ISO 27001 Control 7.10: Storage Media Management

An improperly disposed hard drive surfaces at a resale market with thousands of customer records still intact. A USB drive containing unencrypted financial data disappears somewhere between an office and a courier van. Most organizations have a media handling policy on paper, but the gap between that document and operational reality is where data breaches happen. ISO 27001 Control 7.10 exists to close that gap by forcing lifecycle discipline onto every piece of storage media your organization touches.

What 7.10 requires

ISO/IEC 27001:2022 Annex A 7.10 is a physical security control that prevents unauthorized disclosure, modification, or loss of information stored on removable and physical media by requiring organizations to manage that media across its full lifecycle. The control itself requires that storage media be managed through their lifecycle of acquisition, use, transportation and disposal, in accordance with the organization's classification scheme and handling requirements.

In practice, this means tracking media from the moment it enters your environment to the moment it’s destroyed. Acquisition, classification, day-to-day handling, secure transportation between sites, and verified final disposal all fall under 7.10’s scope. The control covers digital media like USB drives, Solid-State Drives (SSDs), backup tapes, and optical discs alongside physical media such as paper files and printed records.

Handling requirements must align with your organization’s data classification scheme. A USB drive carrying public marketing materials doesn’t need the same controls as one holding personally identifiable information. This classification-driven approach means you need clearly defined tiers of handling procedures, not a single blanket policy applied uniformly across all media types.

The operational challenge most organizations face isn’t writing the policy. It’s maintaining a living inventory of issued media, enforcing handling procedures consistently, and proving that disposal actually happened according to the documented standard. Without lifecycle tracking, media drifts into unmanaged territory where the risk of exposure grows with every unaccounted device.

What separates compliant organizations from those that merely have a policy document is the evidence trail. Every stage of the media lifecycle should produce a record. Acquisition logs, classification labels, handling acknowledgments, transport receipts, and destruction certificates form the documentation backbone that auditors expect to see during a certification assessment.

Why 7.10 matters

An organization decommissions a data center. Hundreds of drives are pulled from racks and palletized for disposal. A logistics vendor picks them up, but no chain-of-custody log is maintained, and no sanitization occurs before transport. Three months later, a security researcher purchases several of those drives from an electronics resale shop and recovers customer databases, employee records, and authentication credentials. The organization faces regulatory penalties, mandatory customer notification, and reputational damage that no incident response plan can undo.

This scenario isn’t a sophisticated cyber attack. It’s a physical media control failure, and it’s one of the most overlooked risk vectors in enterprise security. As the complete guide to data breaches illustrates, the consequences of uncontrolled exposure extend well beyond the initial incident. Organizations invest heavily in network defenses, endpoint detection, and Security Information and Event Management (SIEM) tooling while leaving storage media disposal to informal processes with no verification. The consequences mirror those of a network breach. Regulatory fines under frameworks like the General Data Protection Regulation (GDPR), contractual liability with customers, and loss of trust that takes years to rebuild all follow from a single uncontrolled disposal event.

The risk compounds in organizations with distributed operations. Remote offices, field teams, and third-party processors all handle media with varying levels of discipline. Without centralized oversight, each location becomes a potential point of failure where a single untracked drive can trigger a reportable incident.

Data breach via physical media is categorically different from a network intrusion in one important respect. There’s often no detection mechanism. A compromised firewall triggers alerts. A stolen drive sitting in someone’s desk drawer generates nothing. By the time the exposure is discovered, the data has already been accessed, copied, or sold, and the window for containment has closed. This makes prevention through rigorous lifecycle controls the only viable strategy.

What attackers exploit

Storage media failures follow predictable patterns that adversaries and opportunists actively target:

  • Unencrypted USB drives lost or stolen during transport. Portable media moving between facilities is vulnerable to theft, misplacement, and interception, especially when encryption isn’t enforced at the endpoint level.
  • Drives disposed without sanitization. A quick format rewrites only the filesystem metadata (allocation tables and directory entries) and leaves the data blocks in place, fully recoverable with freely available file-carving tools. Formatting is not secure erasure.
  • No chain-of-custody tracking. Media “disappears” between departments or during office moves with no record of who last possessed it or where it went.
  • Orphaned backup tapes in offsite storage. Tapes from retired backup systems sit in storage facilities for years with no access controls, no inventory reviews, and no disposal schedule.
  • Personal devices used for data transfer without endpoint restrictions. Employees copy files to personal USB drives or external hard drives, bypassing Data Loss Prevention (DLP) controls entirely.
  • Dumpster diving for improperly shredded paper records. Cross-cut shredding is often skipped in favor of strip shredding or no shredding at all, leaving reconstructable documents in waste streams.

NIST SP 800-88 Rev. 1 defines three sanitization levels (Clear, Purge, and Destroy) that provide the technical foundation for media disposal decisions referenced throughout 7.10 implementation.
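To make the "formatting is not secure erasure" point concrete, here is an added example (not code from the original article, and not a real filesystem): a toy disk image with a made-up directory table, a quick format that zeroes only that table, a content-based carve that ignores the table, and a Clear-style overwrite of every sector. The sector layout, the record format and the sample customer records are all constructed for the demonstration.

```python
import re
import struct

SECTOR = 512
DIR_SECTORS = 4                      # sectors 0..3 hold the (made-up) directory table
IMAGE_SECTORS = 64
DIR_BYTES = SECTOR * DIR_SECTORS
DIR_ENTRY = struct.Struct("<16sII")  # name (16 bytes), start sector, length in bytes

# Constructed sample records standing in for "customer data"; not real people.
SAMPLE_RECORDS = [
    b"CUSTOMER|id=1001|name=Example Person|iban=XX00EXAMPLE1001\n",
    b"CUSTOMER|id=1002|name=Another Person|iban=XX00EXAMPLE1002\n",
]
RECORD_RE = re.compile(rb"CUSTOMER\|id=\d+\|name=[^|\n]+\|iban=[A-Z0-9]+")


def new_image() -> bytearray:
    """An all-zero image: directory table followed by a data region."""
    return bytearray(SECTOR * IMAGE_SECTORS)


def write_file(img: bytearray, name: str, data: bytes, start_sector: int) -> None:
    """Store data at start_sector and record it in the first free directory slot."""
    for off in range(0, DIR_BYTES, DIR_ENTRY.size):
        if not any(img[off:off + DIR_ENTRY.size]):          # all-zero slot is free
            DIR_ENTRY.pack_into(img, off, name.encode().ljust(16, b"\0"),
                                start_sector, len(data))
            break
    else:
        raise ValueError("directory full")
    pos = start_sector * SECTOR
    img[pos:pos + len(data)] = data


def list_files(img: bytearray) -> list[str]:
    """What a normal mount shows: only what the directory table still points to."""
    names = []
    for off in range(0, DIR_BYTES, DIR_ENTRY.size):
        raw_name, _, length = DIR_ENTRY.unpack_from(img, off)
        if length:
            names.append(raw_name.rstrip(b"\0").decode())
    return names


def quick_format(img: bytearray) -> None:
    """Quick format: rewrite the metadata region only; data sectors are untouched."""
    img[:DIR_BYTES] = bytes(DIR_BYTES)


def clear_overwrite(img: bytearray) -> None:
    """NIST SP 800-88 'Clear' for magnetic media: overwrite every user-addressable sector."""
    img[:] = bytes(len(img))


def carve(img: bytearray) -> list[bytes]:
    """Content-based carving, as forensic tools do: ignores the directory table entirely."""
    return [m.group(0) for m in RECORD_RE.finditer(bytes(img))]


def run_demo() -> dict:
    """Return (listed files, carved record count) after each stage."""
    img = new_image()
    write_file(img, "customers.csv", b"".join(SAMPLE_RECORDS), start_sector=8)
    result = {"before": (list_files(img), len(carve(img)))}
    quick_format(img)
    result["after_quick_format"] = (list_files(img), len(carve(img)))
    clear_overwrite(img)
    result["after_clear"] = (list_files(img), len(carve(img)))
    return result


if __name__ == "__main__":
    for stage, (files, carved) in run_demo().items():
        print(f"{stage:18s} directory lists {files or 'nothing'}; carving recovers {carved} record(s)")
```

After the quick format the directory lists nothing, yet carving still recovers both records; only the full overwrite empties the carve. On real HDDs the same holds. On SSDs even a full overwrite is not a reliable Clear, because wear levelling and over-provisioned blocks can retain copies the host cannot address, which is why SP 800-88 points to the drive's built-in sanitize command or cryptographic erase (Purge) for flash media.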

How to implement 7.10

For your organization

Implementing 7.10 requires moving from policy statements to enforceable, evidence-producing procedures. The ISO 27001 implementation checklist provides a broader framework for this transition. The following steps build a defensible program.

1. Create a storage media inventory. Catalog every piece of removable media issued within your organization. This includes USB drives, external hard drives, backup tapes, optical discs, and any portable storage devices. Each item should have a unique identifier, an assigned owner, a data classification level, and a recorded issuance date. Without this register, you cannot track what exists, let alone manage its lifecycle.

2. Define handling procedures tied to your data classification scheme. Each classification tier should map to specific handling requirements. Confidential media might require encryption at rest and locked storage when not in use, while internal-only media might only need access controls. Document these procedures and make them accessible to every employee who handles media.

3. Implement technical controls. Endpoint management platforms like Microsoft Intune or Jamf can restrict USB port access, enforce mandatory encryption on removable devices, and prevent unauthorized media from connecting to corporate systems. DLP solutions add another layer by monitoring and blocking sensitive data transfers to unmanaged devices.

4. Establish transport procedures. When media moves between sites, use secure couriers with tamper-evident packaging and maintain chain-of-custody logs. Every handoff should be documented with timestamps, sender and receiver identities, and media identifiers. This documentation becomes critical audit evidence.

5. Define disposal procedures. Align your disposal process with NIST SP 800-88 Rev. 1 sanitization levels. Clear (a logical overwrite of all user-addressable locations) suits media that stays inside the organization for reuse, but overwriting is not dependable on SSDs, where wear levelling and over-provisioned blocks can hold copies the host cannot address; use the drive's built-in sanitize command or cryptographic erase instead, both of which are Purge methods. Purge (cryptographic erase, ATA or NVMe sanitize, or degaussing of magnetic media) applies to media leaving your control; note that degaussing leaves a modern drive unusable, and cryptographic erase only counts if the drive was encrypted for its entire service life and the key is verifiably destroyed. Destroy (physical disintegration, shredding, or incineration) is required for the highest classification levels. Require certificates of destruction from certified vendors, linked to specific asset IDs in your inventory. Even though NIST 800-88 provides a clear sanitization framework, Blancco found that only approximately 21% of organizations globally require it, which means your disposal procedures already put you ahead of most peers if you adopt this standard.

6. Assign ownership and review cadence. Designate a media custodian responsible for maintaining the inventory, enforcing procedures, and conducting periodic audits. Quarterly reviews of the media register, combined with spot checks of handling compliance, keep the program from going stale.

Evidence to produce: media inventory register, handling procedures documentation, transport and chain-of-custody logs, and certificates of destruction. Common tooling that supports these workflows includes endpoint management platforms (Microsoft Intune, Jamf), DLP solutions for monitoring data transfers, and certified destruction vendors who provide auditable certificates tied to individual asset IDs.

Common mistakes that undermine implementation:

  • Treating a quick format as secure disposal when data remains fully recoverable
  • Maintaining no inventory of issued removable media, making lifecycle tracking impossible
  • Policies existing in document management systems but not enforced technically, with USB ports left unrestricted across the fleet
  • Forgetting backup tapes and optical media sitting in offsite storage facilities
  • No process for collecting and sanitizing media returned by departing employees

For your vendors

When assessing third-party compliance with 7.10, your vendor risk assessment should probe operational reality rather than accept policy documents at face value.

Questions to ask:

  • “Describe your storage media disposal procedures, including the sanitization standard you follow.”
  • “Do you maintain chain-of-custody documentation for media in transit?”
  • “How do you track removable storage devices issued to employees?”

Evidence to request: media handling policy, certificates of destruction with asset-level detail, sanitization logs referencing specific standards, and endpoint management configuration evidence showing enforcement of encryption and port restrictions.

Red flags that indicate weak controls:

  • “We format drives before disposal” without reference to a sanitization standard
  • No certificates of destruction available for review
  • No documented media inventory or asset tracking system
  • Vague answers about encryption like “we encrypt everything” without specifying what, where, and how enforcement works

Verification methods: Request a sample certificate of destruction and verify the destruction vendor holds relevant certifications such as NAID AAA. Ask for screenshots or export reports from endpoint management platforms showing USB restriction policies. Cross-reference their media handling policy against their actual disposal records to check for consistency.

A structured third-party risk assessment process helps standardize these evaluations. The goal of third-party assessment isn’t to find a vendor with a perfect score. It’s to understand whether they have operational controls that produce evidence and whether those controls align with your own classification requirements. A vendor that can produce a certificate of destruction for every drive they’ve retired in the past 12 months demonstrates stronger controls than one that can only point to a policy document. Evaluate the gap between their documented procedures and the artifacts they can actually provide on request.

Audit evidence for 7.10

Auditors assessing 7.10 look for documented proof that your media handling program is operational, not aspirational. They typically start with the media inventory register and work outward, checking that each stage of the lifecycle has corresponding documentation. Gaps between the inventory and disposal records are the most common finding, often indicating media that was issued but never formally retired.
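The inventory-to-disposal reconciliation that auditors perform, and that the implementation steps above call for, can be scripted. The following is an added example, not tooling from the original article or from any vendor. The CSV columns, asset IDs, vendor names and certificate references are constructed, and the required-level rule encodes the NIST SP 800-88 Rev. 1 mapping used in step 5: Clear for media reused internally, at least Purge for media leaving the organization's control, Destroy for the highest tier. It flags retired media with no certificate, certificates that match no registered asset, certificates whose level falls short of what the classification and disposition require, and "format" logged as a sanitization method.

```python
import csv
import io

# Constructed register export (hypothetical columns): one row per issued device.
REGISTER_CSV = """asset_id,media_type,classification,owner,status,disposition
MED-0001,USB,Confidential,alice,retired,reused_internally
MED-0002,HDD,Confidential,bob,retired,left_org
MED-0003,TAPE,Restricted,ops,retired,left_org
MED-0004,SSD,Internal,carol,issued,
MED-0005,USB,Confidential,dave,retired,left_org
"""

# Constructed sanitization/destruction log: one certificate per asset ID.
CERTS_CSV = """asset_id,method,level,vendor,certificate_ref
MED-0001,single-pass overwrite,Clear,internal,SAN-0007
MED-0002,quick format,Clear,internal,SAN-0008
MED-0003,shred,Destroy,Example Shredding Ltd,COD-88123
MED-0009,degauss,Purge,Example Shredding Ltd,COD-88124
"""

LEVEL_RANK = {"Clear": 1, "Purge": 2, "Destroy": 3}   # NIST SP 800-88 Rev. 1 ordering


def required_level(classification: str, disposition: str) -> str:
    """Minimum sanitization level for a retired item; mirrors the rule in step 5."""
    if classification == "Restricted":          # highest tier: physical destruction
        return "Destroy"
    if disposition == "left_org":               # resold, returned to a lessor, sent to a vendor
        return "Purge"
    return "Clear"                              # reused inside the organization


def reconcile(register_text: str, certs_text: str) -> list[tuple[str, str]]:
    """Return sorted (asset_id, finding) pairs for every gap between register and certificates."""
    register = {r["asset_id"]: r for r in csv.DictReader(io.StringIO(register_text))}
    certs = {c["asset_id"]: c for c in csv.DictReader(io.StringIO(certs_text))}
    findings = []
    for asset_id, row in register.items():
        if row["status"] != "retired":
            continue                            # still in service; nothing to reconcile yet
        cert = certs.get(asset_id)
        if cert is None:
            findings.append((asset_id, "retired_without_certificate"))
            continue
        if "format" in cert["method"].lower():  # the "we format drives" red flag
            findings.append((asset_id, "format_is_not_sanitization"))
        need = required_level(row["classification"], row["disposition"])
        have = LEVEL_RANK.get(cert["level"], 0)  # unknown level counts as nothing
        if have < LEVEL_RANK[need]:
            findings.append((asset_id, f"insufficient_sanitization: {cert['level']} < {need}"))
    for asset_id in certs.keys() - register.keys():
        findings.append((asset_id, "certificate_for_unknown_asset"))
    return sorted(findings)


if __name__ == "__main__":
    for asset_id, finding in reconcile(REGISTER_CSV, CERTS_CSV):
        print(f"{asset_id}: {finding}")
```

Run against the constructed data it reports MED-0002 twice (a quick format logged as Clear, and Clear where Purge was required for a drive that left the organization), MED-0005 as retired with no certificate, and MED-0009 as a certificate for an asset the register has never seen. Each of those is exactly the kind of gap an auditor will find by hand if the custodian does not find it first.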

Prepare the following evidence types before your audit engagement.

Evidence type               | Example artifact
----------------------------|--------------------------------------------------------------------------------------------------
Policy documentation        | Removable Media Policy defining approved media types, encryption requirements, and disposal procedures
Media inventory             | Register of all company-issued removable storage devices with assigned owners and data classification
Transport records           | Chain-of-custody logs for media moved between sites, courier receipts, and tamper-evident seals
Disposal certificates       | Certificates of destruction from certified vendors, linked to specific asset IDs
Technical controls evidence | Endpoint management configuration showing USB port restrictions and encryption enforcement
Sanitization records        | Logs of sanitization activities referencing NIST 800-88 levels applied per media type
Training records            | Staff acknowledgment of media handling procedures
Review records              | Minutes from periodic reviews of media handling procedures and inventory audits

Cross-framework mapping

Control 7.10 overlaps with multiple external frameworks, particularly in the NIST 800-53 media protection (MP) family. Mapping these relationships helps organizations pursuing multi-framework compliance identify where existing controls satisfy overlapping requirements and where additional work is needed to cover gaps. The NIST MP controls provide the most granular alignment, while SOC 2 and CIS Controls offer partial coverage focused on specific aspects of media handling.

Framework       | Equivalent control(s)                                  | Coverage
----------------|--------------------------------------------------------|----------------------------------------------------------------
NIST 800-53     | MA-02 (Controlled Maintenance)                         | Partial (maintenance records overlap but broader scope)
NIST 800-53     | MP-02 (Media Access)                                   | Full
NIST 800-53     | MP-04 (Media Storage)                                  | Full
NIST 800-53     | MP-05 (Media Transport)                                | Full
NIST 800-53     | MP-06 (Media Sanitization)                             | Full
NIST 800-53     | MP-07 (Media Use)                                      | Full
NIST 800-53     | PE-16 (Delivery and Removal)                           | Partial (physical entry/exit of components, broader than media)
SOC 2           | CC6.5 (Logical and Physical Access Controls: Disposal) | Partial
CIS Controls v8 | 3.9 (Encrypt Data on Removable Media)                  | Partial
NIST CSF 2.0    | PR.DS-01 (Data-at-Rest Protection)                     | Partial
DORA (EU)       | Article 9 (Protection and prevention: ICT security policies covering data transfer and access to information assets) | Partial

Control 7.10 doesn’t operate in isolation. Several adjacent controls create the broader governance structure that makes media management effective.

Control ID | Control name                                              | Relationship
-----------|-----------------------------------------------------------|----------------------------------------------------
5.9        | Inventory of information and other associated assets      | Media must appear in the asset inventory
5.10       | Acceptable use of information and other associated assets | Governs how media may be used
5.12       | Classification of information                             | Classification drives media handling requirements
5.13       | Labelling of information                                  | Labels indicate handling level for media
7.7        | Clear desk and clear screen                               | Physical media left unattended on desks
7.8        | Equipment siting and protection                           | Physical security of storage devices
7.9        | Security of assets off-premises                           | Media transported outside facilities
7.14       | Secure disposal or re-use of equipment                    | Broader disposal control that includes media
8.10       | Information deletion                                      | Logical deletion complements physical media disposal
8.24       | Use of cryptography                                       | Encryption applied to media contents

Frequently asked questions

What is ISO 27001 7.10?

ISO 27001 7.10 is a physical security control requiring organizations to manage storage media across its full lifecycle. It covers acquisition, classification, handling, transportation, and final disposal of both digital and physical media to prevent unauthorized disclosure, modification, or loss of information.

What happens if 7.10 is not implemented?

Without 7.10, organizations face uncontrolled data exposure from improperly disposed or lost media. The consequences include regulatory penalties, certification audit failures, mandatory breach notifications, and reputational damage that erodes customer trust.

How do you audit 7.10?

Auditors verify 7.10 by reviewing the media inventory, disposal certificates, transport logs, and technical controls like endpoint management configurations. They may also conduct spot checks to confirm that documented procedures match actual practice on the ground.

How UpGuard helps

Managing storage media compliance across your own organization and your vendor ecosystem requires continuous visibility into controls, evidence, and risk posture. The UpGuard platform helps security teams maintain that visibility across both first-party and third-party environments.

  • Vendor Risk: Centralizes vendor questionnaire responses, continuously monitors security posture changes, and flags gaps in media handling controls before they become audit findings.
  • Breach Risk: Monitors your external attack surface for exposed assets and misconfigurations that could indicate uncontrolled media or data leakage.

Continuous monitoring ensures that compliance status is always current rather than limited to point-in-time assessments. Learn more about the UpGuard platform.
