Memory cues
| Control | Cue |
|---|---|
| A.7.9 Security of Assets Off-Premises | Protect assets when they leave controlled premises |
| A.7.10 Storage Media | Control media from acquisition to destruction |
Likely exam traps
- A.7.9 is not only remote access. It includes equipment, documents, data, software, paper, mobile devices, BYOD, custody, and return.
- A.7.9 allows risk acceptance where off-site protection is weaker, but the decision should be informed and approved.
- A.7.10 is not only USB drives. It includes backup tapes, disks, removable drives, optical media, printed media, and similar information carriers.
- A.7.10 follows classification and handling requirements.
- Encryption does not remove the need for authorization, transport records, courier controls, packaging, and key separation.
- Damaged media may need destruction rather than repair if sensitive information could be recovered.
Quick comparison
| Question | A.7.9 | A.7.10 |
|---|---|---|
| Main concern | Assets outside premises | Media lifecycle |
| Key evidence | Off-site asset register, authorization, attestation, return, erase records | Media inventory, movement log, transport records, destruction register |
| Common failure | Staff take assets home informally | Media is transported or destroyed without traceability |
| Audit method | Sample off-site assets and leaver/BYOD records | Trace media from approval through movement and disposal |
Practical mentor takeaway
Exam lens
A.7.9 asks “where did the asset go and who is responsible?” A.7.10 asks “where did the media go through its lifecycle and can we prove safe handling?”
- Iso27001
- Exam
- Physical controls
Note Metadata
Aliases: A.7.9 A.7.10 exam cues
Source: 09-Exam-Preparation/EXAM-024-Off-Premises-Assets-and-Storage-Media.md