How to Control Data on Disks, Drives and Devices
ISO 27001 Control 7.10 Storage media is all about making sure that anything holding your information – hard drives, USB sticks, backup tapes, SSDs, memory cards, even multifunction printers – is managed securely throughout its entire lifecycle.
If storage media isn’t controlled, sensitive information can leak out via lost USB sticks, old laptops, “dead” disks, or boxes of backup tapes in a cupboard. Control 7.10 asks you to be deliberate about how you issue, use, move, reuse and dispose of storage media so that only authorised people and processes ever see what’s on it.
This guide explains what ISO 27001 Control 7.10 is really asking for, and how to implement storage media controls in a practical, risk-based way.
What ISO 27001 Control 7.10 Actually Requires
In simple terms, ISO 27001 Control 7.10 – Storage media expects you to:
- Manage storage media across its full lifecycle: acquisition, use, transport, reuse, and disposal.
- Ensure information on storage media is only disclosed, changed, removed, or destroyed by authorised people and processes.
- Apply controls in proportion to the sensitivity and classification of the information.
- Pay particular attention to removable storage media (USB drives, external disks, SD cards, etc.), as these are easy to lose or misuse.
From a security perspective, this is a preventive control that supports:
- Confidentiality – preventing data leakage.
- Integrity – avoiding unauthorised or accidental changes.
- Availability – ensuring data remains readable when needed.
Typical domains touched by ISO 27001 Control 7.10 include physical security, asset management, and technical controls on endpoints and servers.
Step 1 – Create a Clear Storage Media Policy
Start by defining your position on storage media in a topic-specific policy. This policy should cover:
- Scope and media types
– Internal drives, removable USB devices, external disks, NAS devices, backup tapes, optical media, memory cards, and devices that store data (e.g. MFPs, phones, IoT devices where relevant).
- When storage media can be used
– Business scenarios where removable media is allowed (or explicitly prohibited).
– Rules for working with third parties (e.g. exchanging data on encrypted media only).
- Roles and responsibilities
– Who can authorise media use and removal from premises.
– Who manages encryption, registration, and secure disposal.
– How staff are expected to handle storage media and report issues with it.
- Link to other controls
– Asset management (asset registers, ownership).
– Access control (who can read from or write to particular media).
– Backup and retention policies.
A good storage media policy gives you a single reference point when you implement the more detailed procedures required by ISO 27001 Control 7.10.
Step 2 – Control the Use of Removable Storage Media
Removable media is one of the highest-risk areas under ISO 27001 Control 7.10. It’s small, easily lost, and often poorly monitored.
You should:
- Allow removable media only where there is a clear business need
– Default to blocking or restricting use unless justified.
– Use endpoint tools to enforce policy, not just trust.
- Require authorisation for media leaving the organisation
– Approval for external transfer of data via USB, disks, tapes, etc.
– Simple logging of who took what, when, and why (an audit trail).
- Register important storage media
– Give sensitive or high-value media an ID and owner.
– Track where it is stored and when it is moved.
- Monitor data transfers where feasible
– Use endpoint/host-based controls to monitor or restrict copying to USB.
– Trigger alerts or blocks for large or unusual transfers.
- Control ports and interfaces
– Enable USB ports, SD slots, etc. only where needed.
– Differentiate between keyboards/mice and storage devices if your tooling supports it.
This helps you show that ISO 27001 Control 7.10 isn’t just a written policy – you’re actually controlling how removable storage media is used.
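As an added illustration of the monitoring and authorisation points above (this is example code written for this guide, not tooling from the ISO 27001 standard or any particular endpoint product), the script below runs the kind of rules a device-control or DLP tool would apply over a constructed sample of endpoint events: transfers to media that is not in the register, writes by a user with no approval on record, unusually large transfers, and transfers outside business hours. The log format, the registered serial numbers, the approval list and the 100 MB threshold are all assumptions chosen for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of endpoint device-control events (not real data).
SAMPLE_LOG = """\
ts,user,host,device_serial,action,bytes,path
2024-05-02T09:14:05Z,alice,WKS-017,SN-REG-0001,write,1200000,Q3-report.xlsx
2024-05-02T09:20:41Z,bob,WKS-023,SN-UNKNOWN-77,write,850000,notes.txt
2024-05-02T12:02:10Z,alice,WKS-017,SN-REG-0001,write,640000000,customer-export.zip
2024-05-02T23:47:03Z,carol,WKS-009,SN-REG-0002,write,3400000,slides.pptx
2024-05-02T14:05:55Z,dave,WKS-031,SN-REG-0002,read,15000,readme.txt
"""

# Constructed policy data: the media register (serial -> owner) and the
# approvals granted for taking data off the premises (user, serial).
REGISTERED_MEDIA = {"SN-REG-0001": "alice", "SN-REG-0002": "carol"}
APPROVED_TRANSFERS = {("alice", "SN-REG-0001"), ("carol", "SN-REG-0002")}
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024      # assumed alerting threshold
BUSINESS_HOURS_UTC = (8, 18)                  # start inclusive, end exclusive


def parse_events(text):
    """Parse the CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def check_event(event):
    """Return the list of policy rules this single event breaks (empty if none)."""
    reasons = []
    serial = event["device_serial"]
    user = event["user"]
    size = int(event["bytes"])
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    # Any use of media that is not in the asset register is suspicious.
    if serial not in REGISTERED_MEDIA:
        reasons.append("unregistered device")
    # Writing data out requires an approval record for that user and device.
    if event["action"] == "write" and (user, serial) not in APPROVED_TRANSFERS:
        reasons.append("no approval on record")
    # Large copies are the classic bulk-exfiltration pattern.
    if size >= LARGE_TRANSFER_BYTES:
        reasons.append("large transfer")
    # Out-of-hours activity is unusual for most office users.
    start, end = BUSINESS_HOURS_UTC
    if not (start <= ts.hour < end):
        reasons.append("outside business hours")
    return reasons


def analyse(text):
    """Run every event through the rules and collect alerts for the SOC."""
    alerts = []
    for event in parse_events(text):
        reasons = check_event(event)
        if reasons:
            alerts.append({
                "ts": event["ts"],
                "user": event["user"],
                "host": event["host"],
                "device_serial": event["device_serial"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["device_serial"], "; ".join(alert["reasons"]))
```

Of the five constructed events, three produce alerts: the write to an unregistered stick with no approval, the 640 MB export, and the late-night copy. The read by a registered device's non-owner is deliberately left alone, which is the sort of policy choice a real deployment would tune against its own false-positive rate.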
Step 3 – Store and Handle Storage Media Securely
Storage media is vulnerable not just to theft but also to heat, moisture, dust, and ageing. ISO 27001 Control 7.10 expects you to protect it physically and environmentally.
Key practices include:
- Secure storage based on classification
– Keep media containing confidential or sensitive data in locked cabinets, safes, or secure rooms.
– Restrict access to authorised staff only.
- Environmental protection
– Store media within manufacturer-recommended ranges for temperature and humidity.
– Protect against dust, static electricity, moisture, and physical shocks.
- Multiple copies of critical data
– Keep more than one copy of important information on separate media and, ideally, in separate locations.
– Use backups and replicas rather than relying on a single device.
- Refreshing or migrating data
– Move data from older or degrading media to newer media before it becomes unreadable.
– Incorporate this into backup and archival strategies.
- Secure transportation
– Use tamper-evident packaging or locked containers where appropriate.
– Apply equivalent levels of security when using postal or courier services (e.g. tracked delivery, named recipients, encryption).
These measures support confidentiality, integrity, and availability – exactly what ISO 27001 Control 7.10 is there to protect.
Step 4 – Encrypt Sensitive Information on Storage Media
Where storage media can be lost, stolen, or accessed by others, encryption is often your strongest control.
For ISO 27001 Control 7.10, you should:
- Encrypt sensitive data on removable media by default
– Use centrally managed encryption tools where possible.
– Avoid ad-hoc, unmanaged tools that users pick themselves.
- Align encryption strength with risk
– Use strong, modern algorithms and key lengths.
– Give clear guidance on password length and complexity for user-managed encryption (if you allow it).
- Manage keys appropriately
– Ensure the organisation can recover data if a user leaves or forgets a passphrase.
– Avoid writing down decryption information in the same place as the media.
- Combine encryption with physical control
– Don't rely solely on physical security if media is moved offsite.
– Assume that any medium can be lost; encryption should make the data useless to whoever finds it.
If you’re not encrypting sensitive data on removable media, you’ll need strong justification in your risk assessment to satisfy ISO 27001 Control 7.10.
Step 5 – Manage the Full Lifecycle: Reuse and Disposal
ISO 27001 Control 7.10 places a lot of emphasis on secure reuse and disposal, because that’s where many organisations leak information.
Secure reuse
When reusing storage media internally:
- Securely erase previous data
– Use approved secure deletion tools or full reinitialisation for drives and devices.
– Formatting alone is often not enough for higher-sensitivity data.
- Reassign ownership and update records
– Update asset registers when devices or media are reallocated.
– Ensure the new owner understands their responsibilities.
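To make the "formatting alone is not enough" point concrete, here is an added example (written for this guide, not code from the standard or from any wiping product) that models a small storage medium as a byte array with a directory region followed by data blocks. A quick format clears the directory, so the file disappears from the listing, but the bytes are still there for anyone who reads the raw medium; a secure wipe overwrites every byte and then verifies the result. The layout, block sizes and the "customer record" payload are constructed for the simulation.

```python
import os

# Constructed layout: a tiny "file table" at the start, then data blocks.
BLOCK_SIZE = 512
DIRECTORY_BLOCKS = 2
DATA_BLOCKS = 32
DIR_REGION = BLOCK_SIZE * DIRECTORY_BLOCKS
IMAGE_SIZE = BLOCK_SIZE * (DIRECTORY_BLOCKS + DATA_BLOCKS)


def new_image():
    """A blank medium, modelled as a byte array (a simulation, not a real disk)."""
    return bytearray(IMAGE_SIZE)


def write_file(image, name, payload, first_block):
    """Store the payload in data blocks and add a name@block entry to the directory."""
    start = DIR_REGION + BLOCK_SIZE * first_block
    image[start:start + len(payload)] = payload
    entry = f"{name}@{first_block};".encode()
    free = image.find(b"\0", 0, DIR_REGION)      # first unused byte in the directory
    image[free:free + len(entry)] = entry


def list_files(image):
    """What a normal file browser would show: names taken from the directory."""
    directory = image[:DIR_REGION].rstrip(b"\0").decode()
    return [entry.split("@")[0] for entry in directory.split(";") if entry]


def quick_format(image):
    """A quick format only clears the directory; the data blocks are untouched."""
    image[:DIR_REGION] = bytes(DIR_REGION)


def verify_wiped(image):
    """True when no non-zero byte remains anywhere on the medium."""
    return not any(image)


def secure_wipe(image, passes=1):
    """Overwrite the whole medium (random passes, then zeros) and verify it."""
    for _ in range(passes):
        image[:] = os.urandom(len(image))
    image[:] = bytes(len(image))
    return verify_wiped(image)


def recoverable(image, marker):
    """A crude carving check: does the marker still exist anywhere on the medium?"""
    return marker in image


def demo():
    """Walk one medium through write, quick format and secure wipe; return what each stage shows."""
    secret = b"CUSTOMER-RECORD: Jane Doe, 0123-4567"   # constructed sample data
    img = new_image()
    write_file(img, "customers.csv", secret, first_block=5)
    after_write = (list_files(img), recoverable(img, secret))
    quick_format(img)
    after_format = (list_files(img), recoverable(img, secret))
    wiped = secure_wipe(img)
    after_wipe = (list_files(img), recoverable(img, secret), wiped)
    return {"after_write": after_write, "after_format": after_format, "after_wipe": after_wipe}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

The simulation overwrites a plain byte array, which is the one case where an overwrite is guaranteed to reach every location. On real flash media (SSDs, USB sticks, memory cards) wear levelling and spare areas mean a host-side overwrite may never touch some copies of the data, which is why the bullet above says to use approved tools or the device's own sanitise function, and to keep the verification output as evidence.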
Secure disposal
When media reaches end-of-life, choose a disposal method proportionate to the sensitivity of the data:
- Logical erasure
– For lower-sensitivity data, certified secure wipe tools may be sufficient.
– Obtain verification or logs where possible.
- Physical destruction
– Shredding, crushing, or degaussing for drives, tapes, and other media.
– Make media unreadable and irrecoverable.
- Damaged devices
– If devices are damaged and cannot be securely wiped, treat them as high-risk.
– Often the safest option is physical destruction rather than repair or resale.
- Using external disposal providers
– Vet suppliers for competence and security practices.
– Have contracts that reflect your confidentiality expectations.
– Request certificates of destruction or equivalent evidence.
- Audit trails
– Log the disposal of storage media that held sensitive information.
– Keep enough detail to prove that disposal was controlled and intentional.
Remember the aggregation effect – a large pile of “low sensitivity” items can become sensitive when aggregated (e.g. many devices with fragments of personal data). ISO 27001 Control 7.10 expects you to recognise and manage that risk.
Step 6 – Support Storage Media Management with Technical and Process Controls
To make all of this workable day-to-day, combine policy with practical controls:
- Endpoint and device management
– Enforce encryption, port control, and secure wipe from a central tool where possible.
– Apply standard builds and security baselines for devices that use storage media.
- Asset management and labelling
– Tag or label media and devices so they can be identified and tracked.
– Record ownership, status (in use, in storage, for disposal), and location.
- Monitoring and alerts
– Monitor unusual transfers to storage media where feasible.
– Integrate this into security monitoring and incident response processes.
- Incident reporting
– Have a clear process for reporting lost or stolen storage media.
– Treat these as potential information security incidents and investigate accordingly.
These supporting mechanisms help demonstrate that ISO 27001 Control 7.10 is embedded in operational practice, not just written in a policy.
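The asset register described in this step and the reuse and disposal records required in Step 5 are easier to get right when the register itself enforces the rules. The following added example (written for this guide, not code from the standard or from any asset-management product) keeps a per-item lifecycle (in use, in storage, for disposal, destroyed) with an append-only history, refuses to reassign sensitive media until an erase has been recorded, requires an authorised signatory and evidence of destruction before a sensitive item can be closed, and produces the disposal audit trail an auditor would ask for. Classification names, the list of authorisers and the "CERT-..." evidence reference are placeholders chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Lifecycle states and the transitions the register will accept.
ALLOWED_TRANSITIONS = {
    "in_use": {"in_storage", "for_disposal"},
    "in_storage": {"in_use", "for_disposal"},
    "for_disposal": {"destroyed"},
    "destroyed": set(),
}
# Classifications (assumed names) that need verified erasure before reuse and
# evidence of destruction (e.g. a supplier certificate) before disposal is closed.
SENSITIVE_CLASSES = {"confidential", "restricted"}


@dataclass
class MediaRecord:
    media_id: str
    media_type: str
    classification: str
    owner: str
    location: str
    state: str = "in_use"
    wipe_verified: bool = False
    history: list = field(default_factory=list)   # append-only audit trail


class MediaRegister:
    """Storage media register with lifecycle enforcement and an audit trail."""

    def __init__(self, authorisers):
        self.records = {}
        self.authorisers = set(authorisers)   # people allowed to sign off destruction

    def _log(self, rec, event, actor, **details):
        rec.history.append({"ts": datetime.now(timezone.utc).isoformat(),
                            "event": event, "actor": actor, **details})

    def register(self, media_id, media_type, classification, owner, location):
        rec = MediaRecord(media_id, media_type, classification, owner, location)
        self.records[media_id] = rec
        self._log(rec, "registered", owner, location=location)
        return rec

    def record_wipe(self, media_id, actor, tool):
        """Record a verified erase (tool name and operator) against the item."""
        rec = self.records[media_id]
        rec.wipe_verified = True
        self._log(rec, "wiped", actor, tool=tool)

    def reassign(self, media_id, new_owner, actor):
        """Reuse: sensitive media must be erased before it changes hands."""
        rec = self.records[media_id]
        if rec.state == "destroyed":
            raise ValueError(f"{media_id} has already been destroyed")
        if rec.classification in SENSITIVE_CLASSES and not rec.wipe_verified:
            raise ValueError(f"{media_id}: erase before reallocation")
        self._log(rec, "reassigned", actor, previous_owner=rec.owner, new_owner=new_owner)
        rec.owner = new_owner
        rec.wipe_verified = False     # the new owner's data is not wiped yet
        return rec

    def transition(self, media_id, new_state, actor, location=None, evidence=None):
        """Move an item along its lifecycle, enforcing who may close a disposal."""
        rec = self.records[media_id]
        if new_state not in ALLOWED_TRANSITIONS[rec.state]:
            raise ValueError(f"{media_id}: {rec.state} -> {new_state} is not allowed")
        if new_state == "destroyed":
            if actor not in self.authorisers:
                raise PermissionError(f"{actor} may not sign off destruction")
            if rec.classification in SENSITIVE_CLASSES and not evidence:
                raise ValueError(f"{media_id}: evidence of destruction is required")
        if location:
            rec.location = location
        self._log(rec, new_state, actor, location=rec.location, evidence=evidence)
        rec.state = new_state
        return rec

    def disposal_log(self):
        """Every destruction event with its signatory and evidence, for the auditor."""
        return [{"media_id": r.media_id, "classification": r.classification, **entry}
                for r in self.records.values()
                for entry in r.history if entry["event"] == "destroyed"]
```

Because the history list is only ever appended to, the register can answer the two questions Step 5 asks of a disposal (was it controlled, and was it intentional) directly from its own records, and the wipe flag being reset on every reassignment means a drive cannot be passed on twice on the strength of one old erase.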
Step 7 – Train Staff and Clarify Responsibilities
People need to understand why storage media is risky and what they must do.
For ISO 27001 Control 7.10, ensure:
- Staff awareness training covers:
– Why USB sticks and removable drives are high risk.
– When they are allowed to use storage media, and when they are not.
– How to handle and transport media safely.
– What to do if media is lost, stolen, or damaged.
- IT and security teams are trained on:
– Applying technical controls (encryption, port control, secure erase).
– Managing asset registers and disposal processes.
– Handling incidents that involve storage media.
- Managers and process owners know:
– How to authorise storage media use and removal.
– How to check that procedures are being followed in their teams.
The goal is to make proper handling of storage media just part of how people work, not an occasional exception.
Quick Implementation Checklist for ISO 27001 Control 7.10
Use this checklist to review your approach to storage media:
- ISO 27001 Control 7.10 (Storage media) is covered in your ISMS documentation and policies.
- A storage media / removable media policy defines what is allowed, prohibited, and controlled.
- Use of removable storage media is restricted to clear business needs and, where possible, technically enforced.
- Removable media taken offsite is authorised, logged, and tracked.
- Sensitive data on storage media (especially removable) is encrypted by default.
- Storage media is kept and transported in physically secure, environmentally appropriate conditions.
- Critical data has multiple copies on separate media and/or locations.
- There are documented procedures for secure reuse, including proper erasure before reallocation.
- There are documented procedures for secure disposal, including physical destruction where needed.
- External destruction / disposal providers are vetted, contracted appropriately, and provide evidence of destruction.
- Disposal of media holding sensitive data is logged to maintain an audit trail.
- The aggregation effect of stored or discarded media has been considered in risk assessments.
- Staff receive training on safe use, reporting lost media, and following storage media rules.
Bringing It All Together
ISO 27001 Control 7.10 – Storage media – is about treating anything that can store your information as an asset that needs deliberate, controlled management.
If you:
- Set clear rules for how storage media is used,
- Encrypt and protect it based on the sensitivity of the data, and
- Securely reuse and dispose of it with proper records,
you’ll greatly reduce the risk of information leaking out via forgotten disks, USB sticks, or discarded hardware – and you’ll be able to show an auditor that storage media is being managed as part of a mature, preventive information security programme.