You're six weeks from your SOC 2 Type II audit. Your auditor sends a preliminary questionnaire, and buried between access management and incident response is a line item you didn't expect: "Describe controls for removable media and portable storage devices."
If your answer is "we tell people not to use USB drives," you have a problem. SOC 2 and ISO 27001 don't accept trust as a control. They require documented policies, technical enforcement, and evidence that both are operating effectively. Here's exactly what auditors expect and how to deliver it.
Why USB Controls Matter for Compliance
Removable media represents a unique risk that auditors evaluate differently from network-based threats. A USB device bypasses firewalls, DLP gateways, and network monitoring entirely. It operates at the physical layer, which means your perimeter security stack is irrelevant the moment someone plugs in a flash drive.
Both SOC 2 and ISO 27001 recognize this. They don't prescribe specific USB tools, but they require that you've identified the risk, implemented proportional controls, and can prove those controls work over time. The gap between "we have a policy" and "we have enforced, auditable controls" is where most organizations fail.
SOC 2 Trust Services Criteria: USB Control Mapping
SOC 2 is organized around Trust Services Criteria (TSC). USB device control maps to multiple criteria across the Common Criteria and the Security category:
| TSC Control | Requirement | USB Implementation |
|---|---|---|
| CC6.1 | Logical and physical access controls | Technical enforcement blocking unauthorized USB devices. Default-deny policy with device whitelisting for approved hardware. |
| CC6.4 | Restrict physical access to assets | Policy governing which USB ports are active, physical port blocking on shared or public-facing machines. |
| CC6.5 | Dispose of, destroy, and manage assets | Documented procedures for sanitizing USB devices, tracking encrypted drives, revoking access when devices are decommissioned. |
| CC6.7 | Restrict transmission and movement of data | Controls preventing data exfiltration via USB. Read-only modes, transfer logging, and encryption enforcement for any approved data movement. |
| CC7.1 | Monitor for anomalies and events | USB event logging: device connections, file transfers, policy violations. Integration with SIEM for alerting. |
| CC7.2 | Monitor system components for anomalies | Alerting on unauthorized device types (BadUSB, HID spoofing), unusual connection patterns, and after-hours USB activity. |
| CC8.1 | Manage changes to infrastructure | Change control for USB policy updates — who approved the change, when, and what was modified. |
The key insight: SOC 2 auditors aren't looking for a specific tool. They're evaluating whether you have a control, whether it's designed effectively, and whether it's operating effectively over the audit period. A 12-month Type II audit means you need 12 months of evidence, not a policy document created last week.
ISO 27001 Annex A: USB Control Mapping
ISO 27001:2022 restructured Annex A into four themes. USB controls span several:
| Annex A Control | Title | USB Implementation |
|---|---|---|
| A.7.10 | Storage media | This is the primary control. Requires management of removable media throughout its lifecycle: acquisition, use, transport, storage, and disposal. Demands classification labeling and encryption for sensitive data. |
| A.7.9 | Security of assets off-premises | Controls for USB devices taken outside the organization. Encryption, tracking, and remote wipe capability for encrypted portable storage. |
| A.8.10 | Information deletion | Procedures for secure deletion of data on USB devices before reuse or disposal. Documented sanitization processes. |
| A.8.12 | Data leakage prevention | Technical controls preventing unauthorized data transfers to removable media. Overlaps heavily with USB DLP requirements. |
| A.8.1 | User endpoint devices | USB control as part of endpoint security configuration. Default device restrictions applied via endpoint management. |
| A.5.10 | Acceptable use of information | Policy defining acceptable use of removable media, approved device types, and consequences for violations. |
ISO 27001 auditors (certification bodies) verify that your Statement of Applicability (SoA) addresses A.7.10 and that your risk treatment plan includes proportional controls. If you declared A.7.10 applicable but have no technical enforcement, that's a nonconformity.
What Auditors Actually Ask
Having sat through hundreds of audit cycles across organizations, we have found that the questions auditors ask about USB controls follow a predictable pattern. Here's what to prepare for:
Policy Questions
- "Show me your removable media policy." — They want a formally approved document, not a wiki page. It should include scope, approved device types, encryption requirements, exception procedures, and violation consequences.
- "When was it last reviewed?" — Both frameworks expect annual review at minimum. The policy should have a version history showing review and approval dates.
- "How do employees acknowledge it?" — Evidence that users have read and accepted the policy, typically through onboarding or annual security awareness training.
Technical Questions
- "Show me the technical control that enforces this policy." — This is where endpoint USB port control matters. Auditors want to see that the policy isn't just words — it's technically enforced.
- "What happens if someone plugs in an unauthorized device?" — They expect a clear answer: the device is blocked, an alert fires, and an event is logged. Not "we hope they follow policy."
- "Can you show me this working on a live system?" — Be prepared for a walkthrough. Plug in a random USB drive during the audit and show it being blocked in real time.
Evidence Questions
- "Show me USB event logs from the past 90 days." — They want continuous evidence, not a snapshot. Logs should show device connections, policy enforcement actions, and any exceptions that were granted.
- "Show me an example of an exception being approved." — If your policy allows exceptions, auditors want to see the approval workflow: who requested it, who approved it, what was the justification, and was it time-limited?
- "How often do you review USB access logs?" — Regular review (weekly or monthly) with documented evidence of that review happening.
The Evidence Package: What You Need Ready
Compile this before your auditor walks in the door:
| Evidence Item | SOC 2 | ISO 27001 | Details |
|---|---|---|---|
| Removable media policy | CC6.1, CC6.7 | A.5.10, A.7.10 | Formally approved, dated, with version history and annual review evidence |
| Device whitelist configuration | CC6.1 | A.7.10, A.8.1 | Current list of approved USB device classes/models with business justification for each |
| Enforcement screenshots/reports | CC6.1, CC6.4 | A.7.10, A.8.12 | Dashboard or report showing controls active across all endpoints |
| USB event logs (full audit period) | CC7.1, CC7.2 | A.7.10 | Connection events, blocked devices, file transfer records — covering the complete audit window |
| Exception request records | CC6.1 | A.7.10 | Approval workflows with requester, approver, justification, and expiration date |
| Log review evidence | CC7.1 | A.7.10 | Meeting minutes, tickets, or reports showing regular review of USB activity |
| Training completion records | CC1.4 | A.6.3 | Evidence that users completed removable media awareness training |
| Change management records | CC8.1 | A.8.32 | Change tickets for any USB policy modifications during the audit period |
The most common audit finding isn't "you don't have USB controls." It's "you have a policy but no technical enforcement" or "you have enforcement but no logs proving it operated continuously." Close both gaps.
Common Audit Findings and How to Avoid Them
| Finding | Root Cause | Prevention |
|---|---|---|
| Policy exists but no enforcement | Policy was written for the audit but never implemented technically | Deploy default-deny USB controls as the baseline, whitelist from there |
| Gaps in logging coverage | Agent not deployed to all endpoints, or log retention too short | Ensure 100% endpoint coverage and retain logs for the full audit period plus 90 days |
| Exceptions without approval records | IT grants USB access informally via email or chat | Implement a formal exception workflow with ticketing integration |
| No regular log review | Logs exist but nobody looks at them | Schedule monthly USB activity reviews and document findings, even if findings are "no anomalies" |
| Policy not reviewed annually | Policy was created during initial certification and forgotten | Add removable media policy to your annual review calendar alongside all other ISMS documents |
| Incomplete asset coverage | USB controls only on corporate laptops, not desktops or servers | Extend USB enforcement to all endpoints that can accept removable media, including servers and shared workstations |
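The "Evidence Questions" above and the "Gaps in logging coverage" finding both come down to the same monthly exercise: run the exported USB events against your endpoint inventory, whitelist and exception records, and write down what you found. The script below is an added example, not PortGuard output or any vendor's tooling; the log format, the endpoint names, the whitelisted vendor:product id and the exception record are all constructed for illustration.

```python
from datetime import datetime, date, timedelta

# Constructed agent export (not real data): time, endpoint, vendor:product,
# device class, enforcement action, user.
SAMPLE_LOG = """\
2025-03-03T09:12:44 LT-0142 0951:1666 mass_storage allowed alice
2025-03-03T22:40:10 LT-0142 0781:5583 mass_storage blocked alice
2025-03-04T10:05:01 DT-0007 046d:c52b hid allowed bob
2025-03-05T11:30:22 SRV-02 0781:5583 mass_storage allowed svc_backup
2025-03-06T08:15:09 LT-0142 0951:1666 mass_storage allowed alice
"""
WHITELIST = {"0951:1666"}  # assumed approved hardware-encrypted model
EXCEPTIONS = {("SRV-02", "0781:5583"): date(2025, 3, 4)}  # assumed, expiry date
INVENTORY = {"LT-0142", "DT-0007", "SRV-02", "LT-0099"}  # every in-scope endpoint
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59; anything else is after hours

def parse_events(text):
    """One dict per export line, with the timestamp parsed."""
    events = []
    for line in text.splitlines():
        ts, endpoint, device, cls, action, user = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "endpoint": endpoint,
                       "device": device, "cls": cls, "action": action, "user": user})
    return events

def review(events, start, end):
    """Findings a monthly log review records for the period start..end inclusive."""
    seen_endpoints = {e["endpoint"] for e in events}
    seen_days = {e["ts"].date() for e in events}
    period = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    findings = {
        "blocked": sum(e["action"] == "blocked" for e in events),
        "after_hours": [], "unapproved_allowed": [],
        "coverage_gaps": sorted(INVENTORY - seen_endpoints),   # silent endpoints
        "days_without_logs": [d.isoformat() for d in period if d not in seen_days],
    }
    for e in events:
        if e["cls"] != "mass_storage":
            continue  # keyboards and mice are permitted by the default posture
        if e["ts"].hour not in BUSINESS_HOURS:
            findings["after_hours"].append((e["endpoint"], e["device"], e["action"]))
        if e["action"] == "allowed" and e["device"] not in WHITELIST:
            expiry = EXCEPTIONS.get((e["endpoint"], e["device"]))
            if expiry is None or e["ts"].date() > expiry:  # no or expired exception
                findings["unapproved_allowed"].append((e["endpoint"], e["device"]))
    return findings

def run_sample():
    return review(parse_events(SAMPLE_LOG), date(2025, 3, 3), date(2025, 3, 7))
```

Calling run_sample() on the constructed week flags one after-hours block, an allowed transfer on SRV-02 the day after its exception expired, an inventoried laptop that never reported, and a day with no events at all, which is exactly the kind of gap an auditor sampling random days would hit.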
Building an Audit-Ready USB Policy
Your removable media policy should include these sections at minimum:
- Purpose and scope — State the business reason for the policy and define which systems and users it covers. Be explicit: "All company-owned endpoints including laptops, desktops, servers, and virtual machines."
- Default posture — "All USB mass storage devices are blocked by default. Keyboards, mice, and other HID devices are permitted." Define your whitelist approach here.
- Approved device types — List specific approved device classes or models. Require hardware encryption for any approved storage device. Specify vendor/model restrictions.
- Exception process — Document the workflow: who can request exceptions, who approves them, maximum duration, required justification, and how exceptions are technically implemented and revoked.
- Monitoring and enforcement — State that USB activity is logged, that logs are reviewed on a defined schedule, and that policy violations trigger defined incident response procedures.
- Sanctions — Define consequences for policy violations, aligned with your HR disciplinary framework.
- Review schedule — Annual review at minimum, with additional reviews triggered by security incidents, organizational changes, or regulatory updates.
Implementation Timeline for Audit Readiness
If you're starting from zero and need to be audit-ready, here's a realistic 8-week timeline:
Weeks 1–2: Policy and planning. Draft the removable media policy. Get formal approval from leadership. Inventory all endpoints that need USB controls. Define your device blocking strategy.
Weeks 3–4: Deploy in audit mode. Roll out USB monitoring to all endpoints without blocking. Collect baseline data on USB device usage. Identify which devices are business-critical and need whitelisting. This data informs your whitelist and prevents Day 1 disruptions.
Weeks 5–6: Enable enforcement. Switch from audit mode to default-deny enforcement. Apply your approved device whitelist. Set up alerting for blocked devices and policy violations. Train end users on the new policy and exception process.
Weeks 7–8: Validate and document. Verify 100% endpoint coverage. Test the exception workflow end to end. Confirm logs are flowing to your SIEM or central log store. Run a mock audit walkthrough — plug in an unauthorized device and trace the full chain from block to alert to log entry. Compile your evidence package.
Start building your evidence trail as early as possible. A SOC 2 Type II audit evaluates controls over 6–12 months. The sooner your controls are operating, the stronger your evidence.
SOC 2 vs. ISO 27001: Key Differences for USB Controls
While both frameworks require USB security, they evaluate it differently:
- SOC 2 is attestation-based. Your auditor (CPA firm) evaluates whether controls are designed and operating effectively. You define the controls; they test them. There's flexibility in implementation, but you need evidence of continuous operation throughout the audit period.
- ISO 27001 is certification-based. A certification body verifies that your ISMS meets the standard's requirements. Annex A controls are more prescriptive (A.7.10 specifically addresses storage media), and you must address them in your Statement of Applicability even if you declare them not applicable — with justification.
- Evidence expectations differ. SOC 2 auditors typically sample — they'll pick 25 random days and ask for USB logs from those dates. ISO 27001 auditors may do broader reviews but focus more on the management system (processes, reviews, continuous improvement) than individual log entries.
- Scope matters. SOC 2 scope is defined by the services you provide to customers. ISO 27001 scope is defined by your ISMS boundaries. Ensure USB controls cover the full scope of whichever audit you're pursuing.
Audit-Ready USB Controls in Under an Hour
PortGuard deploys in minutes and delivers the enforcement, logging, and reporting that SOC 2 and ISO 27001 auditors expect. Default-deny policies, device whitelisting, and exportable audit logs — out of the box.
Beyond the Audit: Making USB Controls Sustainable
Passing the audit is the first milestone, not the finish line. Sustainable USB security requires ongoing attention:
- Monthly log reviews: Schedule a 30-minute monthly review of USB activity. Document it even when there's nothing to report — "no anomalies detected" is valid evidence that the review happened.
- Quarterly whitelist review: Are all approved devices still in use? Has anyone left the company with an approved encrypted drive? Prune your whitelist regularly.
- Annual policy review: Update the policy to reflect changes in technology, business processes, and regulatory requirements. Document the review and any changes made.
- Continuous coverage monitoring: As new endpoints join your environment, ensure they receive USB controls automatically. A single unmanaged laptop is an audit finding waiting to happen.
The organizations that find compliance easy are the ones that built security into their operations — not the ones that scramble before each audit cycle. USB device control is a small but critical piece of that foundation. Get it right once, maintain it continuously, and it becomes one of the easiest sections of your audit to pass.