
ISO 27001: Information Security Management System

ISO/IEC 27001 is the international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). It helps organizations protect information by identifying risks through a risk assessment process and treating them with a managed set of controls.

Access Controls and Removable Media Management

Control A.9.2: User Access Management

  • Definition and scope: This control objective (A.9.2 in Annex A of ISO/IEC 27001:2013) ensures that access to information and information processing facilities is granted only to authorized users. It covers the whole lifecycle of user access rights: registration and de-registration, provisioning, management of privileged access rights, periodic review of access rights, and their removal or adjustment when a user's role or employment changes.
  • Implementation: Organizations should establish, document and review access management procedures. Access rights are assigned in accordance with the organization's access control policy, granted only after appropriate authorization, and revoked promptly when they are no longer needed.

Control A.8.3.1: Management of Removable Media

  • Definition and scope: This control (A.8.3.1 in Annex A of ISO/IEC 27001:2013) deals specifically with the management of removable media. It requires organizations to implement procedures for the safe handling and use of removable media such as USB flash drives, external hard drives and DVDs, which is crucial to prevent the loss, theft or damage of information stored on them.
  • Implementation: Policies and procedures must be established that control the authorization and use of removable media. This includes measures for the secure erasure of data on removable media before disposal or reuse (the subject of the related controls A.8.3.2, Disposal of media, and A.11.2.7, Secure disposal or re-use of equipment), ensuring that sensitive information cannot be recovered by unauthorized users. An erasure is only evidence of compliance if it is verified: the medium should be read back after the overwrite and any block still holding the old data recorded as a failure.
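The read-back verification described above, as an added example that is not Blancco's software or text from the standard. It works on an in-memory image instead of a real block device; the 512-byte block size, the single-pass zero fill and the sample image contents are assumptions for illustration, and it deliberately includes the failure mode of a wipe that was interrupted before every block was overwritten.

```python
"""Verify that a removable medium was actually overwritten before disposal
or reuse, and show the failure mode an auditor should be able to detect.

Added example, not Blancco's software or ISO text. It operates on an
in-memory image rather than a real block device; the 512-byte block size
and the single-pass zero pattern are assumptions for illustration.
"""
import random

BLOCK_SIZE = 512


def _block_pattern(pattern):
    """Expand a short fill pattern to exactly one block."""
    return (pattern * (BLOCK_SIZE // len(pattern) + 1))[:BLOCK_SIZE]


def make_sample_image(blocks=64, seed=7):
    """Constructed sample: a small 'device' image full of pseudo-random user data."""
    rng = random.Random(seed)
    return bytearray(rng.getrandbits(8) for _ in range(blocks * BLOCK_SIZE))


def overwrite(image, pattern=b"\x00", skip_blocks=()):
    """Overwrite every block with the fill pattern. skip_blocks models an
    interrupted or faulty wipe that leaves some blocks untouched."""
    fill = _block_pattern(pattern)
    for i in range(len(image) // BLOCK_SIZE):
        if i in skip_blocks:
            continue
        image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] = fill
    return image


def verify_overwrite(image, pattern=b"\x00"):
    """Read back the whole medium, not a sample, and return the indices of
    blocks that still differ from the fill pattern. An empty list means the
    medium is verified clean."""
    if len(image) % BLOCK_SIZE:
        raise ValueError("image size is not a whole number of blocks")
    fill = _block_pattern(pattern)
    return [i for i in range(len(image) // BLOCK_SIZE)
            if bytes(image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]) != fill]


def erase_and_verify(skip_blocks=()):
    """Wipe the sample image and return the residual block list for the record."""
    image = make_sample_image()
    overwrite(image, skip_blocks=skip_blocks)
    return verify_overwrite(image)


if __name__ == "__main__":
    print("complete wipe, residual blocks:", erase_and_verify())
    print("interrupted wipe, residual blocks:", erase_and_verify(skip_blocks=(3, 40)))
```

The verification reads every block rather than a sample, because a sample can miss exactly the blocks an interrupted wipe skipped. Note that a host-side overwrite like this only covers the logical address space; on flash media (USB sticks, SSDs) wear-levelling can keep copies of data in cells the host never addresses, so the erasure should use the device's own sanitize or secure-erase command and the read-back is then a check of that command's result, not a substitute for it.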

Verification and Documentation

ISO 27001 places great emphasis on adequate documentation of the policies, procedures and controls implemented by the organization. This includes documenting the access management process and the use of removable media to ensure information security practices are followed.

It is essential to carry out periodic reviews and verifications of access rights and of removable media management policies to confirm that they remain effective and compliant with ISMS requirements. A review of access rights compares the rights actually granted in each system with those approved under the access control policy, and any discrepancy (rights granted without authorization, rights retained by users who have left or changed role, approvals that have not been re-certified within the defined interval) is recorded and corrected. This may include internal audits and security reviews to evaluate implementation and compliance with the established controls.
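The access-rights reconciliation just described, as an added example that is not Blancco's or ISO's own tooling. It compares an export of the rights actually granted in a system against the approved register and an HR status feed, and reports each class of nonconformity an auditor would look for. The register and export formats, the HR feed and the 90-day re-certification interval are assumptions for illustration; every record is constructed.

```python
"""Periodic access-rights review: reconcile the rights actually granted
against the approved register and report the nonconformities an auditor
would look for.

Added example, not Blancco's or ISO's own tooling. The register and
export formats, the HR status feed and the 90-day re-certification
interval are assumptions for illustration; every record is constructed.
"""
from datetime import date, timedelta

# Assumed policy value: approvals older than this must be re-certified.
RECERT_INTERVAL = timedelta(days=90)

# Constructed: (user, entitlement) -> date the grant was last approved.
APPROVED = {
    ("alice", "crm:read"): date(2024, 1, 10),
    ("alice", "crm:write"): date(2024, 1, 10),
    ("bob", "crm:read"): date(2023, 6, 1),    # approval well past the interval
    ("carol", "hr:read"): date(2024, 2, 1),
    ("erin", "crm:read"): date(2024, 2, 15),  # approved but never provisioned
}

# Constructed: HR status feed, used to catch leavers who still hold access.
HR_STATUS = {"alice": "active", "bob": "active", "carol": "terminated",
             "dave": "active", "erin": "active"}

# Constructed: export from the target system, one "user,entitlement" per line.
GRANTED_EXPORT = """\
# exported 2024-03-01
alice,crm:read
alice,crm:write
alice,admin:all
bob,crm:read
carol,hr:read
dave,crm:read
"""


def parse_export(text):
    """Parse a comma-separated export into a set of (user, entitlement) pairs."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, entitlement = (field.strip() for field in line.split(",", 1))
        pairs.add((user, entitlement))
    return pairs


def review_access(granted, approved, hr_status, today, interval=RECERT_INTERVAL):
    """Compare granted rights with the approved register and return findings."""
    approved_pairs = set(approved)
    return {
        # granted in the system but never authorized under the access policy
        "unauthorized": sorted(granted - approved_pairs),
        # authorized in the register but not actually provisioned (drift)
        "not_provisioned": sorted(approved_pairs - granted),
        # still granted to users HR no longer lists as active (or does not know)
        "leaver_access": sorted(p for p in granted
                                if hr_status.get(p[0]) != "active"),
        # approvals older than the re-certification interval
        "recert_due": sorted(p for p, approved_on in approved.items()
                             if today - approved_on > interval),
    }


def review_sample(today_iso="2024-03-01"):
    """Run the review over the constructed data; the result is the audit record."""
    granted = parse_export(GRANTED_EXPORT)
    return review_access(granted, APPROVED, HR_STATUS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding, items in review_sample().items():
        print(f"{finding}: {items}")
```

The four finding lists map directly onto the evidence an auditor asks for: the "unauthorized" and "leaver_access" entries are the nonconformities to correct, "not_provisioned" shows drift between the register and the system, and "recert_due" drives the next round of approvals. Users absent from the HR feed are treated as not active on purpose, so an account nobody owns is flagged rather than silently accepted.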

Compliance and Audit

Internal and External Audits

ISO 27001 requires organizations to conduct internal audits at planned intervals to evaluate whether the ISMS conforms to the standard and to the organization's own requirements, and whether specific controls such as user access management and removable media management are effectively implemented. In addition, external audits, carried out by an accredited certification body, are required to obtain and maintain ISO 27001 certification.

Demonstration of Compliance

Detailed documentation and verification records serve as evidence during audits to demonstrate the organization's compliance with ISO 27001. This includes evidence of appropriate access management and security in the use of removable media, as well as actions taken to correct any identified nonconformities.

Importance of Continuous Improvement

The ISO 27001 standard not only focuses on current compliance, but also on continuous improvement of the ISMS. Audits and periodic reviews are opportunities to identify areas for improvement and apply corrective actions to further strengthen information security.
