ISO/IEC 27040



ISO/IEC 27040:2015 — Information technology — Security techniques — Storage security



“ISO/IEC 27040:2015 provides detailed technical guidance on how organisations can define an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. Storage security applies to the protection (security) of information where it is stored and to the security of the information being transferred across the communication links associated with storage. Storage security includes the security of devices and media, the security of management activities related to the devices and media, the security of applications and services, and security relevant to end-users during the lifetime of devices and media and after end of use. Storage security is relevant to anyone involved in owning, operating, or using data storage devices, media, and networks. This includes senior managers, acquirers of storage product and service, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security or storage security, storage operation, or who are responsible for an organisation's overall security program and security policy development. It is also relevant to anyone involved in the planning, design, and implementation of the architectural aspects of storage network security. ISO/IEC 27040:2015 provides an overview of storage security concepts and related definitions. It includes guidance on the threat, design, and control aspects associated with typical storage scenarios and storage technology areas. In addition, it provides references to other International Standards and technical reports that address existing practices and techniques that can be applied to storage security.”
[Source: ISO/IEC 27040:2015]


The proposers of this standard felt that the information security aspects of data storage systems and infrastructures have been neglected due to misconceptions and limited familiarity with the storage technology, or in the case of [some] storage managers and administrators, a limited understanding of the inherent risks or basic security concepts.

As the New Work Item Proposal put it:

“Storage has matured in an environment where security has been a secondary concern due to its historical reliance on isolated connectivity, exotic technologies, and physical security of the data centers. Even as storage connectivity evolved to use technologies like the Internet Small Computer Systems Interface (iSCSI) protocol over TCP/IP, few users took advantage of either the inherent security mechanisms or the recommended security measures (e.g., using IPsec to secure the communications). Consequently, stored information is needlessly placed at risk.”


Scope and purpose

The standard is intended to help the purchasers and users of computer storage technologies determine and treat the associated information risks (although, unfortunately, it doesn’t use that term as such). The scope covers the security of devices and media, the security of management activities related to those devices and media, the security of applications/services and end-users, and the security of information being transferred across the communication links associated with storage.

The standard describes information risks associated with data storage, and controls to mitigate the risks. It aims to:

  • Draw attention to common risks associated with the confidentiality, integrity and availability of information on various data storage technologies;
  • Encourage organisations to improve their protection of stored information using suitable information security controls; and
  • Improve assurance, for example by facilitating reviews or audits of the information security controls protecting stored data.

The information security issues associated with backup/disaster recovery locations and cloud storage are covered, as well as those associated with primary/local storage on a variety of data storage technologies, media and subsystems (e.g. direct-attached storage (DAS), storage area networks (SAN), network-attached storage (NAS), content-addressable storage (CAS), Fibre Channel (FC) and object-based storage devices (OSD)).

Media sanitization (destruction of data stored on various types of storage media) is also covered.

The standard is unusually detailed. It also names a number of specific storage technologies, which is unusual for the ISO27k standards: most are deliberately generic in order to remain applicable as technology changes.


Status of the standard

The standard was published in 2015.

A revision project was launched in 2020 with the following aims:

  • Draw attention to the information risks in this area;
  • Help organisations improve security of stored data by enhancing/extending the guidance in ISO/IEC 27002;
  • Support those designing, reviewing and auditing [data] storage security.

Numerous changes have been made, taking the page count up to ~100.

April status update: the second edition has reached Draft International Standard stage, and remains on track for publication towards the end of this year.


Personal comments

Resilience is covered in the standard - an important information security concept that (in my considered opinion) deserves much more emphasis throughout ISO27k. After all, information security involves protecting/ensuring the availability of important information and information services, right?




Copyright © 2022 IsecT Ltd.