- See ISO 27002:2022 Control 7.10 for more information.
- See ISO 27001:2013 Annex A 8.3.1 for more information.
- See ISO 27001:2013 Annex A 8.3.2 for more information.
- See ISO 27001:2013 Annex A 8.3.3 for more information.
- See ISO 27001:2013 Annex A 11.2.5 for more information.
ISO 27001 Annex A 7.10: Protecting Sensitive Data on Storage Media
The utilisation of storage media devices, such as SSDs, USBs, external drives, and mobiles, is essential for numerous essential information handling operations, including data back-up, storage, and transfer.
The storing of sensitive and important data on these devices presents risks to the accuracy, secrecy, and accessibility of information resources. These risks may involve the disappearance or theft of storage media with confidential information, the transmission of malware across all corporate computing networks via the storage media, and the breakdown or reduction in quality of storage media used for backup.
ISO 27001:2022 Annex A 7.10 outlines the steps organisations must take to ensure the security of storage media through its entire life cycle, from acquisition to disposal. Policies and controls must be put in place to guarantee its security.
Purpose of ISO 27001:2022 Annex A 7.10
ISO 27001:2022 Annex A 7.10 facilitates organisations in mitigating and eradicating risks associated with unauthorised access, usage, deletion, alteration, and transmission of confidential data held on storage media devices. It establishes procedures for managing storage media during its entire life cycle.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
What Does Annex A 7.10 Cover?
ISO 27001:2022 Annex A 7.10 pertains to both digital and physical storage media. For instance, storage of data on physical documents is also encompassed by this control.
Along with removable storage media, hard disks as a form of fixed storage are also subject to ISO 27001:2022 Annex A 7.10.
Ownership of Annex A 7.10
ISO 27001:2022 Annex A 7.10 mandates organisations to create and execute suitable procedures, technical controls, and organisation-wide policies regarding the use of storage media according to the organisation’s own classification scheme and any data handling requirements such as legal and contractual conditions.
Information Security Managers should take charge of the whole compliance cycle.
Guidance on ISO 27001:2022 Annex A 7.10 Compliance
Removable Storage Media
Removable media are indispensable to many business operations and are widely employed by personnel. However, they pose the utmost risk to sensitive data.
ISO 27001:2022 Annex A 7.10 sets out ten conditions organisations must observe for the management of removable storage media during its life cycle:
- Organisations ought to create a policy focused on the acquisition, authorisation, use and disposal of removable storage media, informing all personnel and applicable parties of its existence.
- Organisations should, where it is practical and necessary, implement authorisation procedures for the taking of removable storage media out of corporate premises. Additionally, a log of removals should be kept for audit tracking.
- Store all removable storage media in a secure place like a safe, considering the information classification level assigned to the information and any environmental and physical threats to the media.
- If maintaining the confidentiality and trustworthiness of the information on removable media is of utmost importance, cryptographic methods should be employed to safeguard the media from unauthorised access.
- To prevent deterioration of removable storage media and data loss, the information should be moved to a fresh storage media device before the risk arises.
- It is crucial to copy and store sensitive data on multiple storage media to reduce the chance of critical information being lost.
- To reduce the possibility of a complete data loss, registering removable storage media devices can be a viable solution.
- Unless there is a business necessity, USB ports and SD card slots should not be used.
- It is necessary to monitor the transfer of information to any removable storage media devices.
- When transferring information contained in physical documents via mail or courier, there is a high chance of unauthorised access. To counter this, appropriate measures should be taken.
Guidance on Secure Reuse and Disposal of Storage Media
ISO 27001:2022 Annex A 7.10 offers direction on the secure re-use and disposal of storage media to help organisations reduce and get rid of the danger of the confidentiality of information being breached.
Annex A 7.10 states that organisations should create and carry out plans for recycling and disposing of storage media, considering the sensitivity of the data kept in the storage media.
Organisations should consider the following when setting up these measures:
- If an organisation’s internal party is to reuse a storage media, sensitive information hosted on it should be irrevocably deleted or reformatted before authorisation.
- Secure destruction of storage media hosting sensitive information is necessary once it is no longer needed. Paper documents can be shredded and digital equipment can be physically destroyed.
- A system should be developed to identify storage media which needs to be disposed of.
- Organisations should carry out due diligence when selecting an external party to collect and dispose of storage media, making sure the chosen vendor is competent and has the appropriate controls in place.
- Documenting all disposed items for an audit trail.
- When disposing of multiple storage media together, consideration should be given to the cumulative effect: Combining various pieces of data from each storage medium could result in the transformation of non-sensitive information into sensitive material.
Lastly, ISO 27001:2022 Annex A 7.10 mandates organisations to evaluate the risk of confidential data stored on damaged equipment, so as to determine whether the equipment should be destroyed or repaired.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes and Differences from ISO 27001:2013
ISO 27001:2022 Annex A 7.10 replaces ISO 27001:2013 Annex A 08.3.1, 08.3.2, 08.3.3 and 11.2.5.
There are four notable differences.
Changes in Structure
Unlike the 2013 version, which had three separate controls for media management, media disposal, and physical media transfer, the 2022 version combines them under Annex A 7.10.
Requirements for Storage Media Reuse Added to the 2022 Version
In contrast to the 2013 version, which only covered secure media disposal, the 2022 version also includes secure media reuse requirements.
Physical Transfer Requirements Are More Comprehensive in the 2013 Version
The 2013 version had more extensive requirements for physically transferring storage media, including ID verification for couriers and packaging standards. In contrast, Annex A 7 7.10 in the 2022 version only suggests organisations act with caution when selecting couriers.
Topic-Specific Removable Storage Media Policy Required in 2022 Version
While the 2022 and 2013 versions are similar in terms of removable storage media requirements, the 2022 version mandates a topic-specific policy on removable storage media. The 2013 version did not cover this requirement.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
How ISMS.online Help
ISMS.online takes a risk-based approach, utilising industry-leading best practices and templates, for helping you to detect the risks your organisation is exposed to and the controls needed to manage them. This assists in reducing both risk and compliance costs.
Contact us now to arrange a demonstration.
