
What does control A.3.20 require?

Storage media with PII shall be managed through its life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.

This control sits within the Shared security controls annex (A.3) and addresses the full life cycle of any physical or removable media that stores PII. Unlike purely digital security controls, A.3.20 focuses on the tangible risks of media being lost, stolen, intercepted or improperly disposed of at each stage of its journey through the organisation.

What does the Annex B implementation guidance say?

Annex B (section B.3.20) provides extensive guidance covering several key areas:

  • Document all removable media use — The organisation should document any use of removable media or devices for the storage of PII, creating an auditable record of what media exists and where it is used
  • Encrypt wherever feasible — Removable physical media or devices used for storing PII should permit encryption. Unencrypted media should only be used where unavoidable, with compensating controls such as tamper-evident packaging to mitigate risks
  • Secure disposal procedures — Where removable media containing PII is disposed of, secure disposal procedures must be documented and implemented to ensure previously stored PII is not accessible
  • Physical media transfer controls — A system should record incoming and outgoing physical media containing PII, including media type, authorised sender, authorised recipients, date and time, and volume of media
  • Encryption in transit — Where possible, additional measures such as encryption should ensure data can only be accessed at the point of destination, not in transit
  • Authorisation before leaving premises — Physical media containing PII must go through an authorisation procedure before leaving the organisation’s premises, ensuring PII is not accessible to anyone other than authorised personnel

The guidance emphasises that removable media taken outside the organisation’s physical premises is particularly vulnerable to loss, damage and inappropriate access. Encrypting removable media adds a critical layer of protection that reduces both security and privacy risks if the media is compromised.

How does this map to GDPR?

Control A.3.20 maps to the following GDPR articles:

  • Article 5(1)(f) — The integrity and confidentiality principle, requiring appropriate security including protection against unauthorised processing and accidental loss
  • Article 32(1)(a) — The requirement to implement appropriate technical and organisational measures, including the pseudonymisation and encryption of personal data

The GDPR’s explicit mention of encryption in Article 32(1)(a) aligns directly with A.3.20’s emphasis on encrypting removable media wherever feasible.

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was spread across Clauses 6.5.3.1 (management of removable media), 6.5.3.2 (disposal of media), 6.5.3.3 (physical media transfer) and 6.8.2.5. The 2025 edition consolidates all of these into a single control A.3.20, providing a more coherent life-cycle view of storage media management. See the Annex F correspondence table for the full mapping.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

What evidence do auditors expect?

When assessing compliance with A.3.20, auditors will typically look for:

  • Media inventory — A register of all removable and portable storage media used for PII, including media type, owner, classification level and physical location
  • Encryption policy and evidence — A policy mandating encryption for removable media containing PII, with evidence that encryption is enforced (e.g. BitLocker, hardware-encrypted USB drives)
  • Transfer log — Records of physical media transfers showing sender, recipient, authorisation, date and media type
  • Disposal records — Certificates of destruction or secure disposal logs for media that has been decommissioned
  • Authorisation procedures — A documented process for approving the removal of PII-containing media from organisational premises
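As an added example (not ISMS.online's or ISO's own code), the following Python sketch shows how the three records auditors ask for (media inventory, transfer log, disposal records) can be kept in one register that also enforces the Annex B rules quoted earlier: unencrypted media must carry a compensating control, a transfer needs a named authoriser before media leaves the premises, and disposal needs a certificate reference. All identifiers, field names and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Medium:
    media_id: str               # constructed label, e.g. "USB-0042"
    media_type: str             # e.g. "USB flash drive", "LTO tape"
    classification: str         # per the organisation's classification scheme (A.3.5)
    location: str
    encrypted: bool
    compensating_control: str = ""   # required only when encrypted is False
    state: str = "acquired"          # acquired -> in_transit -> disposed

def timestamp() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

class MediaRegister:
    def __init__(self) -> None:
        self.media: dict[str, Medium] = {}        # media inventory
        self.transfer_log: list[dict] = []         # incoming/outgoing physical media
        self.disposal_log: list[dict] = []         # secure disposal records

    def acquire(self, m: Medium) -> Medium:
        if not m.encrypted and not m.compensating_control:  # B.3.20: unencrypted only with a compensating control
            raise ValueError(f"{m.media_id}: unencrypted media needs a compensating control")
        self.media[m.media_id] = m
        return m

    def transfer(self, media_id: str, sender: str, recipient: str, authorised_by: str, volume: str) -> dict:
        m = self.media[media_id]
        if m.state == "disposed":
            raise ValueError(f"{media_id}: media already disposed of")
        if not authorised_by:  # B.3.20: authorisation before PII media leaves the premises
            raise ValueError(f"{media_id}: transfer not authorised")
        entry = {"media_id": media_id, "media_type": m.media_type, "sender": sender,
                 "recipients": recipient, "authorised_by": authorised_by,
                 "timestamp": timestamp(), "volume": volume}
        self.transfer_log.append(entry)
        m.state, m.location = "in_transit", f"in transit to {recipient}"
        return entry

    def dispose(self, media_id: str, method: str, certificate_ref: str) -> dict:
        m = self.media[media_id]
        if not certificate_ref:  # B.3.20: secure disposal must be documented and evidenced
            raise ValueError(f"{media_id}: disposal needs a destruction certificate reference")
        entry = {"media_id": media_id, "method": method, "certificate": certificate_ref, "timestamp": timestamp()}
        self.disposal_log.append(entry)
        m.state, m.location = "disposed", "destroyed"
        return entry
```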

What are the related controls?

| Control | Relationship |
|---|---|
| A.3.5 Classification of information | Media handling requirements are determined by the classification of the PII the media contains |
| A.3.6 Labelling of information | Storage media should be labelled according to its classification level |
| A.3.21 Secure disposal or re-use | Disposal of equipment containing storage media must follow secure procedures |
| A.3.26 Use of cryptography | Encryption requirements for media are governed by the cryptography policy |
| A.3.7 Information transfer | Physical media transfer is one form of information transfer covered by A.3.7 |

Who does this control apply to?

A.3.20 is a shared control that applies to both PII controllers and PII processors. Any organisation that uses physical or removable storage media for PII must manage that media throughout its entire life cycle. This is particularly relevant for organisations that transfer PII via removable media between sites, to third parties or to clients.

Why choose ISMS.online for storage media management?

ISMS.online provides practical tools for managing storage media containing PII:

  • Asset register — Maintain a central inventory of all storage media, linked to classification levels, owners and physical locations, with lifecycle tracking from acquisition to disposal
  • Transfer workflows — Log and authorise physical media transfers with approval workflows, ensuring every movement is recorded and auditable
  • Disposal tracking — Record secure disposal events with certificates of destruction, linked directly to the asset register for complete traceability
  • Policy management — Publish and distribute storage media policies with acknowledgement tracking, so you can demonstrate that staff understand the requirements
  • Audit evidence packs — Generate pre-built evidence packs for A.3.20 that bring together your media inventory, transfer logs, disposal records and policy acknowledgements

FAQs

What counts as storage media under this control?

Storage media includes any physical device capable of storing data: USB flash drives, external hard drives, SD cards, optical discs (CDs, DVDs, Blu-ray), magnetic tapes, solid-state drives and even paper records. The control covers both removable media and media that is built into portable equipment such as laptops. If the media can store PII and can leave the organisation’s premises, it falls within the scope of A.3.20.


Is encryption mandatory for all removable media?

The guidance states that encryption should be used wherever feasible. Unencrypted media should only be used where unavoidable, and compensating controls must be in place. In practice, modern hardware-encrypted USB drives and full-disk encryption tools make encryption feasible in almost all scenarios. Auditors will expect a clear justification for any cases where encryption is not used.


How should organisations handle cloud storage under this control?

A.3.20 specifically focuses on physical and removable storage media rather than cloud storage. Cloud storage is addressed by other controls, including A.3.10 Supplier agreements and A.3.7 Information transfer. However, if data is downloaded from cloud storage onto removable media, that media immediately falls within the scope of A.3.20 and must be managed accordingly.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
