ISO/IEC 27040 PDF 2021
Executive Summary: ISO/IEC 27040:2024
The ISO/IEC 27040:2024 standard, titled "Information technology — Security techniques — Storage security," provides a comprehensive technical framework for securing data storage systems throughout their entire lifecycle. It was officially updated in early 2024, replacing the previous 2015 version with more stringent requirements, particularly regarding media sanitization and cloud storage security.
Key concepts and principles
- Storage security lifecycle: Plan → Design → Deploy → Operate → Decommission. Controls and risk assessments should be applied at each stage.
- Defense in depth: Layered controls (physical, network, host, storage system, application, and administrative) to reduce risk of data compromise.
- Separation of duties and least privilege: Limit access to storage management and data to reduce insider and configuration risks.
- Data classification and handling: Classify stored information by sensitivity and apply proportional protections (encryption, access controls, retention limits).
- Integrity and availability alongside confidentiality: Ensure mechanisms for integrity verification, versioning, immutability (where appropriate), and resilience/availability (replication, snapshots, backup/restore, continuity planning).
5. Secure Media Sanitization
- Principle: Deleting a file does not delete the data.
- ISO 27040 Guidance: Use cryptographic erasure (destroying the encryption key) for SSDs. For HDDs, use overwriting (e.g., three passes) or degaussing. For cloud storage, use the provider’s secure wipe API.
- Example: Before decommissioning a NetApp shelf, run "sanitize" procedures (Clause 9.2.3) and log the cryptographic key destruction.
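The cryptographic-erasure step and the logging of key destruction, as an added illustration that is not part of the standard or of this article: a simulated self-encrypting volume whose media key is destroyed, after which the retained ciphertext can no longer be decrypted, and a hash-protected sanitization record is produced for the decommissioning log. The class and function names are this example's own, and an HMAC-SHA256 counter-mode keystream stands in for the drive's AES engine so it runs with the standard library only.

```python
import hashlib, hmac, json, os, time


def _keystream(key: bytes, lba: int, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stdlib stand-in for the drive's AES engine.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, lba.to_bytes(8, "big") + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:n]


class EncryptedVolume:
    """Stand-in for a self-encrypting drive: ciphertext is useless without the media key."""

    def __init__(self) -> None:
        self.media_key = os.urandom(32)   # media encryption key, generated for the example
        self.blocks = {}                  # LBA -> ciphertext, never stored in the clear

    def write(self, lba: int, plaintext: bytes) -> None:
        ks = _keystream(self.media_key, lba, len(plaintext))
        self.blocks[lba] = bytes(a ^ b for a, b in zip(plaintext, ks))

    def read(self, lba: int) -> bytes:
        if self.media_key is None:
            raise PermissionError("media key destroyed: data is cryptographically erased")
        ks = _keystream(self.media_key, lba, len(self.blocks[lba]))
        return bytes(a ^ b for a, b in zip(self.blocks[lba], ks))

    def crypto_erase(self, operator: str) -> dict:
        """Sanitize by destroying the key and return an auditable record of the event."""
        key_id = hashlib.sha256(self.media_key).hexdigest()[:16]  # fingerprint, not the key
        self.media_key = None   # real devices zeroize the key in hardware; Python cannot
        record = {"action": "cryptographic_erase", "key_id": key_id, "operator": operator,
                  "blocks_retained": len(self.blocks), "time": int(time.time())}
        record["record_hash"] = hashlib.sha256(
            json.dumps(record, sort_keys=True).encode()).hexdigest()
        return record


def verify_record(record: dict) -> bool:
    """Recompute the hash so a tampered sanitization log entry is detected."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return hmac.compare_digest(expected, record.get("record_hash", ""))
```

Note that the flash still holds the full ciphertext after erasure; the guarantee rests entirely on the key being gone, which is why the record logs the key fingerprint rather than the key itself.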
Detailed Implementation: The standard provides specific technical guidance that expands upon the general security controls found in ISO/IEC 27002.
The standard is comprehensive, offering actionable advice across multiple domains, beginning with storage security management.