ISO 27001 Control 7.10: Storage Media

Managing Storage Media Throughout the Lifecycle


Introduction

The management of storage media is a critical component of an organisation’s information security strategy. By implementing robust policies and practices for the acquisition, use, transportation, and disposal of storage media, organisations can safeguard sensitive information and maintain the integrity, confidentiality, and availability of their data.


Purpose of Storage Media Management

The primary objective of managing storage media is to ensure that information is disclosed, modified, removed, or destroyed only by authorised individuals and processes. Effective lifecycle management minimises risks associated with unauthorised access, data loss, or damage.


Guidelines for Managing Removable Storage Media

  1. Establishing a Policy

    • Develop a topic-specific policy for managing removable storage media and communicate it to all relevant personnel.

  2. Authorisation and Audit Trails

    • Require authorisation for the removal of storage media from the organisation and maintain a record of such removals to ensure accountability.

  3. Secure Storage

    • Store storage media in a safe and secure environment in accordance with their classification and manufacturer’s specifications. Protect against environmental threats such as heat, moisture, humidity, and ageing.

  4. Cryptographic Protection

    • Use cryptographic techniques to protect sensitive information on removable storage media, especially when confidentiality or integrity is a concern.

  5. Refreshing Stored Information

    • Transfer data to fresh storage media before degradation makes it unreadable. This ensures long-term accessibility of critical information.

  6. Multiple Copies

    • Store multiple copies of valuable information on separate storage media to mitigate the risk of simultaneous damage or loss.

  7. Media Registration

    • Consider registering removable storage media to reduce the risk of information loss.

  8. Controlled Use of Ports

    • Only enable ports for removable storage media, such as USB or SD card slots, if there is a clear organisational need.

  9. Monitoring Transfers

    • Monitor the transfer of information to removable storage media to prevent unauthorised actions.

  10. Secure Transportation

    • Protect storage media during physical transport to prevent unauthorised access, misuse, or corruption. Follow applicable security measures, especially when using postal or courier services.


Secure Reuse or Disposal of Storage Media

To minimise the risk of confidential information leakage, establish procedures for the secure reuse or disposal of storage media. These procedures should be proportional to the sensitivity of the data involved.

  1. Secure Reuse

    • When reusing storage media within the organisation, securely erase the data beforehand; a simple quick format leaves the data recoverable, so use a verified secure-deletion method appropriate to the media type.

  2. Secure Disposal

    • Dispose of storage media containing sensitive information by:

      • Destroying or shredding it physically.

      • Using secure deletion methods to remove data permanently.

    • Identify items requiring secure disposal and follow defined procedures.

  3. External Disposal Services

    • Select reliable external suppliers for collection and disposal services. Verify that they have adequate controls and experience.

  4. Audit Trails

    • Log the disposal of sensitive items to maintain a complete audit trail.

  5. Aggregation Effect

    • Consider the aggregation effect when accumulating storage media for disposal. Large volumes of non-sensitive data can become sensitive collectively.

  6. Damaged Devices

    • Perform risk assessments on damaged devices containing sensitive data to determine whether they should be physically destroyed instead of being repaired or discarded.
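As an added, hypothetical example (not from the page or the standard), a minimal media register in Python that encodes several of the points above in code: taking media off site needs a recorded approver and encryption for non-public media, reuse and disposal of non-public media require a sanitisation record first, and every transition is appended to an audit trail. Class and method names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Medium:
    """One registered item of removable storage media."""
    media_id: str
    classification: str  # e.g. "public" or "confidential"; drives the rules below
    encrypted: bool
    state: str = "in_storage"  # in_storage | in_use | off_site | sanitised | disposed


class MediaRegister:
    """Hypothetical media register: enforces authorised removal, sanitisation
    before reuse or disposal, and keeps an append-only audit trail."""

    def __init__(self):
        self.media = {}
        self.audit = []  # (utc timestamp, media_id, event, actor)

    def _log(self, media_id, event, actor):
        self.audit.append((datetime.now(timezone.utc).isoformat(), media_id, event, actor))

    def register(self, medium, actor):
        self.media[medium.media_id] = medium
        self._log(medium.media_id, "registered", actor)

    def remove_off_site(self, media_id, actor, approver):
        m = self.media[media_id]
        if not approver:  # removal needs recorded authorisation (guideline 2)
            raise PermissionError("removal requires a recorded approver")
        if m.classification != "public" and not m.encrypted:  # guideline 4
            raise ValueError("unencrypted non-public medium must not leave the site")
        m.state = "off_site"
        self._log(media_id, f"removed off site, approved by {approver}", actor)

    def sanitise(self, media_id, actor, method):
        self.media[media_id].state = "sanitised"
        self._log(media_id, f"sanitised via {method}", actor)

    def reuse(self, media_id, actor):
        m = self.media[media_id]
        if m.state != "sanitised":  # secure reuse: erase before reuse
            raise ValueError("medium must be sanitised before reuse")
        m.state = "in_use"
        self._log(media_id, "reissued for use", actor)

    def dispose(self, media_id, actor, supplier):
        m = self.media[media_id]
        if m.classification != "public" and m.state != "sanitised":
            raise ValueError("non-public medium must be sanitised before disposal")
        m.state = "disposed"
        self._log(media_id, f"disposed via {supplier}", actor)  # disposal audit trail
```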


Additional Security Measures

  • If confidential information on storage media is not encrypted, consider additional physical protections for the storage media.

  • Ensure all procedures align with risk assessments to address specific threats effectively.


Key Concepts and Domains

  • Control Type: Preventive

  • Security Properties: Confidentiality, Integrity, Availability

  • Cybersecurity Concepts: Protection

  • Operational Capabilities: Physical Security, Asset Management


Conclusion

Effective management of storage media throughout its lifecycle is essential to protecting organisational information and assets. By implementing clear policies, robust security measures, and regular audits, organisations can reduce the risks of data breaches, loss, or unauthorised access.


A proactive approach to storage media management ensures that sensitive information remains secure, supporting organisational resilience and compliance with regulatory standards.

About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.

bottom of page