ISO 27001 Annex : A.8.3 Media Handling

The objective of ISO 27001 Annex A.8.3 Media Handling is to prevent the unauthorized release, alteration, deletion or destruction of information stored on media.

A.8.3.1 Management of Removable Media

Control- Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

Implementation Guidance- The following guidelines should be considered for the management of removable media:

  1. If no longer needed, the contents of any reusable media that are to be removed from the organization should be made unrecoverable;
  2. Where applicable and practicable, authorization should be required for the removal of media from the organization, and a record of such removals should be kept to preserve the audit trail;
  3. All media should be stored in a safe, secure environment, in accordance with the manufacturers' specifications;
  4. Where the confidentiality or integrity of the data is important, cryptographic techniques should be used to protect the data on removable media;
  5. Where stored data is still needed, it should be transferred to fresh media before the original media becomes unreadable, to reduce the risk of data loss through media degradation;
  6. Multiple copies of important data should be stored on separate media to further reduce the risk of accidental damage or loss;
  7. Registration of removable media should be considered to limit the opportunity for data loss;
  8. Removable media drives should be enabled only where there is a business reason to do so;
  9. Where there is a need to use removable media, the transfer of information to such media should be monitored.

Where removable media must be used, the transfer of information to such devices should be monitored, and the procedures and authorization levels should be documented.

A.8.3.2 Disposal of Media

Control- Media that is no longer required should be disposed of securely, following formal procedures.

Implementation Guidance- Formal procedures for the secure disposal of media should be established to reduce the risk of sensitive information leaking to unauthorized persons. The procedures for the secure disposal of media containing sensitive information should be proportionate to the sensitivity of that information.

The following should be taken into account:

  1. Media containing confidential information should be stored and disposed of securely, e.g. by incineration or shredding, or by erasing the data before the media is reused by another application within the organization;
  2. Procedures should be in place to identify the items that may require secure disposal;
  3. It may be easier to arrange for all media items to be collected and disposed of securely than to attempt to separate out only the sensitive items;
  4. Many organizations offer media collection and disposal services; care should be taken to select a suitable external party with adequate controls and experience;
  5. The disposal of confidential items should be logged in order to maintain an audit trail.

The aggregation effect should be considered when media are accumulated for disposal: a large quantity of information gathered in one place can become sensitive, and a more attractive target, even where the individual items are not.

Secure disposal depends on first identifying the organization's assets and maintaining an inventory of them; only then can each item be disposed of according to its classification.

Other Information- Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded.

A.8.3.3 Physical Media Transfer

Control- Information media should be protected from unauthorized access, misuse or corruption during transportation.

Implementation Guidance- To protect media containing information during transport, the following guidelines should be considered:

  1. Reliable transport or couriers should be used;
  2. Management should agree on a list of authorized couriers;
  3. Procedures should be established for verifying the identification of couriers;
  4. Packaging should be sufficient to protect the contents from physical damage likely to occur in transit and from environmental factors, such as exposure to heat, humidity or electromagnetic fields, that could reduce the chance of recovering the data from the media;
  5. Logs should be kept identifying the content of the media, the protection applied, the times of transfer to the transit custodians, and receipt at the destination.

Other Information- Information may be vulnerable to unauthorized access, misuse or corruption during physical transport, e.g. when media is sent by mail or courier. In this control, media includes paper documents. When confidential information on the media is not encrypted, additional physical protection of the media should be considered.
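The transfer log described in guideline 5 above, together with the authorized-courier check in guidelines 2 and 3, can be kept as a small register. The following is an added illustration, not text from the ISO standard or code from Infosavvy; the courier names and media identifiers are constructed sample values, and the hash chain is an assumed tamper-evidence measure, not something the control requires.

```python
# Added example (not from the ISO text): a minimal physical media transfer
# register for A.8.3.3. Each entry records what the media holds, the
# protection applied, the courier (checked against the list management
# agreed) and dispatch/receipt times. Entries are hash-chained so that an
# altered or deleted entry is detected when the log is audited.
import hashlib
import json
from datetime import datetime, timezone

# Assumption: this is the courier list management agreed on (constructed values).
AUTHORIZED_COURIERS = {"SecureCourier Ltd", "Internal Mailroom"}


class TransferRegister:
    def __init__(self):
        self.entries = []

    def _append(self, record):
        # Link the entry to its predecessor and seal it with a SHA-256 digest.
        record["prev_hash"] = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        record["hash"] = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append(record)
        return record

    def dispatch(self, media_id, content, classification, encrypted, physical_protection, courier):
        if courier not in AUTHORIZED_COURIERS:
            raise ValueError(f"courier not on the authorized list: {courier}")
        # Unencrypted confidential media needs additional physical protection.
        if classification == "confidential" and not encrypted and not physical_protection:
            raise ValueError("unencrypted confidential media requires physical protection")
        return self._append({
            "event": "dispatch", "media_id": media_id, "content": content,
            "classification": classification, "encrypted": encrypted,
            "physical_protection": physical_protection, "courier": courier,
            "time": datetime.now(timezone.utc).isoformat(),
        })

    def receive(self, media_id, custodian):
        # Receipt at the destination must refer to a recorded dispatch.
        if not any(e["event"] == "dispatch" and e["media_id"] == media_id for e in self.entries):
            raise ValueError(f"no dispatch record for {media_id}")
        return self._append({"event": "receipt", "media_id": media_id, "custodian": custodian,
                             "time": datetime.now(timezone.utc).isoformat()})

    def verify_chain(self):
        # Recompute every digest; any edited field or broken link returns False.
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True)
            if e["prev_hash"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```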

Questions related to this topic
  1. What are the controls of ISO 27001 Annex A.8.3 Media Handling?
  2. Explain A.8.3.1 Management of Removable Media.
  3. Explain A.8.3.2 Disposal of Media.
  4. Explain A.8.3.3 Physical Media Transfer.
  5. What is ISO 27001 Annex A.8.3 Media Handling?

This blog article is posted by Infosavvy, Borivali West, Mumbai, Maharashtra 400092