This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.7.14 Secure disposal or re-use of equipment.
ISO 27001: 2022 Control Description
Items of equipment containing storage media shall be verified to en sure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Purpose
To prevent the leakage of information from equipment that is being disposed of or reused.
Guidance on implementation
Follow these steps to ensure that sensitive data and licensed software are properly handled before disposing of or reusing equipment:
- Check for Storage Media: Verify if the equipment contains any storage media before disposal or reuse.
- Handle Confidential Information: If the storage media holds confidential or copyrighted information:
- Physically destroy the media, or
- Use methods to destroy, delete, or overwrite the information so that it is non-retrievable. Avoid simply using the standard delete function. For detailed guidance, refer to Control A.7.10 Storage media and Control A.8.10 Information deletion.
- Remove Labels and Markings: Before disposing of, reselling, or donating equipment, remove any labels or markings that identify the organisation or indicate the classification, owner, system, or network.
- Consider Security Control Removal: Evaluate whether to remove security controls, such as access controls or surveillance equipment, at the end of a lease or when moving out of premises. This depends on:
- The lease agreement, which may require returning the facility to its original condition,
- The risk of leaving sensitive information on systems for the next tenant (e.g., user access lists, video or image files),
- The potential for reusing the controls at the new location.
Additional Information
- Risk Assessment for Damaged Equipment: Conduct a risk assessment on damaged equipment with storage media to decide if it should be physically destroyed instead of repaired or discarded.
- Encryption for Added Security: Besides secure disk deletion, full-disk encryption can help reduce the risk of disclosing confidential information when equipment is disposed of or redeployed, provided:
- The encryption is strong and covers the entire disk, including slack space and swap files,
- Cryptographic keys are long enough to withstand brute force attacks,
- Cryptographic keys are kept confidential and not stored on the same disk.
- Secure Overwriting Techniques: Techniques for securely overwriting storage media vary by technology and information classification level. Ensure that overwriting tools are suitable for the technology used in the storage media.
.