Control Definition
Storage media must be managed across their entire life cycle — acquisition, use, transport, and disposal — in line with the organization's classification scheme and handling requirements.
Control Objective
To ensure that information held on storage media can only be disclosed, modified, removed, or destroyed by authorized people and processes.
What This Really Means
A USB drive is a network egress point that fits in a pocket. Your proxy, DLP, and firewall logs see every byte that leaves over the wire — and none of the two terabytes that walk out the door on a device the size of a thumbnail. A.7.10 exists because information is at its most portable and most losable when it sits on physical media, and because media failures are silent: nothing alerts when a drive goes missing.
The control asks for life-cycle discipline rather than a single safeguard. Decide your stance first: for most organizations today the right default is removable media disabled at the port, with a governed exception path that issues encrypted drives for the workflows that genuinely need them. From there the life cycle runs: register and label media that carries sensitive information, encrypt removable media by default, store it according to its classification and the manufacturer's environmental specs, transport it under chain of custody — sealed tamper-evident packaging, reliable couriers, signatures at both ends — sanitize it before any reuse, and destroy it at end of life with evidence.
Physical media is dying, but it is not dead, and the residue is exactly what audits find: backup tapes in third-party vaults, drives couriered by vendors for bulk data transfers, SD cards in cameras and drones, media embedded in multifunction printers, and every laptop SSD in the company — which is storage media on its way to a disposal decision eventually. The control covers what you forgot you have, not just what you issue.
What auditors treat as the heart of A.7.10 is end-to-end accountability. Expect them to pick one sensitive item — a backup tape, an issued encrypted drive — and trace it from issuance to current location, or from retirement to destruction certificate. And expect a live test: plug an unauthorized USB device into a standard corporate laptop and see whether the port-control policy on paper matches the machine.
Why It Matters
Media incidents are quiet incidents. A compromised server generates logs, alerts, and a timeline; a missing tape generates nothing until the next restore attempt or audit — sometimes months later, sometimes never. By then the exposure window is unknowable, which is precisely what makes regulators and customers assume the worst. The density problem makes it worse every year: a single misplaced drive can now hold a complete database, a full mailbox export, or years of backups.
The risk runs in both directions. Outbound, unmanaged media is the simplest exfiltration channel there is — no malware, no command-and-control, just a pocket. Inbound, untrusted USB devices remain a standard malware delivery vector and the classic way threats jump into otherwise segmented environments. And the accumulation effect matters: dozens of individually minor, unclassified media items can collectively hold a fairly complete picture of the business, so the aggregate deserves protection even when no single item seems to.
- One lost drive can equal your whole database – modern media density means a single unencrypted device can carry what would once have filled a server room, and one loss event exposes all of it.
- Silent loss defeats detection – no log fires when a tape vanishes from a vault or a drive from a drawer; discovery typically happens at the next restore, audit, or reconciliation, when the response window has long closed.
- A quick format leaks history – formatting does not erase data; reissued or resold media routinely carries recoverable files from its previous life.
- Inbound media carries malware – unmanaged USB remains a proven infection path, including into environments your network controls otherwise isolate.
- Transport is the weakest leg – couriered media changes hands repeatedly; without sealed packaging, custody records, and encryption, a lost shipment is both unexplainable and indefensible.
Regional Compliance Context
In India, the DPDP Act 2023 makes a lost media item carrying personal data a potential personal data breach, with intimation duties to the Data Protection Board and affected individuals — encryption of media contents is what keeps a courier mishap from becoming a notifiable event. RBI-regulated entities should also expect supervisory scrutiny of how media holding customer data is moved, stored, and destroyed, with records to match; offsite tape vaulting through third parties is still common in Indian banking and makes the chain-of-custody discipline genuinely load-bearing.
The Saudi PDPL and UAE federal PDPL raise the same breach considerations for organizations in the Gulf. In every one of these regimes the practical equation is identical: encrypted media plus a documented custody and destruction trail turns a physical loss into a closed incident rather than a regulatory filing.
Implementation Guidance
Set your removable-media stance in policy
Write a topic-specific policy that covers the full life cycle — acquisition, registration, use, transport, reuse, disposal — and takes an explicit position on removable media. For most organizations the defensible default is deny-by-default with a governed exception process. Align handling rules to your classification scheme so the policy says what each class of information may and may not live on.
Enforce port control on endpoints
Implement the policy technically through your MDM or endpoint protection platform: block USB mass storage by default, allowlist only issued encrypted devices, and log mount events. Make exceptions time-bound with a recorded approval and an expiry date, and review the exception list quarterly — an exception list that only ever grows is a finding waiting to happen.
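A review of logged mount events against the allowlist of issued devices, as an added example that is not from the page or any particular product: it assumes a constructed CSV export from the MDM/EPP platform, and the device serials, custodians and exception expiry dates are made up.

```python
"""Review USB mount events against the issued-device allowlist.

Added example, not from the original page. It assumes a constructed CSV export
of mount events from an MDM/EPP platform and an allowlist built from the media
register (device serial, custodian, exception expiry); all values are made up.
"""
import csv
import io
from datetime import date

# Constructed allowlist: issued hardware-encrypted drives keyed by serial, with
# the custodian and the expiry date of the removable-media exception.
ISSUED_DEVICES = {
    "ENC-00417": {"custodian": "a.rao", "exception_expires": "2025-09-30"},
    "ENC-00422": {"custodian": "m.khan", "exception_expires": "2025-03-31"},
}

# Constructed MDM export: one row per mass-storage event on a managed endpoint.
MOUNT_LOG = """\
timestamp,host,user,serial,action
2025-06-02T09:12:41,WKS-017,a.rao,ENC-00417,mount
2025-06-02T09:40:08,WKS-017,a.rao,ENC-00417,unmount
2025-06-02T10:03:15,WKS-044,j.lee,ENC-00417,mount
2025-06-02T11:47:02,WKS-088,p.iyer,0019E06B4C7A,mount
2025-06-02T13:20:55,WKS-012,m.khan,ENC-00422,mount
"""


def review_mount_events(log_text, issued, today):
    """Return (timestamp, host, code) for every mount event needing follow-up."""
    today = date.fromisoformat(today)
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "mount":
            continue
        device = issued.get(row["serial"])
        if device is None:
            # Not an issued device: with deny-by-default port control this means
            # the policy is not applied on that endpoint or the allowlist is stale.
            findings.append((row["timestamp"], row["host"], "UNREGISTERED"))
        elif today > date.fromisoformat(device["exception_expires"]):
            # Device still mounts after its time-bound approval lapsed.
            findings.append((row["timestamp"], row["host"], "EXPIRED_EXCEPTION"))
        elif row["user"] != device["custodian"]:
            # Issued device in use by someone other than its registered holder.
            findings.append((row["timestamp"], row["host"], "NON_CUSTODIAN"))
    return findings
```

Run it on the real export on the same cadence as the exception-list review; an UNREGISTERED finding is the live port-control test failing without the auditor present.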
Register and label sensitive media
Maintain a media register for issued and sensitive media: serial or asset ID, classification, custodian, location, and issue and return dates. Label items in line with your A.5.13 labelling conventions so handling rules travel with the object. Keep the registered estate deliberately small — default-deny port control is what makes registration feasible instead of fictional.
Encrypt removable media by default
Issue hardware-encrypted drives, or enforce OS-level removable-media encryption, for anything that will carry non-public information. Manage recovery keys centrally rather than leaving them with individual users. Treat any unencrypted media use as a documented, risk-accepted exception with a named owner and an end date.
Control physical transport with chain of custody
For media moving between sites or to vaulting and disposal vendors, use vetted couriers under contract, tamper-evident numbered packaging, and a custody record capturing what moved (by reference ID), who sent and received it, and when, with signatures at both ends. Encrypt contents regardless, so a transport loss is an inconvenience rather than a disclosure. Confirm receipt as a closing step, not an assumption.
Sanitize before reuse, destroy with evidence
Define sanitization methods per media type — cryptographic erase or vendor secure-erase for SSDs and flash, overwriting or degaussing for magnetic media, physical destruction where assurance demands it — and verify the result before any reissue. At end of life, use a disposal vendor that issues itemized certificates of destruction, and keep a disposal log tying each retired item to its certificate. This is the seam between A.7.10, A.7.14, and A.8.10.
Reconcile and test the life cycle periodically
On a quarterly or semiannual cycle, reconcile the media register against physical holdings, sample endpoint port-control configurations, and review the exception list for expiry. Once a year, pull a retired item's trail end to end — issuance to destruction certificate — and try mounting an unauthorized USB device on a standard build. Fix what the test finds and record both.
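The register reconciliation and end-to-end trail check described above, as an added example that is not the page's own procedure: it assumes constructed register, physical-count and disposal-log data using the fields the guidance names, with made-up asset ids and certificate references.

```python
"""Quarterly media register reconciliation and destruction-trail check.

Added example, not from the original page. The register, physical count and
disposal log below are constructed with the fields the guidance names; the
asset ids and certificate references are made up.
"""

# Constructed media register: one row per issued or sensitive item.
REGISTER = [
    {"asset_id": "TAPE-0139", "classification": "Confidential", "custodian": "backup-ops",
     "location": "Vault-B (vendor)", "status": "retired"},
    {"asset_id": "TAPE-0147", "classification": "Confidential", "custodian": "backup-ops",
     "location": "Vault-B (vendor)", "status": "in_use"},
    {"asset_id": "TAPE-0152", "classification": "Confidential", "custodian": "backup-ops",
     "location": "disposed", "status": "retired"},
    {"asset_id": "ENC-00398", "classification": "Internal", "custodian": "m.khan",
     "location": "disposed", "status": "retired"},
    {"asset_id": "ENC-00405", "classification": "Confidential", "custodian": "j.lee",
     "location": "Desk 4.12", "status": "in_use"},
    {"asset_id": "ENC-00417", "classification": "Confidential", "custodian": "a.rao",
     "location": "Desk 3.07", "status": "in_use"},
]

# Constructed physical count: what the sweep and the vendor vault inventory found.
PHYSICAL_COUNT = {"TAPE-0139", "TAPE-0147", "ENC-00417", "SD-0031"}

# Constructed disposal log: retired asset id -> itemized certificate of destruction.
DISPOSAL_LOG = {"TAPE-0139": "CERT-2025-0071", "TAPE-0152": "CERT-2025-0088"}


def reconcile(register, physical, disposal_log):
    """Return finding category -> sorted asset ids; each is a broken life-cycle link."""
    registered = {r["asset_id"] for r in register}
    in_use = {r["asset_id"] for r in register if r["status"] == "in_use"}
    retired = {r["asset_id"] for r in register if r["status"] == "retired"}
    certified = set(disposal_log)
    return {
        # On the register as in use, but not found: treat as a potential loss incident.
        "missing": sorted(in_use - physical),
        # Found but never registered: the drawer problem; wipe or destroy and record.
        "unregistered": sorted(physical - registered),
        # Retired with no certificate: the link that most often breaks at disposal.
        "no_destruction_certificate": sorted(retired - certified),
        # Certified as destroyed yet still on the shelf: the certificate is unreliable.
        "certified_but_present": sorted(retired & certified & physical),
    }
```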
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.7.10:
Documentation
- Storage media policy covering acquisition, registration, use, transport, reuse, and disposal
- Media register showing classification, custodian, location, and issue and return dates for sensitive media
- Chain-of-custody records and courier agreements for media transported between sites or to vendors
- Sanitization and disposal log with itemized certificates of destruction from disposal vendors
- Port-control configuration evidence plus the removable-media exception list with approvals and expiry dates
Interviews
- IT administrator about how media is issued and encrypted and how USB port restrictions are enforced
- Backup or operations staff about media rotation, offsite vaulting, and transport handoffs
- An employee holding a removable-media exception about the rules and approvals they operate under
Observations
- A live attempt to mount an unauthorized USB storage device on a standard corporate endpoint
- Inspection of media storage conditions — safes, fireproof cabinets, labeling — against the register
- Tracing one sampled register entry to the physical item in hand or to its destruction certificate
Practitioner Insights

Findings against this control rarely come from the managed media — they come from the drawer. Almost every office has one: USB sticks from old events, retired laptops with disks still inside, SD cards from a camera nobody remembers buying. Do a physical media sweep before your audit — collect, wipe or destroy, and record what you did — and check the multifunction printers while you are at it, because many contain hard disks that hold copies of everything they ever scanned. An hour of housekeeping with a one-page record beats explaining a box of mystery drives to an auditor.

I do not start this control at the policy. I pick one sensitive item from the register — usually a backup tape or an issued encrypted drive — and ask the team to walk me through its life: who issued it, where it is right now, and what will happen when it retires. The chain almost always breaks at disposal: media went to a vendor at some point and nobody can produce a certificate of destruction. Remember the accumulation argument as well — a pile of individually harmless unclassified media can collectively reconstruct the business, so govern the aggregate, not just the items stamped confidential.
Common Challenges & Solutions
Challenge
A blanket USB ban breaks legitimate workflows — OT engineers, AV teams, client data deliveries — so people route around it.
Solution
Keep deny-by-default but build a real exception path: issued hardware-encrypted drives, time-bound approvals, and logging of mount events. Then remove the demand by providing a sanctioned alternative for large transfers, such as a managed file-transfer service, so the USB stick stops being the path of least resistance. A ban people obey beats a stricter one they bypass.
Challenge
The media register exists, but it drifted from reality within months of being created.
Solution
Shrink the problem before managing it — port control and fewer issued devices mean fewer register rows. Tie issuance and return to a ticket so the register updates as a side effect of process, not as a memory exercise, and reconcile against physical holdings quarterly. A register of 30 accurate entries is worth more than one of 300 stale ones.
Challenge
Embedded media leaves the building unnoticed — disks inside printers, copiers, and leased or returned equipment.
Solution
Add embedded storage to the disposal and lease-return checklist so no equipment leaves without a media decision. Put it in vendor contracts: leased multifunction devices are returned only after certified disk sanitization or with the disk removed and retained. This is the A.7.14 boundary — one verified sanitization step covers both controls.
Challenge
Backup tapes travel to an offsite vault with a third party, and nobody can evidence custody in between.
Solution
Contract the courier and vault with explicit security terms, use sealed numbered containers, and capture signatures at both ends of every movement. Encrypt tape contents so a transit loss is not a disclosure, and audit the vault inventory against your rotation schedule at least annually. If the vendor cannot support custody records, that is your answer about the vendor.
Challenge
Retired media accumulates for years because nobody is authorized — or willing — to destroy it.
Solution
Create a destruction calendar driven by your retention schedule and name an owner with explicit authority to execute it. Run periodic destruction events with a certified vendor — witnessed shredding or degaussing with itemized certificates — and log each item against its certificate. Storage of dead media is not caution; it is unmanaged risk with a floor space cost.