When an organisation upgrades its IT hardware, the old equipment doesn’t just disappear. Whether you are donating old laptops to charity, returning leased servers, or sending decommissioned hard drives to a recycler, you are handling a potential “data goldmine” for attackers. This is where ISO 27001 comes in to ensure that your “trash” doesn’t become a “breach.”
In the transition from the 2013 version to the 2022 update, the control for Secure Disposal or Re-use of Equipment has been refined. Formerly known as Control 11.2.7, it is now officially Annex A 7.14. While the core mission remains the same (keeping data from leaking out of old hardware), the 2022 version introduces a more modern, structured approach to managing these physical assets.
The Structural Shift: From 11.2.7 to 7.14
The first thing you will notice is the new numbering. In the ISO 27001:2013 standard, this control was part of the “Physical and Environmental Security” domain. In the 2022 version, the standard consolidated 114 controls into 93 and grouped them into four simple themes. Annex A 7.14 now sits within the Physical theme.
This isn’t just a cosmetic change. By moving to the Physical theme, the standard emphasises that the “end-of-life” phase of an asset is just as critical as its active life. According to Hightable.io, many organisations treat disposal as an afterthought, but the 2022 structure forces security teams to view it as a primary physical safeguard.
What Exactly is Annex A 7.14?
The goal of Annex A 7.14 is simple: to prevent the leakage of information from equipment that is being disposed of or re-used. If a device contains storage media (like a hard drive, SSD, or even a sophisticated printer with internal memory), it must be verified to ensure that all sensitive data and licensed software have been removed or securely overwritten before that device leaves your control.
The 2022 update clarifies that this applies not just to “throwing things away” (disposal) but also to “moving things around” (re-use). If you take a laptop from a departing manager and hand it to a new intern without a proper wipe, you may be in violation of this control.
Key Changes and New Requirements in the 2022 Version
While the 2013 version laid the groundwork, the 2022 version adds more specific “General Guidance” that reflects today’s security landscape. Here are the most significant updates:
- Removal of Branding and Identification: The 2022 version explicitly suggests that organisations should remove all signs, tags, and labels that identify the organisation, its network, or the classification level of the information previously held on the device. You don’t want a discarded drive in a bin with a sticker that says “Confidential Finance Data – Company X.”
- Facility Departure: A new nuance in the 2022 guidance suggests that when an organisation leaves a facility (for example when moving offices), it should consider removing any security controls it had established there. This prevents a “skeleton” of your security architecture from being visible to the next tenant.
- Attribute Mapping: Like all 2022 controls, A 7.14 now uses attributes. It is categorised as a “Preventative” control with the security property of “Confidentiality.” This helps you map the control directly to your risk assessment.

Practical Compliance Steps
To align with the 2022 requirements, your processes need to be “audit-ready.” Hightable.io points out that auditors are no longer satisfied with just a verbal “we wipe the drives.” They want to see a documented chain of custody.
To meet the standard, you should implement the following:
- Verification of Erasure: Use specialised software to overwrite data multiple times. For highly sensitive data, physical destruction (shredding or degaussing) is often the only way to be 100% sure.
- Third-Party Disposal: If you use a vendor for IT Asset Disposition (ITAD), ensure your contract requires them to provide a “Certificate of Destruction” for every serial number.
- Licensed Software: Don’t forget the software. The 2022 update reminds us that licensed software must also be removed to prevent legal and compliance risks when equipment is re-used or sold.
- Damaged Equipment: If a device is broken and cannot be wiped, the risk is even higher. You should assess whether the data sensitivity warrants destroying the device rather than sending it for a repair where a technician might see the data.
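The steps above all come down to the same thing an auditor will ask for: evidence, per serial number, that each device was sanitised, verified, stripped of labels and software, and (where a vendor was used) certified as destroyed. As an added example that is not part of the original article, and that is not an ISO-published schema, the following Python check runs those rules over a constructed disposal register and reports which assets lack the required evidence. The record fields, the sensitivity scale and the policy thresholds (high-sensitivity media must be physically destroyed; damaged media cannot be accepted as overwritten) are assumptions chosen to mirror the article's guidance.

```python
"""Hypothetical Annex A 7.14 evidence check over an asset disposal register.

Added example: field names, sensitivity scale and policy thresholds are
assumptions modelled on the article, not an ISO-defined schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sanitisation methods the constructed policy recognises.
DESTRUCTIVE = {"shred", "degauss"}   # physical destruction
OVERWRITE = {"overwrite"}            # software wipe, must be verified


@dataclass
class DisposalRecord:
    serial: str
    sensitivity: str                  # constructed scale: "low", "medium", "high"
    method: str                       # "overwrite", "shred", "degauss" or "none"
    wipe_verified: bool               # erasure was checked after the wipe
    labels_removed: bool              # organisation/classification labels stripped
    licensed_software_removed: bool   # licensed software removed before re-use/sale
    damaged: bool                     # device cannot be wiped in place
    handled_by_vendor: bool           # disposed of via an ITAD vendor
    certificate_of_destruction: Optional[str] = None  # vendor certificate reference


def check_record(r: DisposalRecord) -> List[str]:
    """Return the list of evidence gaps for one asset (empty list = audit-ready)."""
    findings: List[str] = []
    if r.method == "none":
        findings.append("no sanitisation method recorded")
    elif r.method in OVERWRITE and not r.wipe_verified:
        findings.append("overwrite not verified")
    # Assumed policy: a damaged device cannot be trusted to have been overwritten.
    if r.damaged and r.method in OVERWRITE:
        findings.append("damaged device cannot be reliably overwritten; destroy instead")
    # Assumed policy: high-sensitivity media must be physically destroyed.
    if r.sensitivity == "high" and r.method not in DESTRUCTIVE:
        findings.append("high-sensitivity media requires physical destruction")
    if r.handled_by_vendor and not r.certificate_of_destruction:
        findings.append("vendor disposal without certificate of destruction")
    if not r.labels_removed:
        findings.append("organisation/classification labels still attached")
    if not r.licensed_software_removed:
        findings.append("licensed software not removed")
    return findings


def audit_register(records: List[DisposalRecord]) -> Dict[str, List[str]]:
    """Map each serial with at least one evidence gap to its findings."""
    return {r.serial: f for r in records if (f := check_record(r))}


# Constructed sample register (serials and values are made up for the example).
SAMPLE_REGISTER = [
    DisposalRecord("SN-0001", "low", "overwrite", True, True, True, False, False),
    DisposalRecord("SN-0002", "high", "overwrite", True, True, True, False, False),
    DisposalRecord("SN-0003", "medium", "shred", False, False, True, True, True, None),
    DisposalRecord("SN-0004", "medium", "overwrite", False, True, False, True, False),
]

if __name__ == "__main__":
    for serial, gaps in audit_register(SAMPLE_REGISTER).items():
        print(serial)
        for gap in gaps:
            print("  -", gap)
```

Run as a script it lists only the assets that would fail the evidence test; feeding it the real register (for example parsed from a CSV export) turns the "documented chain of custody" requirement into a repeatable pre-audit check rather than a manual review.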
Why Does the 2022 Update Matter?
In 2013, we were mostly worried about hard drives. In 2022 and beyond, we have “smart” everything: IoT devices, advanced office equipment, and sophisticated mobile devices. Annex A 7.14 recognises that data lives in more places than just a desktop PC. By following the 2022 guidance, you are closing a physical “backdoor” that many cyber-attackers use to gather intelligence on an organisation’s internal network structure and data types.
Final Thoughts on the Transition
Transitioning from the 2013 version’s Control 11.2.7 to the 2022 version’s Annex A 7.14 is a relatively straightforward task, but it requires diligence. Focus on the new requirements regarding label removal and facility departure, and ensure your asset register tracks the disposal phase as rigorously as the procurement phase. As highlighted by Hightable.io, the key is evidence: if you can’t prove a device was securely wiped, then in the eyes of an ISO auditor it never happened.
