
ISO 27040 Media Sanitization Requirements To Maintain Data Security

Written by Shuja Khan

Updated on Jun 23, 2022

3 min read

The ISO 27040 standard provides a detailed framework for data storage security controls, emphasizing data confidentiality, the associated risks, compliance, and the need for a media sanitization practice. This article gives an in-depth overview of the standard and explores what it prescribes for media sanitization approaches and techniques.


ISO 27040 offers comprehensive guidance to organizations in identifying acceptable levels of risk mitigation through a well-documented and robust approach to the documentation, planning, design, and implementation of data storage security. The standard outlines common risks to the security, availability, and integrity of data held on storage devices. It also addresses information security controls for data protection and security assurance through assessment and audits of information security measures.

History

It is the first international standard that addresses a holistic and comprehensive range of storage security perspectives. Research work on formulating the standard started in 2010 after the SC27 conference, and the ISO/IEC 27040 standard was published on January 5th, 2015. It is a detailed standard of more than 120 pages explaining data storage security and media sanitization protocols. At present, the revised Working Draft of the standard is at its second stage and is slated to be published in 2022.

ISO 27040 Scope & Objectives

ISO/IEC 27040:2015 provides technical guidance on the threat, design, and control aspects associated with typical data storage scenarios. It defines storage security as the protection of information at the point of storage and during transfer across the communication links related to storage. Under this definition, storage security covers the protection of devices, media, applications, and services, both while they are in use and while they are at rest. Storage security matters to everyone who owns, operates, or uses storage devices.

The three primary objectives of the ISO 27040 standard are:

  • Draw attention to the risks associated with data storage technologies.
  • Assist organizations in improving the security of stored information using stringent information security controls.
  • Provide a basis for auditing, designing, and reviewing storage security controls.

The standard covers a wide range of topics with respect to storage: its types, security risks, data reliability, retention, compliance, and sanitization. Under section 6.8.1, the standard defines data sanitization and covers media-based sanitization, logical sanitization, and proof and verification of sanitization.

Media Sanitization: A Core Requirement [Section 6.8.1]

The ISO 27040 standard specifies media sanitization as the best practice for destroying data held on different storage media and thereby ensuring data storage security. It is the only international standard that addresses media sanitization in such detail, naming data wiping methods and techniques such as clear, purge, and destroy. The standard defines sanitization as a process of data destruction that renders data inaccessible on devices at the end of their life or during transfer. Sanitization ensures that there is no data leakage and prevents data breaches when organizations resell, donate, repurpose, or discard storage devices.

Media-Based Sanitization [Section 6.8.1.2]

The standard recommends that organizations follow Annex A to sanitize each specific media type. It defines several media sanitization techniques, namely Clear (overwriting), Purge (block erase and cryptographic erasure), and Physical Destruction (disintegrate, incinerate, melt, pulverize, or shred), to help organizations and vendors choose the most suitable option for the media at hand.

Here are some of the recommendations for media sanitization specific to each media type as defined in the standard:

| Media Type | Clear | Purge | Destroy |
|---|---|---|---|
| Papers and microforms | N/A | N/A | Destroy paper with cut shredders; burn microforms. |
| Routers and switches | Perform a manufacturer's reset to return the device to its factory default settings. | Check whether the media has a Purge capability to perform data rewriting or block erase. | Shred, disintegrate, pulverize, or incinerate in a licensed incinerator. |
| Mobile devices | Select the full sanitize option for iOS and Android devices; delete and perform a factory reset for other mobile devices; or overwrite using certified data eraser software. | Overwrite or block erase if the device supports a Purge capability. | Same as above. |
| Office equipment such as printers, fax machines, or multifunction devices | Perform a manufacturer reset to restore factory default settings. | Check whether the device has a Purge capability to execute media-dependent techniques such as overwriting, block erase, or cryptographic erase. | Same as above. |
| Magnetic media such as floppy disks, ATA/SCSI HDDs, or SSHDs | Overwrite using a certified data eraser tool. | Overwrite with dedicated sanitize commands (Overwrite EXT, Crypto Erase, SECURITY ERASE UNIT), degauss, or disassemble and degauss the enclosed platters. | Same as above. |
| Peripherally attached media (USB, FireWire, etc.) | Overwrite using a certified data eraser tool. | Check whether the media has a Purge capability to perform overwriting, block erase, or cryptographic erase. | Same as above. |
| ATA SSDs | Overwrite using a certified tool; use the SECURITY ERASE UNIT command if supported. | Secure data erasure with dedicated sanitize commands (Block Erase, or Cryptographic Erase through the TCG Opal SSC or Enterprise SSC interface). | Shred, disintegrate, pulverize, or incinerate in a licensed furnace. |
| SCSI SSDs (SCSI, SAS, Fibre Channel, USB Attached Storage, SCSI Express) | Media overwriting with a certified tool. | Overwrite with dedicated sanitize commands (BLOCK ERASE, CRYPTO ERASE). | Same as above. |
| NVM Express SSDs | Overwrite using a certified data eraser tool. | Overwrite with dedicated sanitize commands (NVM Express Format command, Cryptographic Erase). | Shred, disintegrate, pulverize, or incinerate in a licensed furnace. |
| Optical media such as CD, DVD, and BD | N/A | N/A | Destroy data using an optical disc grinding device, incinerate at a licensed facility, or use an optical disc media shredder. |
| Flash media (USB sticks, memory cards) | Overwrite using a certified data eraser tool. | Not supported (refer to the manufacturer for any supported commands for USB devices). | Shred, disintegrate, pulverize, or incinerate in a licensed furnace. |

Maintain a Record or Proof of Sanitization [Section 6.8.1.4]

The standard, in line with the NIST guidelines for media sanitization, specifies the importance of proof of sanitization. It names two forms of proof: an audit log trail and a certificate of sanitization. It requires organizations to maintain a record of sanitization activities that documents which media were sanitized, when, and how. The standard further explains how these documents help reduce the risk of penalties and data breach notifications by supporting compliance goals. A certificate of sanitization guarantees that data was destroyed with due diligence and cannot be recovered from the erased devices even with advanced forensic techniques. As per the standard, the certificate of sanitization should include hardware and process details such as Manufacturer, Model, Serial Number, Media Type, and Media Source, along with the Sanitization Description, Method, Tool Used, Verification Method, and Validation details.

Verify the Media Sanitization Process [Section 6.8.1.5]

The standard states that the goal of the verification process is to assure that the target data has been effectively sanitized. Verification is achieved by a full read of all accessible areas to confirm that every addressable location holds the expected sanitized value. The standard specifies two types of verification process:

  • Full Verification: a complete read of all addressable locations on the sanitized device, if time and external factors permit.
  • Representative Sampling: a read of a selected subset of the media or of pseudorandom locations.

Cryptographic erasure has different verification considerations from the procedures above, because the data remaining after cryptographic erasure may not be known. The standard states that verification of cryptographic erasure may be skipped if read access is not possible.
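The two sections above (the proof-of-sanitization record in 6.8.1.4 and the full, sampled and cryptographic-erase verification modes in 6.8.1.5) fit together naturally in code, so the following added example, which is not part of the original article and is not BitRaser's own code, shows both on a simulated device. The device is a constructed byte string of 16 logical blocks with a hypothetical 512-byte block size; `full_verification` reads every block, `sampled_verification` reads a seeded pseudorandom subset, and `verify_sanitization` applies the cryptographic-erase rule (skip when the media cannot be read; otherwise check only that known pre-erase content is gone, since the post-erase value is not known). `certificate_of_sanitization` then builds a record with the fields the standard lists and seals it with an HMAC so that later edits to the record are detectable. The field names, the sample device identifiers and the signing key are all constructed for the example.

```python
import hashlib
import hmac
import json
import random
from typing import Optional

# Hypothetical logical block size for the simulated media; a real tool reads it from the device.
BLOCK_SIZE = 512


def _block_count(media: bytes) -> int:
    return (len(media) + BLOCK_SIZE - 1) // BLOCK_SIZE


def _block_holds(media: bytes, index: int, expected: int) -> bool:
    """True if every byte of block `index` equals the expected sanitized value."""
    block = media[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    return all(b == expected for b in block)


def full_verification(media: bytes, expected: int = 0x00) -> dict:
    """Section 6.8.1.5 full verification: read every addressable block and compare."""
    total = _block_count(media)
    failed = [i for i in range(total) if not _block_holds(media, i, expected)]
    return {"method": "full", "blocks_read": total, "failed_blocks": failed, "passed": not failed}


def sampled_verification(media: bytes, expected: int = 0x00, fraction: float = 0.1, seed: int = 0) -> dict:
    """Representative sampling: read a pseudorandom subset of blocks. A failure is conclusive;
    a pass is weaker evidence than a full read, so the sample taken is recorded too."""
    total = _block_count(media)
    count = max(1, int(total * fraction))
    chosen = sorted(random.Random(seed).sample(range(total), count))
    failed = [i for i in chosen if not _block_holds(media, i, expected)]
    return {"method": "sampled", "blocks_read": count, "sampled_blocks": chosen,
            "failed_blocks": failed, "passed": not failed}


def verify_sanitization(media: Optional[bytes], method: str = "full", crypto_erase: bool = False,
                        marker: Optional[bytes] = None, expected: int = 0x00) -> dict:
    """Pick the verification the standard allows for the sanitization that was performed."""
    if not crypto_erase:
        return full_verification(media, expected) if method == "full" else sampled_verification(media, expected)
    if media is None:
        # Cryptographic erase with no read access: the standard permits skipping verification.
        return {"method": "crypto-erase", "blocks_read": 0, "failed_blocks": [], "passed": None,
                "note": "read access not possible; verification skipped"}
    # Readable after cryptographic erase: the contents are ciphertext with no known expected value,
    # so the only check possible is that known pre-erase content (a marker) can no longer be found.
    hit = media.find(marker) if marker else -1
    return {"method": "crypto-erase", "blocks_read": _block_count(media),
            "failed_blocks": [hit // BLOCK_SIZE] if hit >= 0 else [], "passed": hit < 0}


def _seal(record: dict, key: bytes) -> str:
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def certificate_of_sanitization(device: dict, sanitization: dict, verification: dict,
                                issued_at: str, signing_key: bytes) -> dict:
    """Section 6.8.1.4 record: hardware details, process details and the verification outcome,
    sealed with an HMAC over the canonical JSON so that any later edit is detectable."""
    record = {
        "device": device,              # manufacturer, model, serial_number, media_type, media_source
        "sanitization": sanitization,  # description, method, tool
        "verification": {k: verification[k] for k in ("method", "blocks_read", "passed")},
        "issued_at": issued_at,
    }
    record["hmac_sha256"] = _seal(record, signing_key)
    return record


def certificate_is_authentic(record: dict, key: bytes) -> bool:
    unsigned = {k: v for k, v in record.items() if k != "hmac_sha256"}
    return hmac.compare_digest(_seal(unsigned, key), record.get("hmac_sha256", ""))


# Constructed sample media: 16 blocks. CLEAN_MEDIA is fully zeroed; DIRTY_MEDIA still holds
# residual data in block 5, as an incomplete overwrite would leave it.
CLEAN_MEDIA = bytes(16 * BLOCK_SIZE)
_dirty = bytearray(CLEAN_MEDIA)
_dirty[5 * BLOCK_SIZE + 100:5 * BLOCK_SIZE + 120] = b"customer record 0042"
DIRTY_MEDIA = bytes(_dirty)

# Constructed sample identifiers; in practice the signing key comes from a key store, not source code.
SAMPLE_DEVICE = {"manufacturer": "ExampleCorp", "model": "EX-100", "serial_number": "SN-000001",
                 "media_type": "ATA SSD", "media_source": "finance department laptop"}
SAMPLE_KEY = b"example-signing-key"

if __name__ == "__main__":
    result = verify_sanitization(DIRTY_MEDIA)  # full read; block 5 fails
    cert = certificate_of_sanitization(
        SAMPLE_DEVICE, {"description": "purge", "method": "block erase", "tool": "example-tool"},
        result, "2022-06-23T00:00:00Z", SAMPLE_KEY)
    print(json.dumps(cert, indent=2))
    print("authentic:", certificate_is_authentic(cert, SAMPLE_KEY))
```

Two design points worth noting. A sampled pass is recorded together with the blocks that were sampled, so an auditor can see how much of the device the evidence actually covers; and the certificate carries the verification outcome inside the sealed body, so a failed verification cannot later be flipped to a pass without invalidating the HMAC.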

Conclusion

ISO/IEC 27040:2015 acts as a benchmark standard that guides organizations in mitigating the risks associated with data storage and strengthens organizational efforts toward better data protection and security. As storage technology evolves, data volumes grow exponentially, and data breaches become more frequent, the need to adopt and comply with the information security controls recommended by the standard will only grow in importance. Furthermore, with media sanitization so clearly spelled out in the standard, organizations will be more aware, prepared, and confident in executing IT asset disposition in a safe, compliant, and secure manner.

Certified data eraser software like BitRaser is well suited to performing secure and permanent data wiping in line with NIST 800-88 and other global erasure standards. BitRaser generates a certificate of sanitization and performs verification of the sanitization process as recommended in the ISO/IEC 27040:2015 standard. Since the current version of ISO/IEC 27040:2015 aligns with the NIST 800-88 data sanitization guidelines, a NIST-tested and compliant tool like BitRaser is a natural first choice for media sanitization in organizations that need compliance and data security to mitigate risk.

FAQs

Q1: What is the ISO/IEC 27040:2015 standard?

ISO 27040 offers comprehensive guidance to organizations in identifying acceptable levels of risk mitigation through a well-documented approach to the documentation, planning, design, and implementation of data storage security. The standard outlines common risks to the security, availability, and integrity of data held on storage devices.

Q2: What is the scope of ISO 27040?

ISO 27040 provides technical guidance on the threat, design, and control aspects associated with typical data storage scenarios. It defines storage security as the protection of information at the point of storage and during transfer across the communication links related to storage.

Q3: What are the three primary objectives of ISO 27040?

The three primary objectives of the ISO 27040 standard are:

  • Draw attention to the risks associated with data storage technologies.
  • Assist organizations in improving the security of stored information.
  • Provide a basis for auditing, designing, and reviewing storage security controls.

Q4: What are the media sanitization requirements specified by ISO 27040?

The ISO 27040 standard specifies media sanitization as the best practice for destroying data held on different storage media and thereby ensuring data storage security. It is the only international standard that addresses media sanitization in such detail, naming data wiping methods and techniques such as clear, purge, and destroy, along with the need for proof of sanitization and verification of the sanitization process.

Q5: What is Annex A as outlined in the ISO 27040 standard?

The standard recommends that organizations follow Annex A to sanitize each specific media type. The Annex defines several media sanitization techniques, namely Clear (overwriting), Purge (block erase and cryptographic erasure), and Physical Destruction (disintegrate, incinerate, melt, pulverize, or shred), specific to each media type.
