Secure Disposal or Re-use of Equipment - ISO 27001 Annex A Control

ISO 27001 Annex A 7.14

Equipment leaving the building must not take recoverable data with it.

ISO 27001 Annex A 7.14 - Secure Disposal or Re-use of Equipment

Disposal is where many organisations have historically leaked data. A laptop sold on or recycled with the original drive still contains everything it ever held. A printer with a hard disk passes its print history on to whoever receives it next. Even equipment that staff "wiped" themselves often contains recoverable data because operating-system delete functions do not actually erase the underlying storage.

The control closes this gap. Before equipment leaves the organisation - through disposal, sale, donation, return to a lease company, or warranty replacement - any storage media in it needs to be either removed or securely sanitised. The sanitisation needs to be verified and the verification evidenced, so the organisation can demonstrate the disposal was handled properly.

The same logic applies to internal re-use. A laptop being reissued from one staff member to another should be properly sanitised first, not just have its files deleted. This protects against accidental disclosure between staff and ensures the new user starts from a clean baseline rather than inheriting the previous user's settings, history and residual data.

The audit test is straightforward - I will ask for the disposal records for a sample of recently disposed equipment. The records should show what was disposed, when, by whom, and what method was used to sanitise the storage. Certificates from a destruction supplier are the strongest evidence. "We wiped it ourselves" without records is the weakest. Without evidence, the audit cannot conclude the control is operating.

For us the disposal process goes through a single approved supplier who provides on-site destruction or witnessed off-site destruction with certificates per device. The certificates name the device serial number, the destruction method, and the date. We retain the certificates against the equipment register entries so the audit trail is complete from acquisition to disposal.

Practical Compliance Guidance

Disposal arrangements are described in the IMS1 Manual in Section 8.3 on IT equipment alongside the Physical Security Policy. The equipment register tracks disposal events and the supporting certificates.

alphaZ document - ISO 27001 Toolkit
How to use it - The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Either physical destruction (shredding for hard drives and SSDs, degaussing for magnetic media) or certified sanitisation following a recognised standard. Hard drives can be wiped or shredded; SSDs and flash media typically need cryptographic erase or physical destruction because a standard overwrite is unreliable on solid-state media. The chosen method should be documented in the policy and matched to the media type.

For most organisations, yes. A certified supplier provides destruction certificates per device, handles WEEE compliance, and offers the option of on-site or witnessed destruction for the most sensitive equipment. The cost is generally modest compared with the assurance gained. Internal disposal is workable for low-volume situations, but the evidence trail tends to be weaker.

The lease return is still a disposal from a data perspective. The equipment will leave the organisation and the storage may be reused. Sanitisation should happen before return, ideally with evidence retained. Some lease arrangements include a sanitisation service - if so, the contractual arrangements should be clear about the standard applied and the certificate provided.
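The audit test described earlier (records showing what was disposed, when, by whom and by which method, retained against the equipment register) and the media-type rule in the first answer above can be reduced to a reconciliation check that an internal auditor can run before the external audit. The following is an added example written for this page; it is not part of the alphaZ toolkit or the IMS1 Manual. The method names, the media-type-to-method mapping, the record fields and the sample register are constructed assumptions and should be replaced with the organisation's own policy and register export.

```python
"""Reconcile an equipment register against disposal records (added example).

Flags the gaps an auditor would raise: assets marked disposed with no record,
records with missing fields, a sanitisation method the policy does not accept
for that media type, and self-wipes with no destruction certificate.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy mapping (constructed for this example). Overwrite is deliberately
# absent for solid-state media, where a standard overwrite is unreliable.
ACCEPTABLE_METHODS = {
    "hdd":   {"overwrite", "degauss", "shred"},
    "ssd":   {"crypto_erase", "shred"},
    "flash": {"crypto_erase", "shred"},
}

# Fields every disposal record must carry: what, media, how, when, by whom.
REQUIRED_FIELDS = ("serial", "media_type", "method", "disposed_on", "disposed_by")


@dataclass
class DisposalRecord:
    serial: str
    media_type: str
    method: str
    disposed_on: Optional[date]
    disposed_by: str
    certificate_id: Optional[str] = None  # supplier certificate reference, if any


@dataclass
class RegisterEntry:
    serial: str
    status: str  # e.g. "in_use", "disposed"


def check_record(rec: DisposalRecord) -> list:
    """Return audit findings for one disposal record (empty list = no findings)."""
    findings = []
    for name in REQUIRED_FIELDS:
        if not getattr(rec, name):
            findings.append(f"missing {name}")
    allowed = ACCEPTABLE_METHODS.get(rec.media_type)
    if allowed is None:
        findings.append(f"unknown media type '{rec.media_type}'")
    elif rec.method not in allowed:
        findings.append(f"method '{rec.method}' not acceptable for {rec.media_type}")
    if rec.certificate_id is None:
        findings.append("no destruction certificate (self-wipe; weak evidence)")
    return findings


def audit(register: list, records: list) -> dict:
    """Cross-check register against records; returns {serial: [findings]}.

    Every register entry marked 'disposed' must have a disposal record that
    passes check_record, and every record must belong to a registered asset.
    Serials with no findings are omitted from the result.
    """
    by_serial = {r.serial: r for r in records}
    result = {}
    for entry in register:
        if entry.status != "disposed":
            continue
        rec = by_serial.get(entry.serial)
        if rec is None:
            result[entry.serial] = ["marked disposed in register but no disposal record"]
            continue
        findings = check_record(rec)
        if findings:
            result[entry.serial] = findings
    registered = {e.serial for e in register}
    for rec in records:
        if rec.serial not in registered:
            result.setdefault(rec.serial, []).append("disposal record for asset not in register")
    return result


# Constructed sample data: a small register and a handful of disposal records.
SAMPLE_REGISTER = [
    RegisterEntry("LT-1001", "disposed"),
    RegisterEntry("LT-1002", "disposed"),
    RegisterEntry("LT-1003", "disposed"),
    RegisterEntry("LT-1004", "in_use"),
    RegisterEntry("LT-1005", "disposed"),  # no matching record
]
SAMPLE_RECORDS = [
    DisposalRecord("LT-1001", "hdd", "shred", date(2024, 3, 12), "Example Shred Ltd", "CERT-2024-0031"),
    DisposalRecord("LT-1002", "ssd", "overwrite", date(2024, 3, 12), "IT team"),      # wrong method, no cert
    DisposalRecord("LT-1003", "ssd", "crypto_erase", date(2024, 4, 2), "IT team"),    # acceptable, no cert
    DisposalRecord("LT-9999", "hdd", "shred", date(2024, 4, 2), "Example Shred Ltd", "CERT-2024-0040"),  # not registered
]

if __name__ == "__main__":
    for serial, findings in sorted(audit(SAMPLE_REGISTER, SAMPLE_RECORDS).items()):
        print(serial, "->", "; ".join(findings))
```

Run against a CSV export of the real register and supplier certificates, the empty result is the evidence that the control is operating; any non-empty entry is a gap to close before the audit rather than during it.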

UK Legislation

Equipment disposal in the UK has both information security and environmental dimensions. Relevant references include:

Further Resources
