ISO 27001 Annex A 7.14 is a simple rule. You must safely get rid of old equipment. If you reuse equipment, you must wipe all data first. Make sure the data cannot be brought back. This rule focuses on how you get rid of or reuse your hardware. You must protect the data on the device. This stops data from leaking out.
What is ISO 27001 Annex A 7.14?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Secure Disposal or Re-Use of Equipment”.
What is the ISO 27001 Annex A 7.14 control objective?
The formal definition and control objective in the standard is: “Information should be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.“
What is the purpose of ISO 27001 Annex A 7.14?
The purpose of ISO 27001 Annex A 7.14 is “to ensure the identification and understanding of the protection needs of information in accordance with its importance to the organisation.“
Is ISO 27001 Annex A 7.14 Mandatory?
ISO 27001 Annex A control 7.14 (Secure Disposal or Re-Use of Equipment in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 7.14 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are the main points to consider:
You will encounter equipment that has a limited life. While some items last a short time and others last a long time, all equipment will eventually be reassigned, reused, or thrown away.
This rule focuses on equipment that holds data. You may want to look back at the rules for storage media in ISO 27001 Annex A 5.10.
Your worst situation is when private and sensitive data falls into the wrong hands or becomes public. The results can range from simple embarrassment to legal issues, financial problems, and even life-threatening danger in the worst cases.
Deletion
Simply hitting “delete” is not enough. You do not want a discarded item ending up on an online sale site where someone with the right tools can recover the data you thought you erased. Hitting delete, or emptying the trash bin, does not fully remove data from a system: it usually removes only the reference to the file, and the underlying data stays on the disk until it is overwritten.
Encryption
Encryption is a helpful extra security step. Encrypting the entire hard drive as part of your standard setup is a good idea. Even with encryption, the best practice is to fully remove all data from a storage device before you use it again. When the device is no longer needed, it is best to have it professionally destroyed by a certified company. They will provide all the necessary documents, receipts, and proof you require.
Asset Tags and Labels
You should also think about asset tags or labels on your equipment. It is best to remove these identifying marks.
Records and Audit Trails
This is a key part of your asset management plan, so be sure to keep all detailed records and audit trails.
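The three points above (deleting is not wiping, wipe before reuse, keep an audit trail) can be shown end to end on a small in-memory disk image. The example below is added here and is not code from the article or from the ISO standard; the asset tag, the ledger records, the sensitive marker strings and the block size are all constructed for the demo. It models “delete” as leaving the data blocks untouched, sanitises by overwriting, verifies that nothing structured survives (each block must be all zeros or look random, and no known marker may remain), and then writes a self-hashed disposal record for the asset register.

```python
"""Added example (not part of the original article): simulate delete vs. wipe on a
disk image, verify the wipe, and produce an audit-trail record for the asset."""
import hashlib
import json
import math
from collections import Counter
from datetime import datetime, timezone

BLOCK = 4096  # block size used for the per-block entropy check

# Constructed sample data: a "used drive" full of plain-text ledger records,
# one of which carries a sensitive customer record we later search for.
SENSITIVE = b"CUSTOMER-RECORD-0001;SSN=000-00-0000;"
MARKERS = (b"CUSTOMER-RECORD", b"SSN=")


def make_sample_image(size=64 * BLOCK):
    """Build an in-memory disk image holding structured text plus one sensitive record."""
    filler = b"".join(b"ledger entry %06d; amount=%d.00; status=ok\n" % (i, i * 7)
                      for i in range(size // 32))
    img = bytearray((filler * (size // len(filler) + 1))[:size])
    img[10 * BLOCK:10 * BLOCK + len(SENSITIVE)] = SENSITIVE
    return img


def logical_delete(img):
    """What 'delete' or 'empty the trash' does: the directory entry is dropped,
    the data blocks are left untouched. Modelled as a no-op on the image bytes."""
    return img


def overwrite_wipe(img):
    """Sanitise by overwriting every byte with zeros (a single clearing pass)."""
    img[:] = bytes(len(img))
    return img


def shannon_entropy(chunk):
    """Bits of entropy per byte: ~8 for random data, ~4-5 for plain text, 0 for zeros."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def verify_sanitised(img, markers=MARKERS, min_entropy=7.5):
    """Return (ok, findings). The image passes only if no known marker survives and
    every block is either all zeros or looks random (entropy >= min_entropy),
    i.e. nothing structured is left that a recovery tool could read back."""
    findings = []
    for m in markers:
        pos = img.find(m)
        if pos != -1:
            findings.append(f"marker {m!r} still present at offset {pos}")
    for off in range(0, len(img), BLOCK):
        chunk = img[off:off + BLOCK]
        if chunk.count(0) == len(chunk):
            continue  # zero-filled block: cleared
        e = shannon_entropy(chunk)
        if e < min_entropy:
            findings.append(f"structured data in block at offset {off} (entropy {e:.2f})")
    return (not findings, findings)


def disposal_record(asset_tag, img, method, verified):
    """Audit-trail entry for the asset: what was done, when, and whether it verified.
    The record carries its own hash so later tampering is detectable."""
    rec = {
        "asset_tag": asset_tag,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "method": method,
        "image_bytes": len(img),
        "verified": verified,
        "post_wipe_sha256": hashlib.sha256(bytes(img)).hexdigest(),
    }
    rec["record_sha256"] = hashlib.sha256(
        json.dumps(rec, sort_keys=True).encode()).hexdigest()
    return rec


def run_demo(asset_tag="ASSET-0042"):  # constructed asset tag
    """Delete, verify (fails), wipe, verify (passes), then file the record."""
    img = make_sample_image()
    ok_after_delete, _ = verify_sanitised(logical_delete(img))
    overwrite_wipe(img)
    ok_after_wipe, _ = verify_sanitised(img)
    record = disposal_record(asset_tag, img, "single-pass zero overwrite", ok_after_wipe)
    return ok_after_delete, ok_after_wipe, record


if __name__ == "__main__":
    deleted_ok, wiped_ok, rec = run_demo()
    print("sanitised after delete:", deleted_ok)  # False
    print("sanitised after wipe:  ", wiped_ok)    # True
    print(json.dumps(rec, indent=2))
```

The “looks random” branch of the check is what a drive wiped with a random-pattern pass would pass, and it is also why a fully encrypted drive still needs a real sanitisation step before reuse: the ciphertext blocks look random, but the check cannot tell whether the key that decrypts them has actually been destroyed. On a real device the same two checks would run over the block device after the wipe, and the record would be filed against the asset tag before the label is removed.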