
    ISO/IEC 27040:2024 - storage devices and media

    • What it is: An international standard focused on storage security (protecting data where it is stored and how it moves through storage environments).
    • Current edition: ISO/IEC 27040:2024 (Edition 2), published January 2024.
    • What it covers: Security of storage devices and media, management activities, applications/services, and monitoring/control of user activity across the full lifecycle (including end-of-use/end-of-life).
    • What it helps you do: Use a proven approach to plan, design, document, and implement storage security controls to reduce risk.
    • Who it’s for: Senior leaders, procurement/acquirers, storage and security managers/admins, and architects responsible for storage network security design.
    • How it fits with ISO 27001: It complements an ISO/IEC 27001 ISMS by going deeper on storage-specific requirements and guidance (and the 2nd edition aligns its structure to ISO/IEC 27001:2022 themes).

    The prerequisites required by the Cyber Security Centre include an up-to-date (within 3 months) ISO 27001 certification or surveillance audit. This forms a foundation component for successful attestation.


    ISO/IEC 27040:2024 Attestation

    What is ISO/IEC 27040?

    ISO/IEC 27040:2024 is the international standard for storage security—helping organisations protect information while it is stored in ICT systems and while it moves across storage-related communication links (for example, between hosts, storage, backups, and storage networks).

    It provides requirements and practical guidance for a consistent approach to the planning, design, documentation, and implementation of storage security—so protection is built in, measurable, and easier to audit.

    It focuses on storage security across the full lifecycle, including:

    • Storage devices and media (handling, protection, and control)
    • Storage management activities (secure administration and operations)
    • Applications and services that interact with storage
    • Monitoring and control of user activity, including after end-of-use / end-of-life

    If your organization stores sensitive data on-premises or in the cloud, ISO/IEC 27040:2024 helps you strengthen security where breaches often occur: data at rest, backups, storage administration, and storage connectivity.

    How will organisations benefit from ISO 27040 Attestation?

    • Builds trust — provides clear assurance that stored information is protected with recognised good practice.
    • Strengthens procurement — supports security requirements in tenders and supplier due diligence.
    • Reduces breach impact — improves storage hardening, monitoring, and control of privileged access.
    • Supports compliance — reinforces governance over retained data, backups, and end-of-life disposal.
    • Improves resilience — strengthens recoverability, including protection of backup and archive repositories.

    Who is ISO/IEC 27040 for?

    ISO/IEC 27040 is relevant to anyone owning, operating, or using storage devices, media, and storage networks—including senior managers, procurement teams, security leaders, storage administrators, and solution architects. It is especially valuable where storage is complex (multiple platforms, shared environments, outsourced services, or high regulatory expectations) and responsibilities must be clearly defined.

    How Cyber Security Centre can help

    As a cyber security research organization, Cyber Security Centre provides evidence-based guidance grounded in current research and industry practice. Our team holds postgraduate qualifications (Masters level and above), with staff undertaking PhD research, enabling us to deliver clear, practical advice that supports governance, implementation, and assurance activities.