How to implement ISO 27001 Annex A 7.14 – A certification body's guide


When you are building your Information Security Management System (ISMS), it is easy to focus on protecting the technology you use every day. You likely have firewalls in place and strong passwords for your active accounts. However, a significant risk often arises when you stop using that technology. Annex A 7.14 of ISO 27001 deals with the secure disposal or re-use of equipment.

As a certification body, we at ISO27001.com often see organisations fail this control because they lack a formal process. You might toss an old laptop in a cupboard or sell a server without thinking about the data left inside. This guide will walk you through what this control requires and how you can implement it to satisfy an auditor.

Understanding the Requirement

The core purpose of Annex A 7.14 is simple. You must ensure that any equipment containing storage media is verified to be free of sensitive data before you dispose of it or re-use it. This applies to everything from hard drives and servers to mobile phones and tablets. Even photocopiers with internal hard disks fall under this rule.

If you plan to use the equipment again within your own business, you must still sanitise it. For example, if a laptop moves from the HR department to the sales team, the sensitive HR data must be removed first. If the equipment is leaving your premises entirely, the need for caution is even higher.

Identify Your Assets

You cannot secure what you do not know you have. The first step is to check your asset register. You need to identify which items contain storage media. This is where good asset management links directly to secure disposal. When you decide an item is at the end of its life, you should change its status in your register.

We recommend creating a clear policy that dictates exactly what happens to hardware when it is no longer needed. This policy does not need to be long, but it must be clear. It should state who is responsible for the disposal and what methods they must use.

The Process of Re-use

Re-using equipment is cost-effective and environmentally friendly. However, it carries risk. When you re-assign a device, you must ensure the previous user’s data is inaccessible to the new user.

Standard deletion is rarely enough. When you drag a file to the recycle bin, the data remains on the disk. You should use software that overwrites the storage media with random data. There are many standard tools available that can do this securely. Once the wipe is complete, you can safely install a new operating system and hand the device to the new user.

Secure Disposal and Destruction

If the equipment is broken or obsolete, you will likely dispose of it. You have two main options here. You can physically destroy the media, or you can use software to wipe it before sending it for recycling.

Physical destruction is often the safest bet for highly sensitive data. This might involve shredding a hard drive so that it is physically impossible to read. If you choose this route, you must ensure it is done properly. Drilling a single hole in a hard drive might not destroy all the data.

If you use a third-party company to collect and destroy your electronic waste, you must do your due diligence. You are responsible for the data until it is destroyed. At ISO27001.com, we expect to see a contract with the disposal company that includes confidentiality clauses.

What the Auditor Expects to See

When we visit you for an audit, we are looking for evidence. Saying that you wipe hard drives is not enough. We need proof that the process is working.

You should keep a log of all disposed equipment. This log should include the serial number of the item, the method of disposal, and the date it happened. If you wiped the disk yourself, save the report generated by the wiping software. This report usually confirms that the overwrite was successful.

If you used an external company, we will ask for a certificate of destruction. This is a formal document provided by the vendor that lists the items they destroyed. It serves as your legal proof that the data is gone. If you cannot produce these certificates, it will lead to a non-conformity.
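The disposal log and the evidence the auditor asks for above can be checked mechanically. The following is an added example, not code from ISO27001.com or from the standard: it models one log entry with the fields the page names (serial number, method, date, wipe report or certificate of destruction, labels removed) and flags the gaps that would lead to a non-conformity. The record structure, method names and sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Disposal routes the guide describes: in-house software overwrite, physical
# destruction, or hand-off to a third-party disposal company.
IN_HOUSE_WIPE = "software_wipe"
PHYSICAL_DESTRUCTION = "physical_destruction"
THIRD_PARTY = "third_party_disposal"

@dataclass
class DisposalRecord:
    serial_number: str
    method: str
    disposed_on: Optional[date]
    wipe_report: Optional[str] = None             # reference to the wiping tool's report
    destruction_certificate: Optional[str] = None # vendor's certificate of destruction
    labels_removed: bool = False                  # asset tags / company markings removed

def audit_findings(record: DisposalRecord) -> List[str]:
    """Return the gaps an auditor would raise for one entry (empty list = compliant)."""
    findings: List[str] = []
    if not record.serial_number:
        findings.append("missing serial number")
    if record.disposed_on is None:
        findings.append("missing disposal date")
    if record.method == IN_HOUSE_WIPE and not record.wipe_report:
        findings.append("no wipe report saved for in-house software wipe")
    elif record.method == THIRD_PARTY and not record.destruction_certificate:
        findings.append("no certificate of destruction from disposal vendor")
    elif record.method not in (IN_HOUSE_WIPE, PHYSICAL_DESTRUCTION, THIRD_PARTY):
        findings.append(f"unrecognised disposal method: {record.method!r}")
    if not record.labels_removed:
        findings.append("company labels or asset tags not recorded as removed")
    return findings

def audit_log(records: List[DisposalRecord]) -> Dict[str, List[str]]:
    """Map serial numbers to findings, keeping only entries that have gaps."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        gaps = audit_findings(rec)
        if gaps:
            result[rec.serial_number or "<no serial>"] = gaps
    return result

# Constructed sample log entries (hypothetical assets, not real data).
SAMPLE_LOG = [
    DisposalRecord("LT-0001", IN_HOUSE_WIPE, date(2024, 3, 1),
                   wipe_report="reports/LT-0001.txt", labels_removed=True),
    DisposalRecord("SRV-0042", THIRD_PARTY, date(2024, 3, 2), labels_removed=True),
    DisposalRecord("LT-0002", IN_HOUSE_WIPE, None),
]
```

Running `audit_log(SAMPLE_LOG)` reports the server handed to a vendor without a certificate and the laptop with no date, no wipe report and no label removal, while the fully evidenced laptop is silent.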

Handling Loose Media and Paper

While Annex A 7.14 focuses heavily on equipment, do not forget smaller items. USB sticks, SD cards, and backup tapes are easily lost. You should have a secure container or a shredding process for these items.

Furthermore, ensure that you remove all labels and markings from equipment before disposal. An asset tag that identifies the laptop as property of your company could cause reputational damage if the device ends up for sale online, even if the drive is empty.

Common Mistakes to Avoid

We often see companies piling up old equipment in a server room because they do not know what to do with it. This creates a risk of theft. If you are not ready to dispose of items yet, store them securely. Lock them away and update your inventory to show they are in storage.

Another common mistake is forgetting photocopiers and printers. Many modern office printers have hard drives that store scans and copies. If you return a leased printer, ensure the drive is wiped first.


Summary

Implementing Annex A 7.14 is about closing the loop on your asset management. It requires you to be just as careful when equipment leaves the business as you were when it arrived. By verifying data is removed and keeping solid records, you protect your data and pass your audit.

If you need further guidance on preparing for your certification, you can always find more resources with us at ISO27001.com. We are here to help you navigate the standards with confidence.