ISO27001 Management of Removable Computer Media

The standard requires the organization to control removable computer media, such as tapes, disks, cassettes and printed reports, so as to prevent damage, theft or unauthorized access. ISO27002 recommends that the following documented procedures be included in the ISMS:

1. The previous contents of any reusable media that are to be removed from the organization should be erased. The erasure must cover the whole of the media, not simply what appears to be the existing content; otherwise there is a danger that information may leak to the outside world.

2. Authorization should be required for all media that are to be removed from the building, and an audit trail should be retained. Some media, such as back-up tapes, are removed on a daily basis, and the authorization for such standard removals should be documented in the ISMS. Other media, such as USB sticks, are more easily portable, and the organization’s overall policy on these will need to be determined.

3. All media should be securely and safely stored in line with the manufacturer’s recommendations. Media safes that have an appropriate fire resistance should be installed. Library procedures should be considered to ensure that media are properly tracked and controlled.

4. Information that is likely to be required beyond the lifetime of the media (check the manufacturer’s statement about media longevity) needs appropriate arrangements, including alternative storage, to ensure its future availability and to avoid the impact of media degradation.

