UnixTime

Research Note

EXAM-024 - Off-Premises Assets and Storage Media

- A.7.9 is not only remote access. It includes equipment, documents, data, software, paper, mobile devices, BYOD, custody, and return. - A.7.9 allows risk acceptance where off-s...

On this page

Memory cues

Control Cue
A.7.9 Security of Assets Off-Premises Protect assets when they leave controlled premises
A.7.10 Storage Media Control media from acquisition to destruction

Likely exam traps

  • A.7.9 is not only remote access. It includes equipment, documents, data, software, paper, mobile devices, BYOD, custody, and return.
  • A.7.9 allows risk acceptance where off-site protection is weaker, but the decision should be informed and approved.
  • A.7.10 is not only USB drives. It includes backup tapes, disks, removable drives, optical media, printed media, and similar information carriers.
  • A.7.10 follows classification and handling requirements.
  • Encryption does not remove the need for authorization, transport records, courier controls, packaging, and key separation.
  • Damaged media may need destruction rather than repair if sensitive information could be recovered.

Quick comparison

Question A.7.9 A.7.10
Main concern Assets outside premises Media lifecycle
Key evidence Off-site asset register, authorization, attestation, return, erase records Media inventory, movement log, transport records, destruction register
Common failure Staff take assets home informally Media is transported or destroyed without traceability
Audit method Sample off-site assets and leaver/BYOD records Trace media from approval through movement and disposal

Practical mentor takeaway

Exam lens

A.7.9 asks “where did the asset go and who is responsible?” A.7.10 asks “where did the media go through its lifecycle and can we prove safe handling?”

  • Iso27001
  • Exam
  • Physical controls

Note Metadata

Aliases: A.7.9 A.7.10 exam cues

Source: 09-Exam-Preparation/EXAM-024-Off-Premises-Assets-and-Storage-Media.md