A.7.10 Storage Media
What is A.7.10 Storage Media?
ISO 27001:2022 control A.7.10 Storage Media requires organisations to manage storage media through their life cycle (acquisition, use, transportation and disposal) in line with the organisation's classification scheme and handling requirements. In practice the highest-risk population is removable media: USB drives, external hard drives and other portable storage can carry data out, or malware in, without ever touching the network controls that inspect internet and email traffic. In Microsoft 365 environments the technical side of the control is implemented with BitLocker To Go enforcement (denying write access to removable drives that are not BitLocker-protected) and Microsoft Defender for Endpoint Device Control policies that block or restrict removable storage at the Windows device layer, independently of file-system permissions, rather than in the hardware itself.
How to implement A.7.10 in Microsoft 365
Implement A.7.10 by configuring an Intune Endpoint security > Disk encryption (BitLocker) policy with the removable drive settings: enable "Deny write access to removable drives not protected by BitLocker" and "Deny write access to devices configured in another organisation". Unencrypted USB drives then mount read-only, so users must turn on BitLocker To Go before they can write data, with recovery keys escrowed to Microsoft Entra ID (formerly Azure AD). Note that the cross-organisation setting compares the drive's BitLocker identification field with the one set for your organisation, so it must be deployed together with the BitLocker identification field setting; without it, every drive looks foreign. Deploy Microsoft Defender for Endpoint Device Control policies (Intune Endpoint security > Attack surface reduction > Device control) to block removable storage by default, per CIS WCP 7.3, with a documented exception process that allowlists business-approved devices by serial number or vendor/product ID. Keep an audit entry alongside the block rule so that denied access attempts are logged and can be produced as evidence.
Establish media handling procedures including labelling, chain of custody, and secure disposal methods appropriate to data classification (physical destruction for Highly Confidential).
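The following PowerShell is an added example, not code from the original page or from Microsoft. It does three things a practitioner would want at this step: checks on an endpoint that the two BitLocker removable drive settings described above have actually landed, builds an encrypted-media register snapshot from what is physically plugged in, and generates the groups and rules XML for a Defender Device Control block-by-default policy with a serial-number allowlist. Assumptions not stated on the page: the FVE policy registry value names (RDVDenyWriteAccess, RDVDenyCrossOrg), the Device Control XML schema used in the here-strings, and the allowlisted serial numbers, which are constructed sample data.

```powershell
# Added example, not from the original page: verify the A.7.10 removable-media
# settings on an endpoint, snapshot attached removable media for the register,
# and generate a Defender Device Control block-by-default policy with an allowlist.
# Assumptions: FVE registry value names, the Device Control groups/rules XML
# schema, and the sample serial numbers (constructed data, not real devices).

function Test-RemovableBitLockerPolicy {
    # Intune and GPO BitLocker settings are written under the FVE policy key
    # (assumption: value names RDVDenyWriteAccess and RDVDenyCrossOrg).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyWriteToUnencrypted = ([int]$fve.RDVDenyWriteAccess -eq 1)   # R1 evidence
        DenyWriteCrossOrg      = ([int]$fve.RDVDenyCrossOrg -eq 1)
    }
}

function Get-RemovableMediaRegister {
    # One row per attached removable volume: endpoint-sourced evidence for the
    # encrypted-media register (M1) rather than self-reported status.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '^[A-Z]$' } |
        ForEach-Object {
            $mp  = "$($_.DriveLetter):"
            # Returns a volume object even when BitLocker is off (ProtectionStatus 'Off');
            # null only if the cmdlet is unavailable or the caller lacks rights.
            $blv = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Host             = $env:COMPUTERNAME
                MountPoint       = $mp
                Label            = $_.FileSystemLabel
                SizeGB           = [math]::Round($_.Size / 1GB, 1)
                ProtectionStatus = if ($blv) { "$($blv.ProtectionStatus)" } else { 'Unknown' }
                KeyProtectors    = if ($blv) { $blv.KeyProtector.KeyProtectorType -join ',' } else { '' }
                CheckedAt        = (Get-Date).ToString('s')
            }
        }
}

function New-DeviceControlPolicy {
    # Builds the two XML documents Device Control consumes: a groups file
    # (all removable media, plus the allowlist) and a rules file that denies
    # read/write/execute (AccessMask 7) to the first group minus the second,
    # with an AuditDenied entry so blocked attempts raise an event (Options 3).
    param([string[]]$AllowedSerialNumbers)
    $blockGroup = "{$([guid]::NewGuid())}"
    $allowGroup = "{$([guid]::NewGuid())}"
    $serialXml  = ($AllowedSerialNumbers | ForEach-Object { "      <SerialNumberId>$_</SerialNumberId>" }) -join "`n"
    $groups = @"
<Groups>
  <Group Id="$blockGroup" Type="Device">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <Group Id="$allowGroup" Type="Device">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
$serialXml
    </DescriptorIdList>
  </Group>
</Groups>
"@
    $rules = @"
<PolicyRules>
  <PolicyRule Id="{$([guid]::NewGuid())}">
    <Name>A.7.10 block removable storage unless allowlisted</Name>
    <IncludedIdList><GroupId>$blockGroup</GroupId></IncludedIdList>
    <ExcludedIdList><GroupId>$allowGroup</GroupId></ExcludedIdList>
    <Entry Id="{$([guid]::NewGuid())}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>7</AccessMask>
    </Entry>
    <Entry Id="{$([guid]::NewGuid())}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>7</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
"@
    @{ Groups = $groups; Rules = $rules }
}

# Constructed sample allowlist; real serials come from the approved-device register.
$policy = New-DeviceControlPolicy -AllowedSerialNumbers @('0123456789ABCDEF', 'FEDCBA9876543210')
$policy.Groups | Set-Content -Path .\DeviceControlGroups.xml -Encoding UTF8
$policy.Rules  | Set-Content -Path .\DeviceControlRules.xml  -Encoding UTF8

Test-RemovableBitLockerPolicy | Format-List
Get-RemovableMediaRegister    | Export-Csv -Path .\media-register.csv -NoTypeInformation
```

Run it elevated on a managed endpoint. The register CSV and the two boolean policy checks are the kind of point-in-time evidence an auditor accepts for R1 and M1; the generated XML is what the Group Policy "Define device control policy groups/rules" settings or an Intune Device Control profile consume, and the allowlist group is the technical counterpart of the exception register, so the two must be kept in step.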
What an auditor checks for A.7.10
- Auditors will verify that an Intune disk encryption (BitLocker) policy exists with removable drive settings configured to deny write access to drives not protected by BitLocker, and that it is assigned to the device groups in scope.
- They will check for Device Control policies blocking USB storage with appropriate exception handling.
- Auditors will review the encrypted media register to confirm approved devices are tracked with encryption status and custodian assignment.
- They will examine disposal certificates and logs to verify secure destruction methods appropriate to data classification.
- Auditors will check incident records for any lost or stolen media reports and confirm timely investigation.
What your auditor expects for A.7.10
- Control: A.7.10 (Storage Media), ISMS Sections 2 to 4
- Related Controls: A.8.24 (Encryption), A.7.7 (Clear Desk), A.7.14 (Disposal)
- Evidence Tabs:
  - R1: BitLocker Removable Policy (deny write to unencrypted)
  - R2: Device Control Policies (USB audit)
  - R3: ASR USB Rules (block untrusted processes)
  - M1: Encrypted Media Management
  - M2: Media Disposal Procedures
  - M3: Lost Media Incidents
Related controls
- [A.8.24 (Use of cryptography - BitLocker)](/controls/a-8-24 (use of cryptography - bitlocker)/)
- [A.7.7 (Clear desk - media storage)](/controls/a-7-7 (clear desk - media storage)/)
- [A.7.14 (Secure disposal - media destruction)](/controls/a-7-14 (secure disposal - media destruction)/)
- [A.6.3 (Awareness training)](/controls/a-6-3 (awareness training)/)
M365 capabilities that implement this control
Microsoft-managed media storage, sanitization, and disposal procedures