The basics
ISO 27001 control A.7.14 Secure disposal or re-use of equipment requires companies to ensure that sensitive data stored on equipment is removed, or made impossible to recover, before that equipment is disposed of or re-used.
Documentation
ISO 27001 control A.7.14 Secure disposal or re-use of equipment can be documented by writing:
- For small companies: through a Security Procedures for IT Department.
- For mid-size and large companies: by using a Disposal and Destruction Policy.
These documents are not mandatory but are recommended.
Implementation
In order to comply with control A.7.14 Secure disposal or re-use of equipment you might implement the following:
- Technology — the technology needed to securely dispose of or re-use equipment will in most cases already be available in the company. Companies of all sizes will probably be able to securely dispose of or re-use equipment by using wiping software to overwrite the data, or by using drills to physically destroy the storage/memory chips in the equipment.
- Organization/processes — you should set up a process for deleting data on media, destroying media and equipment that will no longer be used, as well as preparing media and equipment that will be used again. You can document those processes through a Security Procedures for IT Department or a Disposal and Destruction Policy.
- People — make employees aware of why deletion of data from assets before they are destroyed or re-used is needed, and train them on how to ensure information is properly deleted from their devices intended for disposal or re-use.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.7.14 Secure disposal or re-use of equipment: that sensitive data was permanently deleted prior to equipment disposal or re-use.
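The Technology bullet above mentions wiping software that overwrites data, and the audit section asks for evidence that the data was permanently deleted. The following is an added example, not code from the page or from any ISO 27001 toolkit: it overwrites a target in place (random passes, then a zero pass), reads it back to verify that nothing but zeros remains and that a known plaintext marker is gone, and produces a timestamped record of the wipe that can be kept as evidence. The function names, the asset identifier "ASSET-0001" and the marker string are assumptions constructed for this example; the demo runs against a temporary file built inline so it is safe to execute anywhere.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample content standing in for sensitive data on a device.
MARKER = b"CONSTRUCTED-SENSITIVE-RECORD"


def overwrite_in_place(path, passes=3, chunk=1 << 20):
    """Overwrite every byte of `path` in place: random data on all but the
    last pass, zeros on the final pass so the result can be verified.
    Opens the target read/write, so it works on a regular file or (with
    sufficient privileges) on a whole block device such as /dev/sdX.
    Caveat: overwriting a single file is not sufficient on SSDs (wear
    levelling remaps blocks) or on journaling/copy-on-write filesystems;
    for equipment disposal, wipe the whole device or use the drive's
    built-in sanitize / crypto-erase and keep the record of it."""
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)  # also correct for block devices
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                block = b"\x00" * n if p == passes - 1 else os.urandom(n)
                while block:                      # unbuffered write may be partial
                    written = f.write(block)
                    block = block[written:]
                remaining -= n
            os.fsync(f.fileno())                  # force the pass to stable storage
    return size


def read_back_is_zero(path, chunk=1 << 20):
    """Verification read: True only if every byte on the target is zero."""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def contains_marker(path, marker, chunk=1 << 20):
    """Scan the target for residual plaintext, handling matches that
    straddle a chunk boundary."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return False
            if marker in tail + block:
                return True
            tail = block[-(len(marker) - 1):]


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sanitize_and_record(asset_id, path, passes=3):
    """Wipe the target and return an evidence record: what was wiped, how,
    when, and whether the read-back verification succeeded."""
    size = overwrite_in_place(path, passes)
    verified = read_back_is_zero(path) and not contains_marker(path, MARKER)
    return {
        "asset_id": asset_id,                     # hypothetical asset register id
        "target": path,
        "method": f"{passes}-pass overwrite (random passes, then zeros)",
        "bytes_processed": size,
        "verified_zeroed": verified,
        "post_wipe_sha256": sha256_of(path),
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Build a constructed 'device image' holding the marker, wipe it and
    return (record, marker_present_before, marker_present_after)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write((MARKER + b"\n") * 4096 + b"trailing")   # 118792 bytes, not chunk aligned
        path = tmp.name
    try:
        before = contains_marker(path, MARKER)
        record = sanitize_and_record("ASSET-0001", path, passes=3)
        after = contains_marker(path, MARKER)
        return record, before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2), "marker before:", before, "marker after:", after)
```

The record is what an auditor can be shown for this control: the asset, the method, the size processed, the read-back result and the time, signed off by whoever ran it. The read-back step matters more than the pass count; a wipe that is never verified is a procedure, not evidence.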