Secure Management of Storage Media
Manage storage media safely from purchase to disposal based on your risk policies.
Plain language
This control is about making sure any storage media, like USB drives or paper documents, are handled safely from the moment you buy them until you throw them out. If you don't do this, sensitive information can end up in the wrong hands, leading to data breaches or financial and reputational damage for your organisation.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: Physical controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 19 Mar 2026
Maturity levels: N/A
Official control statement
Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.
Why it matters
Poor storage media lifecycle controls can cause data leakage or unauthorised access in transit or disposal, damaging reputation and compliance.
Operational notes
Classify and label media, record chain-of-custody for transport, encrypt where possible, and securely sanitise or shred media before disposal.
Implementation tips
- The IT manager should develop a clear policy specifically for managing removable storage media. This policy should include rules on how to store, use, and dispose of these items securely and must be communicated to all staff handling such media. Refer to ISO 27002:2022 for guidance on information classification and storage practices.
- Procurement staff should ensure that all storage media are acquired from reputable suppliers who follow security standards. This involves checking supplier credentials and reading through their security procedures to decide if they meet your organisation's requirements.
- Office managers should ensure that storage media, such as USB sticks or external hard drives, are kept in secure locations when not in use. This means using lockable cabinets or safes, and organising storage based on the sensitivity of the information they contain, as per Australian Privacy Act requirements.
- An IT staff member should oversee the use of cryptographic techniques on storage media containing sensitive data. This can be done by setting up encryption software and ensuring it is correctly applied before the media leaves the organisation, protecting against unauthorised access.
- HR should train all employees on secure storage media handling practices, including proper disposal methods. This training should cover how to securely delete or destroy media containing confidential information, following ISO 27001, ensuring staff understand the importance of these actions to prevent data breaches.
Audit / evidence tips
- Ask: Request the organisation's policy on storage media management.
  Good: The policy should be comprehensive, updated regularly, and well known by employees who handle storage media.
- Ask: Request a log of removed media and their current status.
  Good: There should be a clear audit trail showing all movements of media up to disposal, including authorised sign-offs.
- Ask: Ask for training records and materials related to secure handling of storage media.
  Good: Training should be mandatory, with records showing up-to-date training completion for relevant staff.
- Ask: Request specific examples of encrypted storage media.
  Good: Encryption should be consistently applied to all sensitive media, with no unencrypted sensitive information stored on removable devices.
- Ask: Request evidence of secure disposal procedures, such as certificates from disposal companies.
  Good: Disposal records should show compliance with policies and confirm destruction through secure methods, with certificates from reputable providers.
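The operational notes and the evidence tips above describe a lifecycle (acquisition, use, transport, disposal), classification-based handling rules, and an audit trail of authorised sign-offs. The Python register below is an added example written for this page, not code from the page or from any standards body; its classification scheme, state names, rule thresholds and the `USB-0001` walk-through data are constructed assumptions. It rejects the moves the notes warn against (unencrypted media leaving the organisation, use before sanitisation, disposal without a formal release decision) and returns the chain-of-custody trail an assessor would ask to see.

```python
"""Lifecycle register for removable storage media.
Added example for this page, not code from the page or from any standards body. The
lifecycle in the control statement is a state machine, the handling checks follow the
operational notes, and an append-only custody log is the audit trail the evidence tips
ask for. The classification scheme and every rule threshold are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class State(str, Enum):
    ACQUIRED = "acquired"
    SANITISED = "sanitised"
    IN_USE = "in_use"
    IN_TRANSIT = "in_transit"
    DESTROYED = "destroyed"
    DISPOSED = "disposed"


# Constructed scheme: a higher index means more sensitive.
CLASSIFICATIONS = ["public", "internal", "confidential", "secret"]

# Permitted moves: media is sanitised before first use, and disposal is reachable
# only from a sanitised or destroyed state.
TRANSITIONS = {State.ACQUIRED: {State.SANITISED}, State.IN_TRANSIT: {State.IN_USE},
               State.SANITISED: {State.IN_USE, State.DESTROYED, State.DISPOSED},
               State.IN_USE: {State.IN_TRANSIT, State.SANITISED, State.DESTROYED},
               State.DESTROYED: {State.DISPOSED}, State.DISPOSED: set()}


@dataclass
class Media:
    media_id: str
    classification: str
    encrypted: bool = False
    state: State = State.ACQUIRED
    custodian: str = ""


class MediaRegister:
    """Holds each medium's state, label and custodian; every change is appended to the log."""

    def __init__(self):
        self.media = {}
        self.log = []

    def _record(self, m, action, actor, authorised_by=None, detail=""):
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                         "media_id": m.media_id, "action": action, "actor": actor,
                         "authorised_by": authorised_by, "detail": detail})

    def acquire(self, media_id, classification, actor, encrypted=False):
        if classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {classification!r}")
        m = self.media[media_id] = Media(media_id, classification, encrypted, custodian=actor)
        self._record(m, "acquire", actor, detail=f"labelled {classification}")
        return m

    def violation(self, media_id, new_state, authorised_by=None):
        """Why the move is not allowed, or None if it is."""
        m = self.media[media_id]
        if new_state not in TRANSITIONS[m.state]:
            return f"{m.state.value} -> {new_state.value} is not a permitted transition"
        if new_state is State.IN_TRANSIT:
            # Leaving the premises needs encryption (unless public) and an authorised sign-off.
            if m.classification != "public" and not m.encrypted:
                return f"unencrypted {m.classification} media may not leave the organisation"
            if authorised_by is None:
                return "transport requires an authorised sign-off"
        if new_state is State.DISPOSED:
            # Release is a formal decision, and sanitised top-level media still carries its label.
            if authorised_by is None:
                return "disposal requires a formal release decision"
            if m.state is State.SANITISED and m.classification == CLASSIFICATIONS[-1]:
                return f"sanitised {m.classification} media must be destroyed, not released"
        return None

    def transition(self, media_id, new_state, actor, authorised_by=None, detail=""):
        reason = self.violation(media_id, new_state, authorised_by)
        if reason:
            raise ValueError(f"{media_id}: {reason}")
        m = self.media[media_id]
        m.state, m.custodian = new_state, actor
        self._record(m, new_state.value, actor, authorised_by, detail)
        return m

    def custody_trail(self, media_id):
        """Ordered actions for one medium: the chain of custody an assessor asks to see."""
        return [f"{e['action']} by {e['actor']}" + (f" (authorised by {e['authorised_by']})" if e["authorised_by"] else "")
                for e in self.log if e["media_id"] == media_id]


def demo():
    """Walk one constructed USB drive through the lifecycle and return its custody trail."""
    reg = MediaRegister()
    reg.acquire("USB-0001", "confidential", actor="procurement", encrypted=True)
    reg.transition("USB-0001", State.SANITISED, actor="it-ops", detail="sanitised before first use")
    reg.transition("USB-0001", State.IN_USE, actor="analyst")
    reg.transition("USB-0001", State.IN_TRANSIT, actor="courier", authorised_by="it-manager")
    reg.transition("USB-0001", State.IN_USE, actor="analyst")
    reg.transition("USB-0001", State.DESTROYED, actor="it-ops", authorised_by="it-manager", detail="shredded")
    reg.transition("USB-0001", State.DISPOSED, actor="it-ops", authorised_by="it-manager")
    return reg.custody_trail("USB-0001")
```

`demo()` returns the seven custody entries for the constructed drive; calling `violation()` on a register that holds an unencrypted `secret` stick returns the reason a transport or release request would be refused, which is the kind of check the "log of removed media and their current status" evidence item is meant to surface.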
Cross-framework mappings
How Annex A 7.10 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (47) | | |
| ISM-0307 | ISM-0307 requires sanitising IT equipment and associated media before maintenance or repairs when work is performed by a technician who i... | |
| ISM-0312 | ISM-0312 mandates a specific handling outcome for overseas storage-bearing equipment that handled AUSTEO or AGAO data and cannot be sanit... | |
| ISM-0316 | ISM-0316 requires a formal administrative decision to release IT equipment into the public domain after sanitisation, destruction or decl... | |
| ISM-0317 | ISM-0317 requires a specific sanitisation action for printer cartridges and MFD drums by printing three full pages of random text to elim... | |
| ISM-0318 | ISM-0318 requires organisations to destroy printer cartridges or MFD print drums when they cannot be sanitised, treating them as electros... | |
| ISM-0321 | ISM-0321 requires that when disposing of IT equipment designed or modified to meet emanation security standards, the organisation contact... | |
| ISM-0325 | ISM-0325 requires reclassifying media to the higher sensitivity/classification when it is connected to a more sensitive system, with an e... | |
| ISM-0330 | ISM-0330 requires that before media is reclassified to a lower sensitivity or classification, it is sanitised or destroyed and a formal a... | |
| ISM-0350 | ISM-0350 requires organisations to destroy storage media that cannot be sanitised, including types like microfiche, microfilm, optical di... | |
| ISM-0351 | ISM-0351 requires volatile media to be sanitised by removing power for at least 10 minutes to clear residual data | |
| ISM-0352 | ISM-0352 requires SECRET and TOP SECRET volatile media to be sanitised by overwriting the entire medium at least once with a random patte... | |
| ISM-0354 | ISM-0354 requires non-volatile magnetic media to be sanitised by overwriting the entire medium with a random pattern (with specified pass... | |
| ISM-0356 | ISM-0356 requires organisations to continue treating sanitised SECRET and TOP SECRET non-volatile magnetic media as retaining its origina... | |
| ISM-0357 | ISM-0357 requires a precise EPROM sanitisation procedure to ensure data is irrecoverable, including verification by read back | |
| ISM-0358 | ISM-0358 requires that after any sanitisation attempt, SECRET and TOP SECRET non-volatile EPROM/EEPROM media must still be handled as ret... | |
| ISM-0359 | ISM-0359 mandates a specific sanitisation technique for non-volatile flash memory (double random overwrite plus read-back verification) | |
| ISM-0361 | ISM-0361 requires magnetic media to be destroyed using a degausser with suitable magnetic field strength and correct magnetic orientation | |
| ISM-0362 | ISM-0362 specifies adherence to manufacturer directions for degaussing magnetic media as a sanitisation measure | |
| ISM-0363 | ISM-0363 requires organisations to establish and maintain media destruction processes and procedures to securely dispose of data-bearing ... | |
| ISM-0368 | ISM-0368 requires media destruction to a defined particle size (≤9 mm) as an anti-recovery measure | |
| ISM-0371 | ISM-0371 requires organisations to supervise media destruction end-to-end, ensuring the media is controlled to the point of destruction a... | |
| ISM-0374 | ISM-0374 requires organisations to develop, implement and maintain procedures for securely disposing of media | |
| ISM-0375 | ISM-0375 requires a formal administrative decision to release storage media or its waste into the public domain following sanitisation, d... | |
| ISM-0378 | ISM-0378 requires organisations to remove identifying labels and markings from media prior to disposal to prevent traceability and inadve... | |
| ISM-0836 | ISM-0836 requires sanitising EEPROM by fully overwriting it with a random pattern and verifying the overwrite via read back | |
| ISM-0839 | ISM-0839 requires that destruction of media storing accountable material is not outsourced, keeping media destruction under the organisat... | |
| ISM-0947 | ISM-0947 requires sanitising rewritable media after each manual transfer of data between different security domains | |
| ISM-1059 | ISM-1059 mandates encryption of all data stored on media as a fundamental security measure | |
| ISM-1065 | ISM-1065 requires resetting HPA and DCO on non-volatile magnetic hard drives prior to sanitisation to prevent hidden storage areas persis... | |
| ISM-1084 | ISM-1084 requires that when mobile devices cannot be carried or stored in a secured state, they must be physically transported using a se... | |
| ISM-1157 | ISM-1157 addresses secure destruction of media by mandating the use of NSA-evaluated degaussers to reliably render magnetic media unreadable | |
| ISM-1160 | ISM-1160 specifies an approved standard for degaussing equipment when degaussing is used to destroy storage media | |
| ISM-1222 | ISM-1222 requires televisions and computer monitors that cannot be sanitised to be destroyed to eliminate any residual data risk | |
| ISM-1361 | ISM-1361 requires that when destroying media, organisations use SC&E Committee-approved or ASIO-approved destruction equipment | |
| ISM-1550 | ISM-1550 requires organisations to develop, implement and maintain procedures for disposing of IT equipment | |
| ISM-1600 | ISM-1600 requires media to be sanitised before it is used for the first time to prevent introduction of unwanted or residual data | |
| ISM-1641 | ISM-1641 mandates a specific end-of-life handling step for magnetic media: once degaussed, it must be physically damaged to defeat recovery | |
| ISM-1722 | ISM-1722 requires electrostatic memory devices to be physically destroyed using specific methods (e.g | |
| ISM-1723 | ISM-1723 mandates secure end-of-life handling for one specific removable medium type by specifying acceptable destruction methods for mag... | |
| ISM-1724 | ISM-1724 requires magnetic hard disks to be destroyed using specific approved destruction methods (e.g., incineration, grinding or degaus... | |
| ISM-1725 | ISM-1725 requires magnetic tapes to be destroyed using approved physical or magnetic destruction methods (e.g | |
| ISM-1726 | ISM-1726 requires secure end-of-life handling by physically destroying optical disks using approved destruction methods | |
| ISM-1727 | ISM-1727 addresses secure end-of-life handling by mandating specific physical destruction methods for semiconductor memory | |
| ISM-1728 | ISM-1728 requires organisations to store and handle destroyed SECRET media waste at downgraded classifications based on the resulting par... | |
| ISM-1729 | ISM-1729 requires organisations to store and handle TOP SECRET media destruction waste at a downgraded classification based on particle s... | |
| ISM-1735 | ISM-1735 requires that media which cannot be successfully sanitised is physically destroyed before disposal | |
| ISM-2072 | ISM-2072 requires AI models to be stored in a non-executable file format that prevents arbitrary code execution | |
| Partially overlaps (12) | | |
| ISM-0311 | Annex A 7.10 requires storage media to be managed securely across its lifecycle, including secure disposal consistent with classification... | |
| ISM-0313 | ISM-0313 requires organisations to develop, implement and maintain IT equipment sanitisation processes and procedures | |
| ISM-0315 | ISM-0315 requires physical destruction of high assurance IT equipment before disposal to prevent residual data exposure | |
| ISM-0343 | ISM-0343 requires organisations to disable write functionality to removable media unless there is a clear business requirement, reducing ... | |
| ISM-0348 | ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and supporting procedures | |
| ISM-0360 | ISM-0360 requires that after sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification and must cont... | |
| ISM-0462 | ISM-0462 requires that authenticating to encryption does not reduce the sensitivity/classification of IT equipment or media while the use... | |
| ISM-0835 | ISM-0835 addresses the requirement that sanitised TOP SECRET volatile media can still be treated as TOP SECRET based on storage duration ... | |
| ISM-0840 | ISM-0840 addresses secure disposal by requiring a certified outsourced destruction service for media holding non-accountable material | |
| ISM-1217 | Annex A 7.10 requires organisations to manage storage media (and associated handling requirements) securely through to disposal | |
| ISM-1300 | ISM-1300 requires that after overseas travel, mobile devices and any removable media are sanitised and reset, and any credentials that le... | |
| ISM-1418 | ISM-1418 requires organisations to disable reading from removable media and devices where there is no business requirement, using device ... | |
| Supports (3) | | |
| ISM-0323 | ISM-0323 requires media to be classified to the highest sensitivity/classification of the data it stores | |
| ISM-1067 | ISM-1067 addresses secure erasure of non-volatile magnetic hard drives by mandating ATA Secure Erase plus block overwriting to cover hidd... | |
| ISM-1299 | ISM-1299 instructs personnel to handle mobile devices and removable media securely (e.g | |
| Related (2) | | |
| ISM-0337 | ISM-0337 requires media to only be used with systems authorised for its classification | |
| ISM-0831 | ISM-0831 requires media to be handled in a manner suitable for its sensitivity or classification | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
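Several of the mapped ISM controls above (ISM-0359 and ISM-0836, for example) describe the same sanitisation pattern: overwrite the whole medium with a random pattern, then verify the result by reading it back. The Python below is an added example for this page, not code from the page or from ASD. It runs that pattern against a temporary file standing in for a medium, so it can be tried safely; the marker text, the image size and the two-pass count are constructed for the example.

```python
"""Overwrite-and-verify sanitisation of a file-backed image.
Added example for this page, not code from the page or from ASD. It shows the pattern the
mapped ISM sanitisation controls describe for flash and EEPROM: overwrite the whole medium
with random data and confirm the overwrite by reading it back. It works on an ordinary file
so it can be run safely; the marker text, image size and pass count are constructed."""
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes written or read per step, so a large image never sits in memory


def overwrite_pass(path):
    """Fill the whole file with random bytes; return the SHA-256 of exactly what was written."""
    remaining = os.path.getsize(path)
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        while remaining:
            block = secrets.token_bytes(min(CHUNK, remaining))
            f.write(block)
            digest.update(block)
            remaining -= len(block)
        f.flush()
        os.fsync(f.fileno())  # push the write through the OS cache before reading back
    return digest.hexdigest()


def read_back_digest(path):
    """SHA-256 of the file as the storage returns it now."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def sanitise(path, passes=2):
    """Random-overwrite the image `passes` times, verifying each pass by read back.
    Returns the number of passes that verified; equal to `passes` on success."""
    verified = 0
    for _ in range(passes):
        if overwrite_pass(path) != read_back_digest(path):
            break  # the medium did not retain what was written: treat as a sanitisation failure
        verified += 1
    return verified


def contains_marker(path, marker):
    """Scan the file for a byte string without loading it whole (handles chunk boundaries)."""
    tail = b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if marker in tail + block:
                return True
            tail = block[-(len(marker) - 1):] if len(marker) > 1 else b""
    return False


def demo():
    """Create a constructed 'medium' holding a sensitive marker, sanitise it, and report."""
    marker = b"CONFIDENTIAL-PAYROLL-EXPORT"  # constructed stand-in for sensitive content
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 5000)  # about 135 KB, so the image spans several chunks
        path = tmp.name
    try:
        before = contains_marker(path, marker)
        verified = sanitise(path, passes=2)
        after = contains_marker(path, marker)
    finally:
        os.unlink(path)
    return {"marker_before": before, "passes_verified": verified, "marker_after": after}
```

The read-back here checks the logical view that the operating system presents. On real drives that is not the whole story: the table's ISM-1065 entry has HPA and DCO hidden areas reset before sanitisation, ISM-1067 pairs block overwriting with ATA Secure Erase, and several entries require physical destruction where sanitisation cannot be achieved or the medium keeps its classification regardless. A file-level overwrite is therefore the verification step, not a substitute for those controls.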