ISO 27001 Control 7.10: Storage Media Management
Storage media is a direct pathway to your most sensitive data—if it's not managed properly across its entire lifecycle, you're exposed. Control 7.10 requires organizations to establish and enforce procedures for acquiring, using, transporting, and safely disposing of storage media according to classification levels. This control bridges the gap between data handling policy and real-world protection.
What this means
Storage media encompasses all physical devices that hold data: hard drives, USB drives, tape backups, SD cards, and optical media. ISO 27001 7.10 mandates that your organization treat these assets with the same rigor as classified documents. You must define how different media types are classified based on data sensitivity, establish handling requirements for each classification level, track media throughout its lifecycle, and ensure secure disposal that prevents data recovery. This applies to media owned by your organization, media used by third parties, and media in transit.
How to comply
- 1.Classify all storage media types used in your organization based on data sensitivity (e.g., public, internal, confidential, restricted)
- 2.Document handling requirements for each classification level, including access controls, encryption standards, and physical security measures
- 3.Implement inventory tracking for all storage media from acquisition through disposal
- 4.Establish secure transportation protocols for media movement between locations, including secure packaging and chain-of-custody procedures
- 5.Define secure disposal procedures that prevent data recovery, with evidence of proper destruction (certificates of destruction)
- 6.Assign clear ownership and accountability for media handling at each lifecycle stage
- 7.Conduct periodic audits to verify compliance with media handling procedures
Evidence auditors look for
- Storage media classification policy document
- Media handling procedures manual with classification-specific requirements
- Asset inventory system showing acquisition date, classification, location, and status
- Secure transportation guidelines and signed chain-of-custody forms
- Certificates of destruction from approved disposal vendors
- Encryption standards documentation for different media classifications
- Media handling training records and acknowledgments
- Audit logs showing media lifecycle transitions and accountability
- Third-party media handling agreements with specified requirements
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates storage media lifecycle tracking, classification enforcement, and disposal documentation—eliminating manual spreadsheets and providing real-time visibility into where sensitive data lives.
See how GRCWatch handles this control automatically
Start free trial