When to use this
Use this procedure to define how storage media is acquired, approved, labelled, used, stored, transported, erased, destroyed, and disposed of.
Related controls
- A.7.10 Storage Media
- A.5.12 Classification of Information
- A.5.13 Labelling of Information
- A.5.14 Information Transfer
Procedure rules
| Lifecycle stage | Required rule | Evidence record |
|---|---|---|
| Acquisition | Approved media sources and checks | Approved media list/procurement record |
| Use | Authorized users and permitted data types | Media inventory |
| Storage | Conditions and secure location | Storage inspection record |
| Transportation | Authorization, packaging, courier, encryption | Storage Media Movement Log |
| Reuse | Secure erase before reuse | Erasure record |
| Disposal | Secure destruction or certified disposal | Secure Media Disposal and Destruction Register |
| Damaged media | Risk decision before repair/return | Damaged Media Handling Decision Record |
Minimum handling checklist
- Media classification is known.
- Media owner/custodian is assigned.
- Media is labelled where appropriate.
- Movement is authorized and logged.
- Sensitive media is protected in transit.
- Encryption keys are not transported with encrypted media.
- Disposal/destruction is traceable.
- Template
- Iso27001
- Physical controls
- Storage media
Note Metadata
Aliases: Media Handling Procedure
Source: 90 Templates/Storage Media Handling Procedure.md
Related Notes
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.7.10 - Storage Media
- A.7 Physical Controls MOC
- A.7.10 Audit Evidence Pack
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- A.7 Physical Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.7.10 Audit Checklist
- Damaged Media Handling Decision Record
- Secure Media Disposal and Destruction Register
- Storage Media Movement Log
- Templates MOC