
ISO/IEC 27040:2015 and Data Erasure


The ISO/IEC 27040:2015 standard provides a detailed framework of security techniques applicable to information storage. It establishes guidelines and principles for implementing, maintaining and improving storage security, covering the confidentiality, integrity and availability of stored data.

Key Requirements of the Standard

Storage Security Management

  • Definition and Scope: This aspect covers the need for effective storage security management, including the identification of storage assets and the classification of the data they hold. It emphasizes the importance of protecting data at rest, in transit and during disposal.
  • Implementation: Organizations must develop and implement policies and procedures that ensure the protection of stored information, ranging from data encryption to physical and logical access control.

Information Sanitization and Secure Erasure

  • Definition and Scope: ISO/IEC 27040:2015 specifies the requirements for information sanitization, ensuring that data is erased in such a way that it cannot be recovered or reconstructed.
  • Implementation: Secure erasure and media destruction methods must be established that comply with international sanitization standards, ensuring that sensitive information is irretrievable once the decision to dispose of it has been made.

Verification, Documentation and Compliance

Security Audits and Assessments

  • The standard requires regular audits and security assessments to be conducted in order to verify the effective implementation of storage security policies and controls.
  • These reviews must be properly documented, providing records that demonstrate compliance with storage security procedures and the effectiveness of the data sanitization measures applied.

Demonstration of Compliance

  • Documentation and audit records serve as key evidence during compliance and certification assessments. This includes evidence of proper handling and secure erasure of stored information, as well as the implementation of access controls and encryption.
  • Maintaining detailed and up-to-date documentation is essential to demonstrate compliance with ISO/IEC 27040:2015 and to support the continuous improvement of storage security practices.