Checklist of ISO/IEC 27001-A.8.3.1 Management of removable media


As technology continues to advance, the use of removable media devices such as USB sticks, CDs/DVDs, tapes, and removable disk packs has become increasingly popular. 

These devices provide an easy and convenient way to transfer and store information. However, they also pose significant information security risks if not managed appropriately. 

The A.8.3.1 management of removable media control objective in the ISO/IEC 27001:2013 standard provides guidelines for managing removable media to ensure that information is protected against potential risks.

To comply with this control objective, it is essential to review relevant policies, procedures, standards, and practices related to removable media management. 

This article provides a checklist of critical factors that organizations should consider when reviewing their removable media management practices.

Sample Checklist:

Asset Register

  • Is there an up-to-date and complete asset register for all removable media devices used within the organization?
  • Are removable media devices appropriately labeled with classification and serial numbers, where required, and accounted for in the asset register?

Archival Media

  • Are archival media duplicated and verified before deleting the source data?
  • Are archive tapes periodically verified and re-tensioned as per the manufacturer’s specifications, typically annually?

Data Confidentiality

  • Are appropriate controls in place to maintain the confidentiality of stored data, such as encryption where required, limited access to tapes and drives, and secure courier arrangements to transport high-risk media?

Storage Environment

  • Are all removable media devices stored in a safe and secure environment, as per the manufacturer’s specifications?
  • Are there controls in place to prevent unauthorized access to the storage environment, such as physical security measures and access controls?

Authorization and Accountability

  • Are all media movements authorized, with appropriate records kept at each stage?
  • Are removable media devices accounted for when moved from one location to another?


Managing removable media devices is essential to ensure the security and confidentiality of sensitive information. 

Organizations must review their policies, procedures, and practices related to removable media management regularly. 

The checklist provided in this article covers critical factors that organizations should consider when reviewing their removable media management practices. 

By following these guidelines, organizations can minimize the potential risks associated with the use of removable media devices and protect their valuable information assets.
