Annex A · Physical Control

A.7.10 — Storage Media

Updated · 5 min read · Reviewed by: Cenedril Editorial
A.7.10 · ISO 27001 · ISO 27002 · BSI CON.6 · BSI SYS.4.5

An old server is decommissioned and donated to a local charity. Nobody wipes the hard drives. Six months later, a journalist contacts the organization: customer records, internal emails and access credentials from the donated drives are circulating online. A.7.10 requires that storage media are managed throughout their entire lifecycle — from procurement to destruction — and that disposal is as controlled as any other phase.

The control requires organizations to ensure that only authorized disclosure, modification, removal or destruction of information on storage media occurs. This covers the full lifecycle: acquisition, use, transport, storage and disposal.

What does the standard require?

The core requirements span the media lifecycle:

  • Classification-based handling. Storage media must be handled according to the organization’s information-classification scheme. Media containing confidential information requires stronger controls than media with public information.
  • Secure storage. Media must be stored in a secure environment — protected from fire, water, electromagnetic interference and unauthorized access. Encryption should be applied where appropriate.
  • Controlled transport. When media is moved between locations, it must be protected against interception, theft and damage. Use encrypted media, sealed containers or secure courier services.
  • Access control. Define who may use removable storage media, what data may be copied to them and how transfers are monitored.
  • Secure disposal. Before disposal or reuse, all sensitive data must be securely erased or the media must be physically destroyed. The method must make data recovery infeasible. Document every disposal action.

In practice

Maintain a media inventory. Track all removable storage media: USB drives, backup tapes, external drives. Record the owner, classification level, location and status (active, in transit, decommissioned).

Restrict removable media. Use endpoint-management tools to control USB port access. Options range from full block to whitelist-only (approved encrypted devices). Monitor file transfers to removable media through DLP (Data Loss Prevention) tools.

Encrypt by default. All removable media that may carry sensitive data should be encrypted. Issue company-approved encrypted USB drives and disable unencrypted devices at the endpoint level.

Establish a disposal process. Define disposal methods by classification level: public data — standard deletion is sufficient; internal — secure erase; confidential — certified destruction with a destruction certificate. Engage a certified disposal vendor for physical destruction and retain certificates as audit evidence.

Handle paper media. Paper documents are storage media too. Provide cross-cut shredders (DIN 66399 P-4 or higher for confidential documents) in every department and establish a clear rule: confidential paper goes into the shredder, never into the recycling bin.

Typical audit evidence

Auditors typically expect the following evidence for A.7.10:

  • Media management policy — documented rules for media handling, transport and disposal (link to Physical Security Policy in the Starter Kit)
  • Media inventory — register of removable storage media with classification and status
  • USB/device control configuration — endpoint settings showing USB restrictions
  • Destruction certificates — certificates from certified disposal vendors
  • Secure-erase logs — records of data-wiping operations with method and verification
  • Transport records — documentation of media shipments with chain of custody

KPI

% of storage media managed according to classification and disposal policy

Measured as a percentage: how many of your tracked storage media items are handled, stored and (when decommissioned) disposed of according to policy? Target: 100%. The usual gap is in ad-hoc removable media — personal USB drives that are not in the inventory.

Supplementary KPIs:

  • % of decommissioned media with documented destruction or secure erasure
  • Number of unauthorized removable-media usage attempts blocked per quarter
  • % of endpoints with USB-control policies enforced
  • Time between decommissioning decision and actual destruction

BSI IT-Grundschutz

A.7.10 maps to BSI modules covering data carriers and disposal:

  • SYS.4.5 (Removable data carriers) — the primary module: policy for removable media, encryption requirements, usage restrictions (A5), secure handling and monitoring (A13).
  • CON.6 (Deletion and destruction of data) — comprehensive requirements for data erasure and physical destruction: methods (A2), documentation (A13), outsourced destruction (A14).
  • CON.3.A12 (Cryptographic protection of data carriers) — encryption requirements for data carriers during transport and storage.
  • CON.7.A10 / CON.7.A13 (Business trips) — data-carrier security during travel: minimization, encryption, border-crossing considerations.

A.7.10 connects media handling to the information lifecycle.

Additional connections: A.5.10 (Acceptable use), A.5.12 (Classification), A.5.13 (Labelling), A.7.14 (Secure disposal or re-use of equipment) and A.8.10 (Information deletion).

Frequently asked questions

What counts as storage media?

Everything that stores information: USB drives, external hard drives, SD cards, optical discs (CD/DVD/Blu-ray), backup tapes, SSDs, and paper documents. Internal hard drives in laptops and servers are also storage media — particularly relevant at disposal time.

Can I allow USB drives in the organization?

Many organizations restrict or ban personal USB drives due to the dual risk of data exfiltration and malware introduction. If you allow them, require encryption, restrict usage to approved devices (whitelisting) and monitor file transfers. Some organizations issue company-approved encrypted USB drives as a controlled alternative.

What is the difference between data wiping and physical destruction?

Data wiping (secure erase) overwrites data so it cannot be recovered, allowing the media to be reused. Physical destruction (shredding, degaussing, incineration) renders the media unusable. Use wiping for media you want to reuse; use destruction for media at end-of-life or when wiping cannot be verified (e.g. damaged drives).