AuditFront

ISO 27001 A.7.10: Storage media

What This Control Requires

Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements.

In Plain Language

Old hard drives in a cupboard, USB sticks rattling around in desk drawers, backup tapes from three years ago that nobody has inventoried - storage media is one of those areas where organisations tend to lose track of things, and losing track of media means losing track of data.

This control covers the full lifecycle: buying media, using it, moving it around, and eventually destroying it. The handling requirements should match the classification of the information on the media. A USB drive with client financial data needs stronger controls than one with marketing brochures.

Disposal deserves special attention. Deleting a file only removes the file system's reference to it, and a quick format only rewrites the file system metadata; the underlying data stays on the media and can be recovered with freely available tools. Auditors know this, and they will want to see that you use a proper sanitisation method matched to the media type and the sensitivity of the data: degaussing, cryptographic erasure, certified wiping, or physical destruction.

How to Implement

Write a storage media management policy that covers the full lifecycle. Define handling requirements for each phase based on information classification.

For acquisition and registration: buy media from trusted suppliers, register it in your asset inventory on receipt, assign classification labels based on intended use, and pre-encrypt media before it goes into service where possible.

For use and storage: lock away media containing sensitive information when it is not in use, maintain an inventory of all storage media including serial numbers and classification, put access controls on shared media like backup tapes, label media with its classification level and handling requirements (but not what is actually on it), and encrypt all portable storage media.

For transportation: always use encrypted media, package it to prevent physical damage, use tamper-evident containers for highly classified media, track shipments via signed receipts or courier tracking, and verify integrity on receipt.

For sanitisation and disposal: define approved methods for each media type, ideally in the terms NIST SP 800-88 uses (clear, purge, destroy), and verify a sample of sanitised media before it leaves your control. For magnetic media (HDDs, tapes) use approved wiping software that meets NIST SP 800-88 or equivalent, degauss with certified equipment (this also destroys the servo tracks of a modern hard drive, so it is a disposal step rather than a reuse step), or physically destroy. For solid-state media (SSDs, flash drives) use the drive's built-in sanitise command (ATA Secure Erase, or Sanitize/Format on NVMe), cryptographic erasure by destroying the encryption key (only valid if the data was encrypted before it was ever written, as with a self-encrypting drive or full-disk encryption enabled from first use), or physically destroy. Traditional overwriting cannot reliably reach all storage cells on SSDs because wear levelling writes each update to a fresh cell and leaves the old copy in place, and degaussing has no effect on flash at all. For optical media use industrial shredders designed for discs.

Keep records of every disposal. Document the media identifier, classification, sanitisation method, date, and who did it. Get destruction certificates from any third-party disposal service. Vet your disposal contractors - make sure they are reputable and meet your security requirements.

Run periodic physical inventories of storage media. Compare what you find against the register. Investigate any missing items. Dispose of media that is no longer needed rather than letting it accumulate in cupboards.
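A reconciliation of this kind is quick to automate, and doing so covers both this paragraph and the disposal-record paragraph above. The Python below is an added example, not AuditFront's tooling: it compares the media register against a physical count and a disposal log and returns the findings an auditor would ask about (missing media, unregistered media, media recorded as disposed but still present, disposals using a method not approved for that media type, third-party disposals without a certificate, and unencrypted portable media). The record layout, the approved-methods table, the portable-type list and the sample data are all assumptions constructed for the example; replace them with your own policy and register export.

```python
"""Reconcile a storage-media register against a physical count and a disposal
log, and check disposals against an approved-methods policy.

Added example; record layout, policy table and sample data are assumptions
constructed for illustration, not an AuditFront format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumed policy: approved sanitisation methods per media type, in line with the
# guidance above (overwriting is deliberately absent for flash media).
APPROVED_METHODS: Dict[str, Set[str]] = {
    "hdd": {"overwrite_800_88", "degauss", "ata_secure_erase", "shred"},
    "tape": {"degauss", "shred"},
    "ssd": {"crypto_erase", "ata_secure_erase", "nvme_sanitize", "shred"},
    "usb": {"crypto_erase", "shred"},
    "optical": {"shred"},
}
PORTABLE_TYPES = {"usb", "optical", "tape"}  # assumption: what counts as portable


@dataclass(frozen=True)
class Media:
    media_id: str
    media_type: str
    classification: str  # public / internal / confidential
    encrypted: bool


@dataclass(frozen=True)
class Disposal:
    media_id: str
    method: str
    date: str
    performed_by: str
    third_party: bool = False
    certificate_ref: str = ""  # mandatory when third_party is True


def reconcile(register: Iterable[Media], found_ids: Iterable[str],
              disposals: Iterable[Disposal]) -> Dict[str, List[str]]:
    """Return audit findings keyed by finding type, each a sorted list of media IDs."""
    reg = {m.media_id: m for m in register}
    found = set(found_ids)
    disposed = {d.media_id: d for d in disposals}
    findings: Dict[str, List[str]] = {
        "missing": [],               # registered, not found, no disposal record
        "unregistered": [],          # found or disposed but never registered
        "disposed_but_present": [],  # disposal recorded, yet still on the shelf
        "bad_method": [],            # method not approved for that media type
        "no_certificate": [],        # third-party disposal without a certificate
        "unencrypted_portable": [],  # portable media above 'public' without encryption
    }
    for mid, m in reg.items():
        if mid not in found and mid not in disposed:
            findings["missing"].append(mid)
        if m.media_type in PORTABLE_TYPES and m.classification != "public" and not m.encrypted:
            findings["unencrypted_portable"].append(mid)
    findings["unregistered"].extend(found - set(reg))
    for mid, d in disposed.items():
        m = reg.get(mid)
        if m is None:
            findings["unregistered"].append(mid)
            continue
        if mid in found:
            findings["disposed_but_present"].append(mid)
        if d.method not in APPROVED_METHODS.get(m.media_type, set()):
            findings["bad_method"].append(mid)
        if d.third_party and not d.certificate_ref:
            findings["no_certificate"].append(mid)
    return {k: sorted(set(v)) for k, v in findings.items()}


# Constructed sample data for the example.
REGISTER = [
    Media("HDD-001", "hdd", "confidential", True),
    Media("SSD-002", "ssd", "confidential", True),
    Media("USB-003", "usb", "confidential", False),   # unencrypted portable media
    Media("TAPE-004", "tape", "internal", True),
    Media("USB-005", "usb", "internal", True),        # nowhere to be found below
]
FOUND = ["HDD-001", "USB-003", "TAPE-004", "USB-099"]  # USB-099 is not in the register
DISPOSALS = [
    Disposal("SSD-002", "overwrite_800_88", "2024-03-01", "j.smith"),  # overwrite on an SSD
    Disposal("TAPE-004", "degauss", "2024-03-02", "ShredCo Ltd", third_party=True),  # no certificate
]


def run_example() -> Dict[str, List[str]]:
    return reconcile(REGISTER, FOUND, DISPOSALS)


if __name__ == "__main__":
    for kind, ids in run_example().items():
        print(f"{kind:22s} {', '.join(ids) or '-'}")
```

Each finding maps to one of the mistakes auditors commonly raise for this control, so the output doubles as the evidence that the periodic reconciliation actually happened and what was done about it.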

Evidence Your Auditor Will Request

  • Storage media management policy covering the full lifecycle
  • Storage media inventory and register
  • Approved sanitisation methods for each media type
  • Media disposal records with destruction certificates
  • Periodic media inventory reconciliation records

Common Mistakes

  • No inventory or tracking of storage media, particularly removable media
  • Media is disposed of without proper sanitisation (simply discarded or recycled)
  • SSD media is wiped with overwrite-based tools that cannot reach every cell, leaving data recoverable
  • No destruction certificates are obtained for media disposed of by third parties
  • Portable media containing sensitive data is not encrypted

Related Controls Across Frameworks

Framework | Control ID  | Relationship
SOC 2     | CC6.5       | Equivalent
GDPR      | Art.5(1)(e) | Related
GDPR      | Art.32      | Related

Frequently Asked Questions

What is the proper way to dispose of SSDs?
SSDs are trickier than traditional hard drives because wear-levelling algorithms write each update to a fresh cell and leave the old copy in place, in areas that standard overwrite tools cannot address. Your best options are: cryptographic erasure (if the drive was encrypted from first use, securely destroy the encryption key and everything written under it becomes unrecoverable), the drive's built-in sanitise command (ATA Secure Erase on SATA drives, Sanitize or Format with secure erase on NVMe drives, which the controller applies to every physical block rather than only the ones the host can see), or physical destruction by shredding. Built-in erase commands depend on the firmware doing what it claims, so read back a sample of the raw device afterwards. For highly sensitive data, physical destruction is the only option that gives you complete certainty.
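The wear-levelling problem described in this answer, and in the sanitisation guidance under How to Implement, is easiest to see in a model. The following Python script is an added illustration, not code from AuditFront or from any drive vendor. It simulates a flash translation layer that always writes to a fresh page and shows three things: a host-level zero-fill leaves the original data in a stale page; a firmware sanitise command (modelled on ATA Secure Erase / NVMe Sanitize) erases every physical page including the stale one; and when every page is written encrypted under a media key, discarding that key (cryptographic erasure) leaves only ciphertext on the chips, while the stale copy was still recoverable as long as the key existed. The ToySSD class, the page size and the sample record are assumptions made for the example, and the hash-based keystream is a toy stand-in for the AES-XTS a real self-encrypting drive uses.

```python
"""Toy flash translation layer (FTL) showing why a host-level overwrite does
not sanitise an SSD, and what cryptographic erasure and a firmware sanitise
command change. Added illustration, not code from the page or a vendor;
the hash-based keystream is a toy stand-in for a real drive's AES-XTS."""
import hashlib
import secrets
from typing import Dict, List, Optional

PAGE = 32  # bytes per flash page in this model (assumption)


def keystream(key: bytes, lba: int, length: int) -> bytes:
    """Toy CTR-style keystream built from SHA-256(key || lba || counter) blocks."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + lba.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToySSD:
    """Out-of-place writes through a logical-to-physical map, no garbage collection."""

    def __init__(self, pages: int, media_key: Optional[bytes] = None):
        self.flash: List[Optional[bytes]] = [None] * pages  # None = erased page
        self.l2p: Dict[int, int] = {}                       # logical block -> physical page
        self.next_free = 0
        self.media_key = media_key                          # None = plaintext drive

    def write(self, lba: int, data: bytes) -> None:
        if len(data) != PAGE:
            raise ValueError("page-sized writes only")
        if self.next_free >= len(self.flash):
            raise RuntimeError("no erased pages left (toy has no GC)")
        if self.media_key is not None:
            data = xor(data, keystream(self.media_key, lba, PAGE))
        ppa = self.next_free
        self.next_free += 1
        self.flash[ppa] = data
        self.l2p[lba] = ppa  # wear levelling: the old page becomes stale but is NOT erased

    def read(self, lba: int) -> bytes:
        raw = self.flash[self.l2p[lba]]
        if self.media_key is not None:
            raw = xor(raw, keystream(self.media_key, lba, PAGE))
        return raw

    def chip_off(self) -> List[bytes]:
        """What a forensic chip-off reader sees: every non-erased page, stale ones included."""
        return [p for p in self.flash if p is not None]

    def crypto_erase(self) -> None:
        """Cryptographic erasure: discard the media key by replacing it with a fresh one."""
        if self.media_key is None:
            raise RuntimeError("drive was never encrypted; cryptographic erasure does not apply")
        self.media_key = secrets.token_bytes(32)

    def firmware_sanitize(self) -> None:
        """Model of ATA Secure Erase / NVMe Sanitize: the controller erases every
        physical page, stale ones included, which no host-level write can reach."""
        self.flash = [None] * len(self.flash)
        self.l2p.clear()
        self.next_free = 0


SECRET = b"client acct 4417: balance 1.2M".ljust(PAGE, b" ")  # constructed sample record


def overwrite_leaves_remnant() -> bool:
    """Plain drive: the host zero-fills LBA 0, but the secret survives in a stale page."""
    ssd = ToySSD(pages=8)
    ssd.write(0, SECRET)
    ssd.write(0, bytes(PAGE))          # the "wipe": overwrite with zeros
    assert ssd.read(0) == bytes(PAGE)  # the host-visible view says the block is clean
    return SECRET in ssd.chip_off()    # but the stale page still holds it


def firmware_sanitize_clears_remnant() -> bool:
    """Same scenario, then the drive's own sanitise command: nothing is left on the flash."""
    ssd = ToySSD(pages=8)
    ssd.write(0, SECRET)
    ssd.write(0, bytes(PAGE))
    ssd.firmware_sanitize()
    return ssd.chip_off() == []


def crypto_erase_leaves_only_ciphertext() -> bool:
    """Self-encrypting drive: the stale copy is recoverable with the key, unreadable without it."""
    ssd = ToySSD(pages=8, media_key=secrets.token_bytes(32))
    ssd.write(0, SECRET)
    ssd.write(0, bytes(PAGE))          # stale page now holds SECRET, but only as ciphertext
    old_key, stale_page = ssd.media_key, ssd.chip_off()[0]
    assert xor(stale_page, keystream(old_key, 0, PAGE)) == SECRET  # recoverable while the key exists
    ssd.crypto_erase()
    stale_now = xor(stale_page, keystream(ssd.media_key, 0, PAGE))
    return SECRET not in ssd.chip_off() and stale_now != SECRET and ssd.read(0) != bytes(PAGE)
```

Real drives do eventually erase stale pages during garbage collection, but on the controller's schedule and not the host's, which is why NIST SP 800-88 treats overwriting as insufficient for purging flash. The third function also shows the caveat that matters in practice: cryptographic erasure only helps if the key was in place before the first write; enabling encryption on a drive that already holds plaintext leaves the earlier stale pages in the clear.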
Do we need to track USB drives?
Yes, and it is worth the effort. USB drives are tiny, easy to lose, and can hold a surprising amount of sensitive data. Maintain an inventory of organisational USB drives. Use encrypted drives that require authentication before access. Consider DLP controls that restrict which USB devices can connect to company machines. Honestly, a lot of organisations are moving to banning removable media altogether and using encrypted cloud sharing or secure file transfer instead - it is often simpler to manage and lower risk overall.
