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-024 - Off-Premises Assets and Storage Media
- ISO 27002 Annex A Control Interpretation Map
- A.7.10 Audit Checklist
- Damaged Media Handling Decision Record
- Equipment Disposal and Reuse Register
- Information Deletion and Destruction Register
- Secure Media Disposal and Destruction Register
- Storage Media Handling Procedure
- Storage Media Movement Log
- Annex A Controls MOC