Media & equipment disposal – what is it and how to do it in line with ISO 27001

Update 2022-4-26.

Today, hard drive and other media devices are less common than they were some years ago, because the current trend is to use the cloud, although there are still a lot of people using pen drives, external hard drives, etc. And, of course, all the information in the cloud is ultimately stored on a server, i.e., its hard disk, which is also a media device. Therefore, secure media disposal is very important to make sure sensitive data do not leak.

ISO 27001 is an international standard for the protection of information, and we will see how this standard can help us with the hard drive disposal and the disposal of other media devices.

Five tips for hard drive and other media disposal
  1. Physically destroy the media, for example, by incineration or shredding.
  2. Securely delete the information.
  3. Select an external party by defining a non-disclosure agreement.
  4. Avoid the aggregation effect.
  5. Record the disposal (what media has been destroyed, or what media are reusable, etc.).

What media need to be disposed of securely?

First, let’s identify what media we need to take care of, as well as why and how we can securely dispose of them.

Taking into consideration that, in ISO 27001, the most important thing is the information, we need to take care of the media that we are using to store sensitive information. But what do I mean by “media”?

Generally, in this context, a medium is a device that is used for storing information, so media would include hard drives, USB pen drives, external hard drives, CDs, DVDs, etc.

Think about the following scenarios:

Printed documents (e.g., budget drafts, or client’s refused proposals) are no longer needed and used as scratch paper, or accumulated in waiting areas for removal.

Defective equipment (e.g., CEO’s tablet, or project team’s notebooks) being discarded by maintenance staff, put directly in the trash, or sold as scrap.

Equipment considered obsolete (e.g., a five year old server in good condition) sold to recoup part of the investment, or donated to enhance business image.

In these situations, how would someone ensure that document/equipment recovery or reuse would not provide information that may compromise business activities or people’s privacy? In an Internet search, you can find cases where improper disposal of assets and documents was the root cause of the incident:

  • An organization’s hard drives were sold on the Internet containing thousands of confidential documents, employee names, Social Security Numbers, and confidential memos to the CEO
  • A disposed computer in a university contained names, social security numbers, and financial aid information of thousands of students
  • An organization was using recycled paper containing credit, debit card, and personal information, potentially exposing thousands of records

Fortunately, ISO 27001 can provide some orientation and guidance on how to securely dispose of media and assets in ways which minimize the risks of exposing compromising information.


Confidential information

An important input for media disposal is information classification.

A lot of companies classify their information, because not all media have the same information, and not all of the information has the same value for the business. For example, there is a big difference between a USB pen drive containing a PDF file with a presentation of the business (which can be considered public information), and a USB pen drive containing the company’s database of clients (which can be considered confidential).

So, we need to classify the information, and in Annex A of ISO 27001 we have the control A.8.2.1 Classification of information, which can help us for this purpose. You can find more information about this here: Information classification according to ISO 27001.

Obviously, if the information is public, we can share it in the public domain, because there is not a risk of confidential information leakage.

But, if the information is not public (confidential, restricted, internal, etc.), we need to store and dispose of it in a secure way, because it can carry a risk of confidential information leakage, which can destroy the business, as well as showing noncompliance with legal regulations (like the GDPR).

Why bother with secure media disposal?

Besides handling confidential information securely, there are other reasons for secure asset and media disposal. They may appear to be simple activities, since we generally only dispose of things that we deem no longer needed or not valuable. However, thinking about environmental recycling activities, you can see that what is worthless to someone can be highly valuable to someone else.

The same applies to information. Some piece of information we consider not valuable can lead a competitor to gain a business advantage, a criminal to explore an organization’s weaknesses or, worse, cause damage to a customer or person’s life by using personal or private information to commit a crime posing as those persons. No less important, in some cases clients and potential business partners ask for a hard drive destruction certificate.

ISO 27001 controls and ISO 27002 recommendations

With the objective to protect a business’ relevant information during its entire lifecycle, ISO 27001 provides two specific controls related to information disposal:

  • Whenever a media shall be discarded, the use of procedures should be considered to ensure proper information disposal (control A.8.3.2 – Disposal of media).
  • Equipment containing storage media shall be verified to ensure it is free of sensitive information prior to disposal or re-use (control A.11.2.7 – Secure disposal or reuse of equipment).

As other forms of control, secure disposal should be supported by an organizational policy.

Media disposal

Regarding media disposal, ISO 27002 recommendations can be summarized as follows:

Disposal procedures should be proportional to the information classification levelThe higher the classification, the greater assurance that information cannot be retrieved after disposal. Shredding or incineration of the media, or data overwritten, are examples of good practices.

Clear identification of Information that will require secure disposal: By the use of watermark, or colored border, it is easier for someone to identify the information that should be securely disposed.

Dispose media mixing different types: The greater the mix of different items (e.g., CD’s, HDD’s, paper, etc.) the harder is to recover a specific media, and more secure.

Control access to accumulated media for disposal: A large quantity of non-sensitive information together can make it possible to retrieve sensitive information (aggregation effect). E.g., a great number of old published market reports put together may allow someone to figure out a trend related to a sensitive market strategy. Think about defining a short accumulation period or small storage volume to execute the disposal procedures.

Keep traceability of sensitive disposed items: To ensure the items were properly disposed, you should keep log information listing, at a minimum, who performed the procedure, when, and what method was used.

Media disposal | Secure disposal of data & equipment | ISO 27001

Equipment reuse or disposal

While the control A.8.3.2 deals with the information and the media where it is stored, the control A.11.2.7 is directed to the proper handling of equipment that makes use of the media, since sometimes it requires more specialized knowledge to access media or to protect it. Here is a compilation of ISO 27002 recommendations for these controls:

Equipment verification prior to disposal or re-use: You should verify whether or not storage media is contained within the equipment (e.g., hard drive or memory chips). You could use a disposal checklist to ensure critical elements are verified.

Use of non-retrievable methods: Physical destruction (e.g., by grinding or shredding) or overwriting techniques, with specific or generic patterns, should be used to perform disposal of highly sensitive information.

Evaluation of damaged equipment: Sometimes damaged devices need to be sent to external parties to be repaired. In these situations, the device should be assessed for sensitive data to determine whether the items should be physically destroyed rather than sent for repair or discarded. ISO 31010 presents a good list of risk assessment techniques which can be used.

Use of third parties

Sometimes the volume of items, or the technical requirements for disposal, makes the use of specialized organizations a good option, but care should be taken in selecting a suitable organization. Criteria you should consider are how it manages its security, disposal methods used and experience with your industry. Be sure to include all this in the service contract. For additional recommendations, read 6-step process for handling supplier security according to ISO 27001.

5 tips for media disposal

Let’s see an easy example of how to treat the risk of compromising sensitive information on media. You have an asset, which is, for example, a hard drive containing confidential information about the business. This hard drive was installed on an information system (a server), but you decided to move the information to another information system, e.g., to another server or to the cloud.

For the treatment of this risk, you can reduce it by implementing ISO 27001 control A.8.3.2 Disposal of media, and here are some best practices to implement this security control:

  • Physically destroy the media. You can do this, for example, by incineration or shredding, etc. This physical destruction is also applicable to damaged devices. But, be careful, because a damaged media device can also have sensitive information that could be restored, so to avoid this, you should destroy it physically.
  • Securely delete the information. There are software tools that you can use to overwrite the information, or to delete it in a secure way.
  • Select an external party. There are a lot of companies providing the service of destruction of your media, but here you need to take care with the selection of the provider by defining a non-disclosure agreement.
  • Avoid the aggregation effect. It is better if you avoid having a lot of media containing non-sensitive information, because something within the group could become sensitive information.
  • Register the disposal: Registering the disposal provides you with useful information for audit trails (what media has been destroyed, or what media is reusable, etc.).

Hard drive disposal example

Finally, here is a hard drive disposal example – easy and free to perform.

  1. Encrypt the entire hard disk, using a strong algorithm and using a lengthy password.
  2. Delete all the information in a secure way, using software solutions (there are a lot of free solutions).
  3. Physically destroy the media device (incineration or shredding, etc.).

In reality, this method would only be applicable to the most critical and sensitive data, and for data with less criticality, only one of these methods will be enough.

To learn how to implement disposal and other security controls from ISO 27001 Annex A, and to get all the required policies and procedures, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Advisera Antonio Jose Segovia
Author
Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.
Advisera Rhand Leal
Contributor
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.