ISO/IEC 27040:2024 focuses on the protection of data at rest in ICT systems and of data in transit across storage-related communication links. It covers devices, media, management activities, applications and services, and user controls during the lifetime of devices and media and after their end of life. The standard is relevant to managers, storage operators, security operators, and anyone who deals with data management, encryption, backups, virtualization, or any other physical or cloud storage environment. The 2024 edition marks a significant operational shift from the 2015 version. Where the earlier standard was primarily advisory, ISO/IEC 27040:2024 now provides more structured guidance to support the selection and implementation of storage security controls. The revised edition removes the media-specific sanitization guidance that the 2015 publication carried in Annex A and instead adds details in Clause 10, recommending IEEE 2883:2022, the IEEE Standard for Sanitizing Storage, for media-specific techniques. It also introduces a control labelling scheme that distinguishes requirements (labelled ‘R’) from guidance (labelled ‘G’).
The ISO/IEC 27040 standard is comprehensive. To stay within the scope of this article, the sections below cover only the clauses that deal with storage security risks and sanitization.
6.4: Storage Security Risks
Clause 6.4 of ISO/IEC 27040:2024 identifies the major categories of risk arising from an organization’s use of storage systems and infrastructure. Storage risks that are not managed properly can lead to security incidents such as:
- Data breaches
- Data corruption or destruction
- Temporary or permanent loss of access and availability
- Malware attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Failure to meet statutory, regulatory, or legal requirements
- Theft or loss of storage devices
- Improper sanitization or disposal
The standard defines a data breach as "a compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise processed." This definition is wider than many common interpretations, explicitly covering accidental destruction and alteration alongside unauthorized access.
10.6: Storage Sanitization
Clause 10.6 of ISO/IEC 27040:2024 establishes the framework for storage sanitization. The standard distinguishes two kinds: logical storage sanitization and media-based sanitization. In both cases the goal is to render access to the target data infeasible for a given level of effort.
10.6.1: General Controls for Storage Sanitization
- TC-SNTZ-G01: Storage sanitization should be part of data governance, and the decision to sanitize should be driven by the organization’s data classification, with primary focus on sensitive information such as PII, ePHI, customer records, intellectual property, and trade secrets.
- TC-SNTZ-R01: Logical and media-based storage that has held sensitive information shall be sanitized before it is disposed of or transferred out of organizational control. Sanitization should also be performed before media are transferred internally.
- TC-SNTZ-R02: The results of sanitization shall be verified before the storage is disposed of or transferred, to confirm that the organizational risk has actually been addressed.
10.6.2: Selection of Sanitization Methods
Organizations can choose among several sanitization methods depending on whether the storage is logical or media-based. ISO/IEC 27040:2024 defines three methods, each with a different assurance level:
- Clear uses logical techniques on user-addressable storage locations to protect against simple, non-invasive data recovery through the same host interface available to the user. It provides the lowest assurance level.
- Purge uses physical or logical techniques that make recovery infeasible using state-of-the-art laboratory techniques, while preserving the storage in a potentially reusable state. Cryptographic erase is one form of the purge method.
- Destruct applies physical techniques such as disintegration, incineration, melting, pulverizing, or shredding. It provides the highest assurance level and does not apply to logical storage.
Controls for Selection of Sanitization Methods
- TC-SNTZ-R03: The sanitization method selected shall provide at least the minimum acceptable assurance level for the data; a method with a weaker assurance level shall not be substituted for it.
- TC-SNTZ-G02: The candidate sanitization methods should be weighed in terms of cost and environmental impact, and the method chosen should best mitigate the risk to confidentiality while satisfying those other considerations.
10.6.3: Media-Based Sanitization
Clause 10.6.3 addresses sanitization of physical storage media, including HDDs, SSDs, and tape. The standard also requires sanitization across the full range of storage architectures: Direct Attached Storage, block-based storage such as Fibre Channel and IP storage, cloud storage and the Cloud Data Management Interface (CDMI), object-based storage, and virtualized environments. It does not itself provide media-specific guidance and defers to other sources, such as IEEE 2883, for it. The controls are as follows.
Controls for Media-Based Sanitization
- TC-SNTZ-R04: Media shall be sanitized in accordance with organizational policies (for example, policies that adopt IEEE 2883:2022).
- TC-SNTZ-R05: Media-based sanitization shall be verified. Method-specific verification guidance is provided in Clause 10.6.6.
10.6.4: Logical Sanitization
This clause addresses the sanitization of virtualized storage, a domain that presents distinct technical challenges compared to physical media sanitization. In virtualized environments, it is often impossible to identify every physical device on which sensitive data has been written. A single logical unit may span multiple physical drives across multiple storage arrays, and replication for business continuity may have created additional copies in locations opaque to the administrator performing the sanitization.
Controls for Logical Sanitization
- TC-SNTZ-R06: Logical storage shall be sanitized in conformance with acceptable standards. Two approaches are permitted. The first is clear by overwriting: replacing all addressable logical storage space, through the provided interface, with known non-sensitive data (typically zeros). The second is purge by cryptographic erase, applicable only when the data was appropriately encrypted before it was recorded.
- TC-SNTZ-R07: As with TC-SNTZ-R05 for media-based sanitization, logical sanitization operations shall be verified.
- TC-SNTZ-G03: Data protection technologies such as replication and backups are often used with logical storage. Separate sanitization operations should therefore be performed on the storage associated with those mechanisms; otherwise a copy of the data survives outside the sanitized volume.
10.6.5: Cryptographic Erase
This clause defines cryptographic erase (CE) as a sanitization method in which the encryption key protecting the target data is itself sanitized, leaving only ciphertext behind and thereby rendering the data unrecoverable.
Controls for Cryptographic Erase
- TC-SNTZ-R08: For CE to qualify as a valid purge method, all of the following conditions shall be met:
  - All data intended for cryptographic erase shall have been encrypted before it was stored on the media.
  - The strength of the cryptographic algorithm, including its mode of operation, shall be at least 128 bits.
  - The entropy of the encryption key shall be at least equal to the number of bits in the key.
  - All copies of the encryption keys used to encrypt the target data shall be sanitized. Where the data encryption keys were themselves encrypted with wrapping keys, sanitizing the wrapping key is acceptable.
- TC-SNTZ-G05: Organizations relying on cryptographic erase should audit their key management architecture to confirm that destroyed encryption keys cannot be recovered. The practical concern is this: if a copy of the key exists outside the storage device, for example in a key management server or a key escrow service, that copy can be used to decrypt the data, and the erase has not taken effect.
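To make the R08 conditions and the G05 caveat concrete, here is an added example in Go; it is not code from the standard or from this article. It models a volume whose data is encrypted under a data encryption key (DEK) that is itself stored only wrapped under a key encryption key (KEK), performs cryptographic erase by zeroizing the KEK, and then shows that an escrowed copy of the KEK defeats the erase. The `volume` type, the function names, and the escrow copy are constructed for the example; AES-256-GCM from the Go standard library is used as a cipher that meets the 128-bit strength condition.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// volume stands in for an encrypting storage device (constructed for the example):
// data is sealed under a DEK, and the DEK is stored only wrapped under a KEK.
type volume struct{ wrappedDEK, ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM (>= 128-bit strength, as R08 requires) under a fresh nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// open reverses seal (input must come from seal); it fails if the key is wrong or the data was altered.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// zeroize overwrites key material in place: the "sanitize the key" step of CE.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// writeEncrypted meets the first R08 condition: data is encrypted before it is written,
// under a full-entropy 256-bit DEK from a CSPRNG that is zeroized once wrapped under the KEK.
func writeEncrypted(kek, plaintext []byte) (*volume, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zeroize(dek)
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &volume{wrappedDEK: wrapped, ciphertext: ct}, nil
}

// readDecrypted is the normal access path: unwrap the DEK with the KEK, then decrypt.
func readDecrypted(kek []byte, v *volume) ([]byte, error) {
	dek, err := open(kek, v.wrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zeroize(dek)
	return open(dek, v.ciphertext)
}

// cryptoErase sanitizes the wrapping key, which R08 accepts because the DEK exists only
// in wrapped form. The ciphertext stays on the media, unrecoverable without the KEK.
func cryptoErase(kek []byte) { zeroize(kek) }

func main() {
	kek := make([]byte, 32)
	_, _ = rand.Read(kek) // crypto/rand.Read does not fail on a healthy system
	escrow := append([]byte(nil), kek...) // constructed: a copy left in a key escrow (the G05 concern)
	vol, _ := writeEncrypted(kek, []byte("customer record 4711"))
	pt, _ := readDecrypted(kek, vol)
	fmt.Printf("before CE: %q\n", pt)
	cryptoErase(kek)
	_, err := readDecrypted(kek, vol)
	fmt.Println("after CE, device KEK:", err)
	pt, err = readDecrypted(escrow, vol) // the escrowed copy defeats the erase
	fmt.Printf("after CE, escrowed KEK: %q (err=%v)\n", pt, err)
}
```

The point of the last two lines is the G05 audit: zeroizing the device's KEK makes the volume unreadable through the normal path, yet the copy held in escrow still unwraps the DEK and decrypts everything. A cryptographic erase is only complete when every copy of the key, including escrowed and backed-up copies, has been sanitized.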
10.6.6: Verification of Storage Sanitization
Clause 10.6.6 establishes verification as an integral component of any sanitization programme. Verification differs by method.
- For clear or purge methods, the device interface is used to check results.
- For destruct methods, physical inspection is the only option because the storage is unusable by definition.
Controls for Verification of Storage Sanitization
- TC-SNTZ-G06: For clear methods, a representative sample of the storage medium should be read back and checked. The standard refers to IEEE 2883, which provides two sampling options: random sampling of a percentage of the user-addressable area, or dividing the user-addressable area into bands and sampling randomly within each band.
- TC-SNTZ-G07: For purge methods, the full storage medium should be verified. The standard acknowledges that cryptographic erase may leave no verifiable basis for comparison, since destroying the key does not change the content of the media.
- TC-SNTZ-R09: When destruct is used, verification shall be performed by physical inspection, and the outcome shall be compared against an approved standard such as IEEE 2883. If the result is inadequate, the destruct process shall be repeated using an alternative method.
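The overwrite approach of TC-SNTZ-R06 and the verification options of TC-SNTZ-G06 and TC-SNTZ-G07 can be exercised together. The following Go program is an added example, not code from the standard or from this article: it models user-addressable storage as an array of 512-byte logical blocks, clears it by writing zeros through that interface, plants a constructed residual block so the verification is tested against a real failure, and then runs the two IEEE 2883-style sampling strategies summarized under G06 plus the full read-back that G07 asks for. The `device` type, the block size, the seeded generator and all function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"math/rand"
)

const blockSize = 512 // logical block size of the constructed device

// device models the user-addressable area reachable through the host interface as a
// flat array of logical blocks (constructed; a real tool would read and write a block device).
type device struct{ data []byte }

// newDevice returns nBlocks blocks filled with fill, standing in for sensitive data.
func newDevice(nBlocks int, fill byte) *device {
	return &device{data: bytes.Repeat([]byte{fill}, nBlocks*blockSize)}
}

func (d *device) blocks() int              { return len(d.data) / blockSize }
func (d *device) read(lba int) []byte       { return d.data[lba*blockSize : (lba+1)*blockSize] }
func (d *device) write(lba int, b []byte)   { copy(d.data[lba*blockSize:(lba+1)*blockSize], b) }

// clearByOverwrite replaces every user-addressable block with known, non-sensitive
// data (zeros) through the normal interface: the first approach TC-SNTZ-R06 permits.
func clearByOverwrite(d *device) {
	zero := make([]byte, blockSize)
	for lba := 0; lba < d.blocks(); lba++ {
		d.write(lba, zero)
	}
}

// isPattern reports whether a block consists solely of the expected fill byte.
func isPattern(block []byte, fill byte) bool {
	return bytes.Count(block, []byte{fill}) == len(block)
}

// newRNG returns a seeded generator so a verification run can be reproduced.
func newRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// verifyRandomSample reads back a random fraction (0 < fraction <= 1) of the blocks,
// the first sampling option cited by TC-SNTZ-G06, and returns the LBAs that fail.
func verifyRandomSample(d *device, fraction float64, fill byte, rng *rand.Rand) []int {
	n := int(float64(d.blocks())*fraction + 0.5)
	if n < 1 {
		n = 1
	}
	var bad []int
	for _, lba := range rng.Perm(d.blocks())[:n] {
		if !isPattern(d.read(lba), fill) {
			bad = append(bad, lba)
		}
	}
	return bad
}

// verifyBanded divides the user space into bands (>= 1) and samples perBand blocks from
// each, the second option, so a defect confined to one region cannot be skipped entirely.
func verifyBanded(d *device, bands, perBand int, fill byte, rng *rand.Rand) []int {
	var bad []int
	bandLen := d.blocks() / bands
	for b := 0; b < bands; b++ {
		start, end := b*bandLen, (b+1)*bandLen
		if b == bands-1 {
			end = d.blocks() // the last band absorbs any remainder
		}
		k := perBand
		if k > end-start {
			k = end - start
		}
		for _, off := range rng.Perm(end - start)[:k] {
			if lba := start + off; !isPattern(d.read(lba), fill) {
				bad = append(bad, lba)
			}
		}
	}
	return bad
}

// verifyFull reads back every block, the coverage TC-SNTZ-G07 asks for after a purge.
func verifyFull(d *device, fill byte) []int {
	var bad []int
	for lba := 0; lba < d.blocks(); lba++ {
		if !isPattern(d.read(lba), fill) {
			bad = append(bad, lba)
		}
	}
	return bad
}

func main() {
	d := newDevice(1024, 0xA5)
	clearByOverwrite(d)
	d.write(700, []byte("residue")) // constructed defect: a block the overwrite missed
	rng := newRNG(1)
	fmt.Println("random 10% sample, failing LBAs:", verifyRandomSample(d, 0.10, 0x00, rng))
	fmt.Println("banded 8x16 sample, failing LBAs:", verifyBanded(d, 8, 16, 0x00, rng))
	fmt.Println("full verification, failing LBAs:", verifyFull(d, 0x00))
}
```

Running the program shows why the standard pairs sampling with clear but full verification with purge: a 10 % random sample finds the single residual block only one time in ten, banded sampling guarantees that every region is looked at but can still miss an individual block, and only the full read-back reports LBA 700 deterministically. The failing LBAs returned by the verification functions are exactly what belongs in the outcome field of the sanitization certificate described under Clause 10.6.7.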
10.6.7: Proof of Sanitization
The standard states that organizations should maintain a record of sanitization activities, documenting which storage media were sanitized, when and how, and the final disposition of the media.
Controls for Proof of Sanitization
- TC-SNTZ-G08: Storage sanitization records should be produced and retained. Two forms of proof are described: an audit log trail and a certificate of sanitization. The records should be retained for as long as compliance or legal obligations require.
- TC-SNTZ-G09: This control specifies the minimum information that should be gathered for the certificate:
  - Manufacturer
  - Model and serial number
  - Storage media type, such as magnetic or flash
  - Sanitization method (clear, purge, destruct) and technique (for example, overwrite) used
  - Outcome description, including any errors
  - Tool used and its version
  - Verification method applied
  - For both the sanitization and the verification: name, position, date and time, location, contact information, and signature of the person who performed it
Key Takeaway
ISO/IEC 27040:2024 provides an extensive framework for storage security across the asset lifecycle, extending beyond access control into end-of-life risk mitigation. Media sanitization and method-specific verification are critical components of that framework: they ensure that storage does not retain recoverable data once it is transferred, reused, or disposed of. Conformance requires following organizational policies for data destruction, which in practice means adopting a recognized technical standard such as IEEE 2883. Organizations may therefore consider IEEE 2883-compliant data wiping tools as one means of meeting ISO/IEC 27040:2024.