This article provides additional information on how you can meet the requirements of ISO 27001:2022 control A.7.10 Storage media.
ISO 27001: 2022 Control Description
Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.
Purpose
To ensure only authorised disclosure, modification, removal, or destruction of information on storage media.
Guidance on implementation
Removable Storage Media
The following guidelines for managing removable storage media should be considered:
a) Establish a topic-specific policy on the management of removable storage media and communicate this policy to anyone who uses or handles such media;
b) Where necessary and practical, require authorisation for storage media to be removed from the organisation, and keep a record of such removals to maintain an audit trail;
c) Store all storage media in a safe, secure environment according to their information classification, and protect them against environmental threats (e.g. heat, moisture, humidity, electronic fields, or ageing) in accordance with manufacturers’ specifications;
d) If the confidentiality or integrity of the information is an important consideration, use cryptographic techniques to protect information on removable storage media;
e) To mitigate the risk of storage media degrading while stored information is still needed, transfer the information to fresh storage media before it becomes unreadable;
f) Store multiple copies of valuable information on separate storage media to further reduce the risk of coincidental information damage or loss;
g) Consider registering removable storage media to limit the chance of information loss;
h) Only enable removable storage media ports (e.g. secure digital [SD] card slots and universal serial bus [USB] ports) if there is an organisational reason for their use;
i) Where there is a need to use removable storage media, monitor the transfer of information to such media;
j) Recognise that information can be vulnerable to unauthorised access, misuse, or corruption during physical transport, such as when sending storage media via postal services or couriers.
In this control, media includes paper documents. When transferring physical storage media, apply the security measures outlined in Control A.5.14 - Information Transfer.
Secure Reuse or Disposal
Procedures for the secure reuse or disposal of storage media should be established to minimise the risk of confidential information leakage to unauthorised persons. The procedures should be proportional to the sensitivity of the information contained on the media. The following items should be considered:
a) If storage media containing confidential information need to be reused within the organisation, securely delete data or format the storage media before reuse;
b) Dispose of storage media containing confidential information securely when no longer needed (e.g. by destroying, shredding, or securely deleting the content);
c) Have procedures in place to identify items that may require secure disposal;
d) Many organisations offer collection and disposal services for storage media; take care to select a suitable external supplier with adequate controls and experience;
e) Log the disposal of sensitive items to maintain an audit trail;
f) When accumulating storage media for disposal, consider the aggregation effect, which can cause a large quantity of non-sensitive information to become sensitive.
A risk assessment should be performed on damaged devices containing sensitive data to determine whether the items should be physically destroyed rather than sent for repair or discarded.
When confidential information on storage media is not encrypted, additional physical protection of the storage media should be considered.