The purpose of this ISO27001 control is to focus our attention on the safe storage of data, using storage media. We use storage media as a convenient method of transferring data, but due to its ease of purchase and use, it also presents a risk that we need to manage.
For the purposes of ISO27001, the storage media you should consider include the following:
Mobile devices
Flash drives (i.e. USB devices)
Memory cards (often used in cameras)
Hard drives (internal or external)
NAS (Network-Attached Storage) Drives
DVD or CDs
Tape (yes, still used in certain places!)
Microfiche
Dependent upon the use of paper files, you might also consider paper files as storage media too.
Many organisations still rely on physical media, such as drawings (in architecture) and legal documents (in the legal or medical sectors). These contain significant information which needs to be protected. You need to manage this type of media differently because it presents a different risk.
What does the standard require?
The standard states that “Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation’s classification scheme and handling requirements.” (A7.10 – Storage media).
Note that there are four elements to this control that need to be considered.
Acquisition
What kind of storage media are you buying, and why? Do you need encrypted thumb-drives? Are DVDs and CDs still the best media to use?
Use
Are they used across your organisation? Does everyone use them, or just a specific department? For example, if you need to take a lot of photos using a professional camera, then you might use memory cards (e.g. Secure Digital (SD) cards). Some organisations use external hard drives to back up their data, which is then taken home each evening by the business owner. Is this OK?
Transportation
How are you transporting the storage media? Is it in the CEO’s briefcase? If you need to send a thumb-drive to a supplier, do you use registered post and a reputable courier to ensure it’s delivered safely?
Disposal
How do you dispose of media? When you scan and store paper files digitally, how do you destroy the original documents? What is your process for disposing of old storage media, such as thumb-drives, NAS or hard drives? Are they destroyed by a specialist, or do you give them away to employees?
Why is this required?
Without consideration for this ISO27001 control, data can quickly become vulnerable to loss, theft or unauthorised access, leading to data breaches, compliance issues and reputation damage.
Working with a law firm, we discovered that the department that dealt with personal injury claims would routinely send medical records to medical experts on thumb-drives. Looking at the different aspects of this control, we quickly identified a number of risks, including:
Thumb-drives were not encrypted
Transportation of the thumb-drives was through standard mail, and therefore prone to loss
No records or instructions in place on how to dispose of the thumb-drives
Data no longer lives safely in cloud environments or in server rooms; it lives on devices which sit in your hand, or in your pocket.
What the auditor is looking for
Because of the nature of storage media, the auditor will be looking for evidence of a range of security measures that take the different types into consideration. These measures typically include:
Media Management policy (A5.1 – Information Security Policies)
Destruction of media processes (A7.14 - Secure disposal or re-use of equipment)
Classification Scheme (A5.12 - Classification of information)
Secure storage of storage media (A7.3 - Securing offices, rooms and facilities)
Encryption is enabled on applicable devices (A8.24 - Use of cryptography)
Supplier Agreements (A5.20 - Addressing information security within supplier agreements)
Awareness, Education and Training for personnel
Risk Register
Audit reports
Incident Logs
What do you need to do?
First, identify the storage media that your business uses. Consider using the list provided at the top of this post for inspiration and ideas. Once you know what you have, you can develop a policy that specifically outlines your expectations for the acquisition, use, transport and destruction of the media.
Meet with your Management Review Team (MRT) to discuss each of these points and identify any risks associated with each step. You will then decide on any further mitigating controls and actions you would need to implement (e.g. purchasing encrypted thumb-drives or using a specific courier for safe transportation).
Once you have a workable policy, and any supporting processes you need, communicate these to your team and interested parties so that they know what is required of them.
If you are sharing storage media externally with clients, suppliers and other interested parties then you should review any contracts and agreements in place, to ensure there is some appreciation of what security means to them. This is covered in ISO27001 Annex A Control A5.20 (Addressing information security within supplier agreements).
Finally, ensure you conduct regular audits and reviews of these policies and processes. Of course this is important for all controls, but because of the diverse nature of storage media, your approach here might be to go a little deeper (e.g. checking a log of thumb-drives, and then counting how many are still in storage).
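The steps above amount to keeping a register of each item of media through the four lifecycle stages and then checking that register against reality. As an added illustration (not part of the original post, and not a tool the authors or ISO27001 supply), the following Python script models such a register: it applies lifecycle events in order, flags transitions the lifecycle does not permit, flags confidential data leaving the site on unencrypted media, flags a disposal recorded without a destruction method, and finally reconciles the register against a physical count of what is in the secure cabinet, which is the audit check the last paragraph describes. All media identifiers, holders and classifications are constructed sample data.

```python
"""Storage media register with lifecycle checks and a storage reconciliation.

Constructed example: media IDs, holders and events are invented sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    ACQUIRED = "acquired"      # bought and logged, held in secure storage
    IN_USE = "in_use"          # issued to a named holder inside the business
    IN_TRANSIT = "in_transit"  # sent to a third party by post or courier
    DISPOSED = "disposed"      # destroyed or securely wiped; end of life


# Transitions the A7.10 lifecycle allows. Disposal is terminal, and media
# must come back into use or storage before it can be disposed of.
ALLOWED = {
    Stage.ACQUIRED: {Stage.IN_USE, Stage.IN_TRANSIT, Stage.DISPOSED},
    Stage.IN_USE: {Stage.ACQUIRED, Stage.IN_TRANSIT, Stage.DISPOSED},
    Stage.IN_TRANSIT: {Stage.IN_USE, Stage.ACQUIRED},
    Stage.DISPOSED: set(),
}


@dataclass
class Media:
    media_id: str
    kind: str               # e.g. "thumb-drive", "external-hdd", "sd-card"
    classification: str     # label from the organisation's own scheme
    encrypted: bool
    stage: Stage = Stage.ACQUIRED
    holder: str = "secure-cabinet"


@dataclass
class Event:
    media_id: str
    stage: Stage
    holder: str = ""
    disposal_method: str = ""   # required when stage == DISPOSED


def apply_events(register, events):
    """Apply events in order; return a list of human-readable findings."""
    findings = []
    by_id = {m.media_id: m for m in register}
    for ev in events:
        m = by_id.get(ev.media_id)
        if m is None:
            findings.append(f"{ev.media_id}: event for media not in register")
            continue
        if ev.stage not in ALLOWED[m.stage]:
            findings.append(f"{m.media_id}: illegal transition "
                            f"{m.stage.value} -> {ev.stage.value}")
            continue  # leave the record unchanged so the auditor sees it
        if (ev.stage == Stage.IN_TRANSIT and m.classification == "confidential"
                and not m.encrypted):
            findings.append(f"{m.media_id}: confidential data leaving the "
                            f"site on unencrypted {m.kind}")
        if ev.stage == Stage.DISPOSED and not ev.disposal_method:
            findings.append(f"{m.media_id}: disposal recorded without a "
                            f"destruction method")
        m.stage = ev.stage
        m.holder = "secure-cabinet" if ev.stage == Stage.ACQUIRED else (
            ev.holder or m.holder)
    return findings


def reconcile_storage(register, counted_in_cabinet):
    """Compare what the register says is in storage with a physical count."""
    expected = sorted(m.media_id for m in register if m.stage == Stage.ACQUIRED)
    missing = sorted(set(expected) - set(counted_in_cabinet))
    unexpected = sorted(set(counted_in_cabinet) - set(expected))
    return {"expected": expected, "missing": missing, "unexpected": unexpected}


def run_sample():
    """Build the constructed register and events, return (findings, recon)."""
    register = [
        Media("USB-001", "thumb-drive", "confidential", encrypted=True),
        Media("USB-002", "thumb-drive", "confidential", encrypted=False),
        Media("USB-003", "thumb-drive", "confidential", encrypted=True),
        Media("HDD-001", "external-hdd", "confidential", encrypted=True),
        Media("HDD-002", "external-hdd", "internal", encrypted=True),
        Media("SD-001", "sd-card", "internal", encrypted=False),
    ]
    events = [
        Event("USB-001", Stage.IN_USE, "claims-team"),
        Event("USB-001", Stage.IN_TRANSIT, "registered post to medical expert"),
        Event("USB-002", Stage.IN_TRANSIT, "standard post"),        # finding
        Event("HDD-001", Stage.IN_USE, "owner nightly backup"),
        Event("SD-001", Stage.DISPOSED, "", ""),                    # finding
        Event("USB-002", Stage.DISPOSED, "", "shredded"),           # finding
        Event("USB-999", Stage.IN_USE, "finance"),                  # finding
    ]
    findings = apply_events(register, events)
    # Physical count of the cabinet: USB-001 turned up although the register
    # says it is in transit, and HDD-002 cannot be found.
    recon = reconcile_storage(register, ["USB-003", "USB-001"])
    return findings, recon


if __name__ == "__main__":
    found, rec = run_sample()
    print("\n".join(found))
    print(rec)
```

Each finding maps back to one of the four elements of the control: the unencrypted drive in the post is a transportation failure, the missing destruction method is a disposal failure, and the reconciliation mismatch is exactly the "count how many are still in storage" check suggested above. The same structure extends to paper files by treating each file box as a media record with its own classification.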
Q & A
Can I use personal storage devices at work?
This depends on your company policy, but we would suggest avoiding this idea as controlling the media, once data is placed upon it, would be difficult. Yes, you can control this through contracts and policies, but it is far better to restrict the use of storage media to company-owned devices.
Difficulty rating
We rate this control 2.5 out of 5 for difficulty. This ISO27001 control can become a little more technical than other controls. However, you still need to assess the risk to your business based on how you use storage media.
You will need to communicate why this is important, and what you expect, so that you bring everyone along on the journey. Remember that you might change the way the business has operated for a long time (without an issue), and therefore, you may experience some resistance if you try to make a radical change.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.