
    ISO 27001 & ISO 22301 Blog

    5 practical tips for media disposal according to ISO 27001

    Today, removable media are less common than they were some years ago, because the current trend is the cloud, although plenty of people still use pen drives, external hard drives, etc. And, of course, all the information in the cloud is ultimately stored on a server, i.e., on its hard disks, which are also storage media. As you will see later in the article, media need to be disposed of securely whether they sit in your office or in a data center.

    ISO 27001 is the international standard for information security management, and we will see how this standard can help us with the disposal of media.

    First, let’s identify what media we need to take care of, as well as why and how we can securely dispose of them.

    What are media?

    Taking into consideration that, in ISO 27001, the most important thing is the information, we need to take care of the media that we are using to store the information. But, what do I mean by “media”?

    Generally, in this context, a medium is a device that is used for storing information, so media would include internal hard drives, SSDs, USB pen drives, external hard drives, memory cards, backup tapes, CDs, DVDs, etc.

    Confidential information

    A lot of companies have a method for the classification of their information, because not all media hold the same information, and not all information has the same value for the business. For example, there is a big difference between a USB pen drive containing a PDF file with a presentation of the business (which can be considered public information), and a USB pen drive containing the company’s database of clients (which must be considered confidential).

    So, we need to classify the information, and in Annex A of ISO 27001 we have the control A.8.2.1 Classification of information, which can help us for this purpose. You can find more information about this here: Information classification according to ISO 27001.

    Obviously, if the information is public, we can publish it freely, because there is no risk of confidential information leakage.

    But, if the information is not public (confidential, restricted, internal, etc.), we need to store and dispose of it in a secure way, because it carries a risk of confidential information leakage, which can destroy the business, as well as showing noncompliance with legal regulations (like the GDPR, where a leaked medium containing personal data is a notifiable breach).

    5 tips for disposing of media

    If you have a media device storing information classified as confidential (or any other critical level for the business), as we have seen previously, there are risks related to it. The good news is that you can manage this risk, using a risk assessment and treatment methodology. This article might be interesting for you: ISO 27001 risk assessment & treatment – 6 basic steps.

    Let’s see a simple example of how to treat this risk. You have an asset, which is, for example, a hard drive containing confidential information about the business. This hard drive was installed in an information system (a server), but you decided to move the information to another information system, e.g., to another server or to the cloud. The original hard drive will be reused for another purpose and, after copying all the data, you need to take care of the original information, which must not be accessible to unauthorized people.

    For the treatment of this risk, you can reduce it by implementing ISO 27001 control A.8.3.2 Disposal of media, and here are some common ways to implement this security control:

    1. Physically destroy the media. You can do this, for example, by incineration, shredding, degaussing (magnetic media only), etc. Physical destruction is also the right answer for damaged devices: a medium that no longer mounts can still hold sensitive information that a data-recovery lab could restore, so do not simply throw it away – destroy it.
    2. Securely delete the information. There are software tools that overwrite the whole medium so that the original content is gone. Be careful with the type of medium: overwriting is reliable on magnetic hard disks, but on SSDs and other flash memory the controller remaps and over-provisions blocks, so copies of the data can survive an overwrite that looks complete from the operating system. For flash, use the drive’s own sanitization command (ATA Secure Erase, NVMe Format with secure erase) instead of, or in addition to, overwriting, and always verify the result before the medium leaves your control.
    3. Select an external party. There are a lot of companies providing the service of destroying your media, but here you need to take care with the selection of the provider: define a non-disclosure agreement, agree on the destruction method, keep a chain of custody for the media while they are in transit, and ask for a certificate of destruction that lists each medium by serial number.
    4. Avoid the aggregation effect. It is better if you avoid keeping a lot of media containing non-sensitive information, because pieces of information that are harmless on their own can become sensitive when they are collected together (for example, many partial exports that, combined, reconstruct a full client list).
    5. Register the disposal. Registering the disposal provides you with useful evidence for audit trails: which medium (asset identifier and serial number) was destroyed or sanitized, when, by which method, by whom, and what is left to do (e.g., the medium is wiped and reusable, or wiped and awaiting physical destruction).

    My preferred method

    I have left the best for the end: now that you know the common ways of disposing of media, I will tell you about my favorite method.

    As a Lead Auditor, I have audited a lot of companies around the world, and I have seen companies deleting information and disposing of media using proprietary software solutions, which, in some cases, are expensive. In other cases, companies select external providers that are experts in the disposal service, but this also has a cost.

    My preferred method is easy and free:

    1. Encrypt the entire hard disk, using full-disk encryption with a strong algorithm (e.g., AES-256 with LUKS or VeraCrypt, both free) and a long passphrase that you then discard. Encrypting a disk that already holds plaintext re-encrypts every sector in place, so this step is itself a full overwrite of the data; ideally the disk was encrypted from the day it was put into service, in which case destroying the key alone (crypto-erase) already makes the data unreadable.
    2. Delete all the information in a secure way, using software solutions (there are a lot of free solutions). The same caveat as above applies: on SSDs, prefer the drive’s own secure-erase command to a host-side overwrite.
    3. Physically destroy the media device (incineration, shredding, etc.).

    In reality, this method would only be applicable to the most critical and sensitive data, and for data with less criticality, only one of these methods will be enough.
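    The following script is an added example and not code from the article or its author: it performs a file-backed dry run of tip 2 (secure deletion), tip 5 (registering the disposal) and the overwrite-then-log part of the preferred method. The "medium" is an ordinary file so that it runs without root and never touches real hardware; on a real device you would point it at the block device and run it as root. The asset identifiers, the CSV log layout and the operator name are assumptions made for the example, and the HDD-versus-SSD decision is shown as a function of the Linux "rotational" flag so that the caveat about flash media is encoded rather than left to memory.

```shell
#!/bin/sh
# Added example (not from the original article): dry run of secure deletion
# plus a disposal record, on a file standing in for a decommissioned disk.
# Asset names, the CSV log format and the operator are assumptions.
set -eu

# Pick a sanitisation method from the Linux "rotational" flag, which the
# kernel exposes at /sys/block/<dev>/queue/rotational (1 = HDD, 0 = flash).
# A host-side overwrite is only trustworthy on magnetic media: flash
# controllers remap and over-provision blocks, so copies can survive an
# overwrite that looks complete from the host. Flash needs the drive's
# own erase command (hdparm --security-erase, blkdiscard -s, nvme format -s 1).
choose_method() {
  case "$1" in
    1) echo overwrite ;;
    0) echo secure-erase ;;
    *) echo unknown; return 1 ;;
  esac
}

# Overwrite the whole medium in place: one pass of random data, one of zeros.
# A shell redirection writes identically to a regular file and to a block
# device (the size is taken from the medium, so nothing is written past it).
overwrite_medium() {
  size=$(( $(wc -c < "$1") ))
  head -c "$size" /dev/urandom > "$1"
  head -c "$size" /dev/zero    > "$1"
}

# Succeed only if the known marker text is gone AND every byte is zero;
# "the tool said it finished" is not verification, reading the medium is.
verify_wiped() {
  if grep -q "$2" "$1"; then return 1; fi
  [ $(( $(tr -d '\000' < "$1" | wc -c) )) -eq 0 ]
}

# Hash of the medium's final state, kept as evidence for the auditor.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Append one audit-trail record: when, which asset, what was done, by whom,
# and the hash of the wiped medium. Columns: timestamp,asset,method,operator,sha256
register_disposal() {
  medium=$1; asset=$2; method=$3; operator=$4; log=$5
  printf '%s,%s,%s,%s,%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$asset" "$method" "$operator" \
    "$(sha256_of "$medium")" >> "$log"
}

# Demo: a 64 KiB image standing in for an HDD (rotational = 1) that held
# a constructed "confidential" record. Prints the resulting log line.
run_demo() {
  img=$(mktemp); log=$(mktemp)
  { printf 'CONFIDENTIAL client database export'; head -c 65500 /dev/zero; } > "$img"
  method=$(choose_method 1)
  [ "$method" = overwrite ] && overwrite_medium "$img"
  verify_wiped "$img" CONFIDENTIAL || { echo "wipe verification FAILED"; return 1; }
  register_disposal "$img" HDD-SN-0001 "$method" "a.segovia" "$log"
  cat "$log"
  rm -f "$img" "$log"
}

run_demo
```

    For an SSD, choose_method returns secure-erase and the overwrite branch is skipped; the disposal record is written in the same way once the drive’s erase command has completed and the medium has been read back. Physical destruction (step 3 of the preferred method) is recorded in the same log as a later entry rather than scripted.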

    Keep calm and sleep well

    If you perform all of these steps adequately and verify each one, recovering the information becomes practically infeasible – so you can keep calm and sleep well.

    ISO 27001 can be a good tool for the secure disposal of media containing confidential information, because it can help you identify the risks, treat them, and implement security controls to dispose of the media in a secure way. So, if you want to keep calm, use ISO 27001 as a tool, and remember my preferred method for the disposal!

    Use this free online training ISO 27001:2013 Foundations Course to learn more about Annex A controls about asset management and physical security.

    Antonio Jose Segovia
    Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.