Control attributes: Physical, Preventive, Protect

A.7.10 Storage Media

M365 Admin Path: Microsoft Intune admin center (intune.microsoft.com) > Endpoint security > Disk encryption; Microsoft Defender portal > Device control

Evidence Source: Microsoft Graph - Intune Configuration Policies (BitLocker, Device Control, ASR), Manual verification

What is this control?

ISO 27001 control A.7.10 Storage Media requires organisations to manage removable storage media throughout their lifecycle according to classification and handling requirements. This control addresses data exfiltration and malware risks from USB drives, external hard drives, and portable storage devices that can bypass network security controls. For Microsoft 365 environments, protection is implemented through BitLocker To Go encryption enforcement (denying write access to unencrypted removable drives) and Microsoft Defender for Endpoint Device Control policies that block or restrict USB storage device access at the device level.

How to implement in Microsoft 365

Implement A.7.10 by configuring Intune Endpoint Security Disk Encryption policies with BitLocker removable drive settings: enable Deny write access to removable drives not protected by BitLocker and Deny write access to devices configured in another organisation. This forces users to encrypt USB drives with BitLocker To Go before writing data, with recovery keys escrowed to Azure AD. Deploy Microsoft Defender for Endpoint Device Control policies to block removable USB storage by default per CIS WCP 7.3, with an allowlist process for business-approved exceptions by serial number or vendor ID.

Establish media handling procedures including labelling, chain of custody, and secure disposal methods appropriate to data classification (physical destruction for Highly Confidential).
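As an added example (not part of this page or of any Microsoft tooling), the PowerShell check below collects local evidence that the BitLocker To Go settings above have actually reached an endpoint: it reads the policy registry values that the Intune and Group Policy removable-drive settings write (RDVDenyWriteAccess and RDVDenyCrossOrg under HKLM\SOFTWARE\Policies\Microsoft\FVE) and reports the BitLocker protection status of every removable volume currently attached. It assumes an elevated session on a Windows 10/11 device with the BitLocker PowerShell module; the Device Control allowlist is not checked here.

```powershell
# Added example: local evidence that BitLocker To Go enforcement is in effect.
# Assumes an elevated session on a Windows 10/11 endpoint with the BitLocker module.
# The registry values are the ones the Intune/GPO removable-drive settings write.
function Get-RemovableMediaEvidence {
    $fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policy  = Get-ItemProperty -Path $fvePath -ErrorAction SilentlyContinue

    # "Deny write access to removable drives not protected by BitLocker"
    $denyUnencrypted = ($policy.RDVDenyWriteAccess -eq 1)
    # "Deny write access to devices configured in another organisation"
    $denyCrossOrg    = ($policy.RDVDenyCrossOrg -eq 1)

    # Protection status of every removable volume that currently has a drive letter
    $removable = @(Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter })
    $volumes = foreach ($v in $removable) {
        $mount  = "$($v.DriveLetter):"
        $bl     = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        $status = if ($bl) { [string]$bl.ProtectionStatus } else { 'Unknown' }
        $method = if ($bl) { [string]$bl.EncryptionMethod } else { 'Unknown' }
        [pscustomobject]@{
            Drive            = $mount
            Label            = $v.FileSystemLabel
            ProtectionStatus = $status   # 'On' means BitLocker To Go is active
            EncryptionMethod = $method
        }
    }

    # Findings an auditor would raise from this device's state
    $findings = @()
    if (-not $denyUnencrypted) { $findings += 'RDVDenyWriteAccess not enforced: unencrypted removable drives are writable' }
    if (-not $denyCrossOrg)    { $findings += 'RDVDenyCrossOrg not enforced: drives from other organisations are writable' }
    foreach ($vol in @($volumes)) {
        if ($vol.ProtectionStatus -ne 'On') { $findings += "$($vol.Drive) ($($vol.Label)) is not BitLocker protected" }
    }

    [pscustomobject]@{
        Collected            = (Get-Date).ToString('o')
        ComputerName         = $env:COMPUTERNAME
        DenyWriteUnencrypted = $denyUnencrypted
        DenyWriteCrossOrg    = $denyCrossOrg
        PolicyCompliant      = ($denyUnencrypted -and $denyCrossOrg)
        RemovableVolumes     = @($volumes)
        Findings             = $findings
    }
}

# Write a timestamped JSON record that can be attached to the A.7.10 evidence file
$evidence = Get-RemovableMediaEvidence
$evidence | ConvertTo-Json -Depth 4 | Out-File -FilePath "$env:TEMP\a-7-10-evidence-$env:COMPUTERNAME.json" -Encoding utf8
$evidence | Format-List
```

A device whose Findings array is empty shows both write-deny settings enforced and every attached removable volume protected; a non-empty array lists exactly what to remediate or record as an approved exception.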

What an auditor looks for

Auditors will verify that an Intune Endpoint Protection policy exists with BitLocker removable drive settings configured to deny write access to unencrypted drives. They will check for Device Control policies blocking USB storage with appropriate exception handling. Auditors will review the encrypted media register to confirm approved devices are tracked with encryption status and custodian assignment.

They will examine disposal certificates and logs to verify secure destruction methods appropriate to data classification. Auditors will check incident records for any lost or stolen media reports and confirm timely investigation.

Related controls

  • [A.8.24 (Use of cryptography - BitLocker)](/controls/a-8-24 (use of cryptography - bitlocker)/)
  • [A.7.7 (Clear desk - media storage)](/controls/a-7-7 (clear desk - media storage)/)
  • [A.7.14 (Secure disposal - media destruction)](/controls/a-7-14 (secure disposal - media destruction)/)
  • [A.6.3 (Awareness training)](/controls/a-6-3 (awareness training)/)

M365 capabilities that implement this control

Microsoft Media Handling Foundation

Microsoft-managed media storage, sanitization, and disposal procedures