AuditFront

ISO 27001 A.7.14: Secure disposal or re-use of equipment

What This Control Requires

Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

In Plain Language

That old server sitting in the corner waiting to be recycled? It still has client data on the drives. The multifunction printer being returned at the end of a lease? It has a hard drive full of every document anyone printed, scanned, or copied. Disposing of equipment without properly wiping it is one of the most common ways organisations accidentally leak sensitive data. Deleting files or formatting a drive does not actually remove the data - it just marks the space as available. Anyone with free recovery software can pull back deleted files in minutes. Proper sanitisation requires cryptographic erasure, degaussing, certified multi-pass overwriting, or physical destruction, depending on the media type and how sensitive the data is. This applies to disposal, sale, donation, and internal reuse. Reassigning a laptop from one employee to another without wiping it means the new user could access the previous user's files, cached credentials, and browsing history. Auditors will ask to see your disposal records and sanitisation evidence.

How to Implement

Write a secure disposal and reuse policy that defines sanitisation requirements for every equipment type. Align the requirements with information classification and follow a recognised standard such as NIST SP 800-88.

Define approved sanitisation methods by equipment type:

  • HDDs: use certified wiping software that overwrites the entire drive (multiple passes for higher-sensitivity data), degauss with certified equipment, or physically shred or crush the drive.
  • SSDs: use the manufacturer's secure erase function, apply cryptographic erasure (destroy the encryption key), or physically destroy the drive. Standard overwriting is unreliable on SSDs because wear-levelling means the overwrite may never reach every storage cell.
  • Printers and copiers: factory reset to clear internal storage, or remove and destroy the internal hard drive.
  • Mobile devices: ensure the device is encrypted, then factory reset and verify that the reset completed properly.
  • Network equipment: clear all configuration data, including stored credentials, certificates, and VPN keys.

Set up a clear disposal workflow:

  • Raise a disposal request with the equipment identifier, reason for disposal, and data classification.
  • Confirm all data has been backed up or migrated before sanitisation begins.
  • Perform sanitisation using the approved method.
  • Verify success with a verification tool that reads the media back - do not just trust that the wipe worked.
  • Document everything: method used, date, who did it, and the verification result.
  • Update the asset register to reflect the disposal.

For third-party disposal, choose reputable providers with certifications such as ADISA or NAID. Put security requirements in the contract. Require destruction certificates for every item. Audit your disposal provider periodically. Decide whether the risk warrants on-site destruction or whether off-site processing is acceptable given the provider's controls.

Do not forget software licences. Recover and reassign licences where permitted. Remove licence keys and deactivate registrations. Follow the software vendor's terms regarding transfer or disposal.
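The "verify, then document" steps of the workflow above, as an added example that is not AuditFront's code: it reads a sanitised image (or block device) back to confirm every byte matches the fill pattern, reports the first offset holding residual data if any, and builds the record an auditor would ask for. It assumes the approved method was a full single-pattern overwrite; the asset id and operator name are placeholders, and the two sample images are constructed inline.

```python
"""Read-back verification of sanitised media and the record to file for it.
Added example, not AuditFront's code; asset id and operator are placeholders.
Assumes a full overwrite with one fill byte; `path` may be a block device."""
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so whole drives fit in memory

def verify_overwritten(path, fill=0x00, chunk=CHUNK):
    """Read every byte back and confirm it equals `fill`.
    Returns (ok, first_bad_offset, bytes_read); a single residual byte fails."""
    expected = bytes([fill]) * chunk
    read = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return True, None, read
            if block != expected[: len(block)]:
                bad = read + next(i for i, b in enumerate(block) if b != fill)
                return False, bad, bad
            read += len(block)

def sanitisation_record(asset_id, method, operator, path, fill=0x00):
    """Evidence entry an auditor asks for: method, date, who, verification result."""
    ok, bad, size = verify_overwritten(path, fill)
    return {
        "asset_id": asset_id, "method": method, "operator": operator,
        "date": datetime.now(timezone.utc).isoformat(),
        "bytes_verified": size,
        "verification": "PASS" if ok else f"FAIL: residual data at offset {bad}",
    }

def build_sample_images():
    """Constructed test media: one fully zeroed image, one with leftover data."""
    d = tempfile.mkdtemp()
    wiped, leftover = os.path.join(d, "wiped.img"), os.path.join(d, "leftover.img")
    with open(wiped, "wb") as f:
        f.write(b"\x00" * (3 * CHUNK + 17))
    with open(leftover, "wb") as f:  # 'client-data' survives at offset CHUNK
        f.write(b"\x00" * CHUNK + b"client-data" + b"\x00" * CHUNK)
    return wiped, leftover

if __name__ == "__main__":
    for p in build_sample_images():
        print(sanitisation_record("ASSET-0001", "overwrite", "placeholder-operator", p))
```

A full read-back of real media takes as long as the wipe itself; budget for it rather than sampling a few sectors and calling the drive clean.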

Evidence Your Auditor Will Request

  • Secure disposal and reuse policy with defined sanitisation methods
  • Sanitisation records for recently disposed or repurposed equipment
  • Destruction certificates from third-party disposal providers
  • Asset register updates reflecting equipment disposal
  • Verification records confirming successful data sanitisation

Common Mistakes

  • Equipment is disposed of without any data sanitisation
  • Simple formatting is used instead of secure data destruction methods
  • Printers and copiers are returned or sold without clearing internal storage
  • No destruction certificates are obtained from third-party disposal services
  • Asset register is not updated to reflect equipment disposal

Related Controls Across Frameworks

Framework   Control ID     Relationship
SOC 2       CC6.5          Equivalent
GDPR        Art.5(1)(e)    Related
GDPR        Art.17         Partial overlap

Frequently Asked Questions

Is it better to wipe drives or physically destroy them?

If the hardware has value and you want to reuse or sell it, certified wiping is perfectly fine for most data. If the equipment is end-of-life and held highly sensitive data, physical destruction gives you the highest assurance - there is no question about whether the wipe reached every sector. For SSDs specifically, physical destruction is often the safest bet for sensitive data because wiping may not reach all storage cells due to wear-levelling. The decision comes down to data sensitivity versus hardware reuse value.

Do printers and copiers really store sensitive data?

Absolutely, and this catches a lot of organisations off guard. Most modern multifunction printers have internal hard drives that store copies of everything printed, scanned, copied, and faxed. When you return a leased printer or sell an old one, that drive goes with it. There have been real cases of journalists buying used copiers and recovering thousands of sensitive documents. Always clear internal storage before disposing of or returning any printer or copier. Most manufacturers provide secure erase utilities for their devices.
