ISO/IEC 27040:2015
Information technology — Security techniques — Storage security
ISO/IEC 27040:2015 provides detailed technical guidance on how organizations can define an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. Storage security applies to the protection (security) of information where it is stored and to the security of the information being transferred across the communication links associated with storage. Storage security includes the security of devices and media, the security of management activities related to the devices and media, the security of applications and services, and security relevant to end-users during the lifetime of devices and media and after end of use.
Storage security is relevant to anyone involved in owning, operating, or using data storage devices, media, and networks. This includes senior managers, acquirers of storage product and service, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security or storage security, storage operation, or who are responsible for an organization's overall security program and security policy development. It is also relevant to anyone involved in the planning, design, and implementation of the architectural aspects of storage network security.
ISO/IEC 27040:2015 provides an overview of storage security concepts and related definitions. It includes guidance on the threat, design, and control aspects associated with typical storage scenarios and storage technology areas. In addition, it provides references to other International Standards and technical reports that address existing practices and techniques that can be applied to storage security.
| Get this standard | Prices exclude GST | |
|---|---|---|
| PDF ( Single user document) |
$118.26 NZD
|
|
| HardCopy |
$152.17 NZD
|
|
| Networkable PDF |
Price varies
|
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Overview and concepts
5.1 General
5.2 Storage concepts
5.3 Introduction to storage security
5.4 Storage security risks
5.4.1 Background
5.4.2 Data breaches
5.4.3 Data corruption or destruction
5.4.4 Temporary or permanent loss of access/availability
5.4.5 Failure to meet statutory, regulatory, or legal requirements
6 Supporting controls
6.1 General
6.2 Direct Attached Storage (DAS)
6.3 Storage networking
6.3.1 Background
6.3.2 Storage Area Networks (SAN)
6.3.3 Network Attached Storage (NAS)
6.4 Storage management
6.4.1 Background
6.4.2 Authentication and authorization
6.4.3 Secure the management interfaces
6.4.4 Security auditing, accounting, and monitoring
6.4.5 System hardening
6.5 Block-based storage
6.5.1 Fibre Channel (FC) storage
6.5.2 IP storage
6.6 File-based storage
6.6.1 NFS-based NAS
6.6.2 SMB/CIFS-based NAS
6.6.3 Parallel NFS-based NAS
6.7 Object-based storage
6.7.1 Cloud computing storage
6.7.2 Object-based Storage Device (OSD)
6.7.3 Content Addressable Storage (CAS)
6.8 Storage security services
6.8.1 Data sanitization
6.8.2 Data confidentiality
6.8.3 Data reductions
7 Guidelines for the design and implementation of storage security
7.1 General
7.2 Storage security design principles
7.2.1 Defence in depth
7.2.2 Security domains
7.2.3 Design resilience
7.2.4 Secure initialization
7.3 Data reliability, availability, and resilience
7.3.1 Reliability
7.3.2 Availability
7.3.3 Backups and replication
7.3.4 Disaster Recovery and Business Continuity
7.3.5 Resilience
7.4 Data retention
7.4.1 Long-term retention
7.4.2 Short to medium-term retention
7.5 Data confidentiality and integrity
7.6 Virtualization
7.6.1 Storage virtualization
7.6.2 Storage for virtualized systems
7.7 Design and implementation considerations
7.7.1 Encryption and key management issues
7.7.2 Align storage and policy
7.7.3 Compliance
7.7.4 Secure multi-tenancy
7.7.5 Secure autonomous data movement
Annex A (normative) Media sanitization
Annex B (informative) Selecting appropriate storage security controls
Annex C (informative) Important security concepts
Bibliography
Keep me up-to-date
Sign up to receive updates when there are changes to this standard
Related Information
Similar Standards
-
AS/NZS ISO/IEC 27001:2023
Information security, cybersecurity and privacy protection – Information security management systems – Requirements
-
AS/NZS ISO/IEC 27001:2023 A1
Information security, cybersecurity and privacy protection - Privacy enhancing data de-identification framework
-
AS/NZS ISO/IEC 27002:2022
Information security, cybersecurity and privacy protection — Information security controls
-
AS/NZS ISO/IEC 27011:2025
Information security, cybersecurity and privacy protection – Information security controls based on ISO/IEC 27002 for telecommunications organizations
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Overview and concepts
5.1 General
5.2 Storage concepts
5.3 Introduction to storage security
5.4 Storage security risks
5.4.1 Background
5.4.2 Data breaches
5.4.3 Data corruption or destruction
5.4.4 Temporary or permanent loss of access/availability
5.4.5 Failure to meet statutory, regulatory, or legal requirements
6 Supporting controls
6.1 General
6.2 Direct Attached Storage (DAS)
6.3 Storage networking
6.3.1 Background
6.3.2 Storage Area Networks (SAN)
6.3.3 Network Attached Storage (NAS)
6.4 Storage management
6.4.1 Background
6.4.2 Authentication and authorization
6.4.3 Secure the management interfaces
6.4.4 Security auditing, accounting, and monitoring
6.4.5 System hardening
6.5 Block-based storage
6.5.1 Fibre Channel (FC) storage
6.5.2 IP storage
6.6 File-based storage
6.6.1 NFS-based NAS
6.6.2 SMB/CIFS-based NAS
6.6.3 Parallel NFS-based NAS
6.7 Object-based storage
6.7.1 Cloud computing storage
6.7.2 Object-based Storage Device (OSD)
6.7.3 Content Addressable Storage (CAS)
6.8 Storage security services
6.8.1 Data sanitization
6.8.2 Data confidentiality
6.8.3 Data reductions
7 Guidelines for the design and implementation of storage security
7.1 General
7.2 Storage security design principles
7.2.1 Defence in depth
7.2.2 Security domains
7.2.3 Design resilience
7.2.4 Secure initialization
7.3 Data reliability, availability, and resilience
7.3.1 Reliability
7.3.2 Availability
7.3.3 Backups and replication
7.3.4 Disaster Recovery and Business Continuity
7.3.5 Resilience
7.4 Data retention
7.4.1 Long-term retention
7.4.2 Short to medium-term retention
7.5 Data confidentiality and integrity
7.6 Virtualization
7.6.1 Storage virtualization
7.6.2 Storage for virtualized systems
7.7 Design and implementation considerations
7.7.1 Encryption and key management issues
7.7.2 Align storage and policy
7.7.3 Compliance
7.7.4 Secure multi-tenancy
7.7.5 Secure autonomous data movement
Annex A (normative) Media sanitization
Annex B (informative) Selecting appropriate storage security controls
Annex C (informative) Important security concepts
Bibliography