What the auditor wants to verify
Audit objective
Verify that storage media is managed through acquisition, use, transportation, and disposal according to classification and handling requirements.
Evidence to request
| Evidence | Purpose |
|---|---|
| Storage media handling procedure | Shows lifecycle controls are defined |
| Approved media list | Shows media use is controlled |
| Media inventory | Shows media is accountable |
| Media movement log | Shows removal and transport are authorized |
| Transport/courier records | Shows protection during transit |
| Encryption/key handling records | Shows confidentiality controls are applied correctly |
| Disposal/destruction records | Shows media is erased or destroyed |
| Damaged media decision records | Shows repair/disposal risk is assessed |
| Staff interview evidence | Shows awareness of handling rules |
Strong evidence
Strong evidence test
Strong evidence traces media from approved use through movement, transport, erasure, destruction, and exception handling.
- Media handling follows classification.
- Media is inventoried and labelled where appropriate.
- Dispatches are authorized and recorded.
- Sensitive media is protected during transport.
- Encryption keys are separated from encrypted media.
- Destruction records are item-specific and traceable.
- Damaged media is risk-assessed before repair or return.
Weak evidence
Weak evidence warning
Weak evidence shows media exists but not that custody, transport, and disposal are controlled.
- Staff use unapproved USB drives.
- Media inventory is incomplete.
- Courier transport is not risk-assessed.
- Disposal certificates are generic.
- Damaged drives are sent for repair without assessment.
- Keys travel with encrypted media.
Sample interview questions
- Which storage media types are approved?
- How is media labelled and inventoried?
- How is media removal authorized?
- How do you choose transport controls?
- Are encryption keys transported separately?
- How is media erased before reuse or disposal?
- What happens to damaged media containing sensitive data?
Common nonconformities
- Approved media rules missing.
- Media movement not logged.
- Sensitive media transported without suitable protection.
- Disposal/destruction not traceable.
- Damaged media sent externally without risk assessment.
- Media handling not linked to classification.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 10
Note Metadata
Aliases: A.7.10 Evidence
Source: 04 Audit Evidence Packs/A.7.10 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.7.10 - Storage Media
- Audit Evidence MOC
- AQ-ISO27001-A.7.10 Storage Media
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.10 Storage Media
- A.7.10 Audit Checklist
- Damaged Media Handling Decision Record
- Secure Media Disposal and Destruction Register
- Storage Media Handling Procedure
- Storage Media Movement Log
- Audit Evidence Index