A.7.10 — Is removable media (USB, portable drives) controlled, encrypted and tracked?
Demonstrate that removable media usage is restricted to authorized devices, all media containing organizational data is encrypted, and a complete inventory with lifecycle tracking is maintained.
Description
What this control does
This control ensures that removable media devices such as USB flash drives, external hard drives, and portable storage are inventoried, authorized before use, encrypted to protect data at rest, and tracked throughout their lifecycle. Organizations implement technical controls (device control software, mandatory encryption) and administrative processes (media registers, approval workflows) to prevent unauthorized data exfiltration, malware introduction, and data loss from lost or stolen devices. The control applies to both organization-owned and personal removable media used in corporate environments.
Control objective
What auditing this proves
Demonstrate that removable media usage is restricted to authorized devices, all media containing organizational data is encrypted, and a complete inventory with lifecycle tracking is maintained.
Associated risks
Risks this control addresses
- Unauthorized data exfiltration by insiders copying sensitive files to unencrypted USB drives
- Malware introduction through infected removable media bypassing network security controls
- Data breach resulting from loss or theft of unencrypted portable drives containing customer or business data
- Shadow IT proliferation through untracked personal storage devices accessing corporate systems
- Intellectual property theft via unauthorized copying to untraceable removable media
- Compliance violations when regulated data is stored on unencrypted, untracked devices
- Forensic investigation failure due to inability to identify which devices accessed specific systems or data
Testing procedure
How an auditor verifies this control
- Obtain and review the removable media policy including authorization procedures, encryption requirements, and acceptable use restrictions
- Request the current removable media inventory register and verify it includes device identifiers, assigned owners, approval records, and encryption status
- Review endpoint protection or device control system configurations to confirm technical enforcement of removable media restrictions
- Select a sample of 10-15 endpoints across different departments and verify device control policies are actively deployed and preventing unauthorized media
- Attempt to connect an unauthorized USB device to a sample workstation to validate that the technical controls block or log the connection
- Examine encryption validation records for a sample of registered removable media devices to confirm mandatory encryption is applied
- Review access logs or security event data for removable media usage over the past 90 days to identify any unauthorized device connections or policy violations
- Interview IT support staff to verify processes for approving new removable media requests and decommissioning returned or lost devices
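As an added example (not part of the original control text), the following Python reconciles constructed removable-media connection events against a constructed media register, in the way an auditor would carry out the 90-day log review and register check above; the register fields, the log line format and the device identifiers are all assumptions.

```python
# Added example: reconcile removable-media connection events against the
# media register. Register fields, log format and IDs are assumptions.
from datetime import datetime, timedelta

# Constructed sample register: identifier, assigned owner, approval status
# and encryption status, the fields the testing procedure expects to find.
REGISTER = {
    "USB-0001": {"owner": "alice", "approved": True, "encrypted": True},
    "USB-0002": {"owner": "bob", "approved": True, "encrypted": False},
    "USB-0003": {"owner": "carol", "approved": False, "encrypted": True},
}

# Constructed sample events, one per line: "<ISO timestamp> <host> <device_id>".
EVENTS = """\
2024-05-01T09:12:00 WS-FIN-01 USB-0001
2024-05-03T14:20:00 WS-HR-07 USB-0002
2024-05-04T08:05:00 WS-ENG-12 USB-0003
2024-05-05T16:45:00 WS-ENG-03 USB-9999
2023-11-20T10:00:00 WS-FIN-01 USB-9999
"""

# Constructed review date; the 90-day window is counted back from here.
REVIEW_DATE = datetime(2024, 5, 10)

def parse_events(text):
    """Yield (timestamp, host, device_id) tuples from the constructed log."""
    for line in text.splitlines():
        ts, host, dev = line.split()
        yield datetime.fromisoformat(ts), host, dev

def audit_media_events(events_text, register, now, window_days=90):
    """Return (timestamp, host, device_id, finding) for each policy violation
    inside the review window: device not in the register, registered but not
    approved, or approved but recorded as unencrypted."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for ts, host, dev in parse_events(events_text):
        if ts < cutoff:
            continue  # outside the 90-day review period
        entry = register.get(dev)
        if entry is None:
            findings.append((ts, host, dev, "not in register"))
        elif not entry["approved"]:
            findings.append((ts, host, dev, "registered but not approved"))
        elif not entry["encrypted"]:
            findings.append((ts, host, dev, "approved but unencrypted"))
    return findings
```

Each finding maps to a specific evidence gap in the register or the device control enforcement, so the output can be handed back to IT support as the list of devices whose approval or encryption records need correction.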