ISO 27001 Annex A 7.9, Physical Asset Disposal or Re-use, is a critical security control that requires forensic media sanitisation and, where sanitisation fails, physical destruction. Its primary implementation requirement is verifying that all storage media is unrecoverable; the business benefit is preventing data leaks during decommissioning.
ISO 27001 Annex A Physical Asset Disposal or Re-use Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.9. This control demands a rigorous, evidence-based process for ensuring that all physical assets containing storage media are rendered unrecoverable before they leave your organisation’s control, whether for scrap, resale, or donation.
1. Establish a Verified Disposal Inventory
Control Requirement: Items of equipment containing storage media must be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.
Required Implementation Step: Physically tag every asset destined for disposal with a unique ID and log it in a “Disposal Queue” register. Do not rely on a GRC dashboard; walk the server room and storage cupboards to reconcile serial numbers against your master asset register to ensure no device is “lost” in the process.
Minimum Requirement: A serial-matched list of all hardware currently pending disposal or re-use.
2. Execute Physical Removal of Storage Media
Control Requirement: Storage media must be handled separately from the chassis if the chassis is being re-used or sold.
Required Implementation Step: Open the chassis of every laptop, server, or photocopier and physically remove the HDDs, SSDs, or NVMe drives. If the equipment is being re-used internally for a lower-security role, the media must still be removed and replaced with a fresh, blank drive to ensure no data residue remains.
Minimum Requirement: Documented verification that the storage medium was physically detached from the host device.
3. Perform Forensic-Level Data Sanitisation
Control Requirement: Data must be made unrecoverable using recognised sanitisation standards.
Required Implementation Step: Use a hardware-based “wiper” or certified software (e.g. Blancco or WhiteCanyon) to perform a multi-pass overwrite (NIST 800-88 Purge) of the media. Standard OS “formatting” is insufficient; you must generate a technical log proving every sector was overwritten.
Minimum Requirement: A software-generated sanitisation report for every drive, matched to its serial number.
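The “technical log proving every sector was overwritten” is produced by reading the media back, not by trusting the wipe tool’s exit code. The following is an added example, not the checklist’s own tooling and not a product of any vendor named above: it reads an image sector by sector, lists the first sectors that still hold residue, and emits a serial-matched record. The image path, `SECTOR` size and sample serials are assumptions; the residue is constructed.

```python
# Added example: read-back verification of an overwritten drive image, producing
# one serial-matched record per drive. It verifies; it does not perform the wipe.
import os
import tempfile

SECTOR = 512  # assumed logical sector size; use the drive's real value in practice


def unwiped_sectors(path, fill=b"\x00", limit=20):
    """Return byte offsets of sectors whose contents are not entirely `fill`.
    Stops after `limit` hits so an unwiped drive does not yield a huge report."""
    expected = fill * SECTOR
    bad = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(SECTOR)
            if not chunk:
                break
            if chunk != expected[: len(chunk)]:
                bad.append(offset)
                if len(bad) >= limit:
                    break
            offset += len(chunk)
    return bad


def sanitisation_record(serial, path, fill=b"\x00"):
    """Log entry for the disposal register: a failed read-back means the drive
    goes to physical destruction (step 4) instead of leaving as 'wiped'."""
    bad = unwiped_sectors(path, fill)
    return {
        "serial": serial,
        "bytes_checked": os.path.getsize(path),
        "verdict": "PURGE-VERIFIED" if not bad else "FAILED-DESTROY",
        "first_unwiped_offsets": bad,
    }


def make_image(content):
    """Constructed sample image standing in for a block device; written to a temp file."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    clean = make_image(b"\x00" * SECTOR * 8)
    residue = b"CONSTRUCTED-RESIDUE"
    dirty = make_image(b"\x00" * SECTOR * 3 + residue + b"\x00" * (SECTOR * 5 - len(residue)))
    print(sanitisation_record("SN-CLEAN-01", clean))
    print(sanitisation_record("SN-DIRTY-02", dirty))
```

Reading back logical sectors proves nothing about an SSD’s remapped or over-provisioned NAND, so for flash media the vendor secure-erase or cryptographic-erase path in NIST 800-88 is the reliable route and this check is only a supplement.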
4. Mandate Physical Destruction for Failed Media
Control Requirement: Media that cannot be successfully overwritten must be physically destroyed.
Required Implementation Step: If a drive fails the sanitisation process due to bad sectors or controller failure, it must be physically destroyed. Use an on-site industrial shredder or a hydraulic punch to ensure the platters or NAND chips are rendered into fragments smaller than 2 mm.
Minimum Requirement: Physical evidence (photographs or witness logs) of destroyed media that failed software wiping.
5. Verify Removal of Proprietary Markings
Control Requirement: Organisational identifiers must be removed from the hardware.
Required Implementation Step: Physically scrape off all asset tags, company stickers, and permanent marker notations from the exterior of the equipment. If the device is sold or donated, it must not be traceable back to your organisation through its external markings; this reduces the risk of targeted social engineering if the device is later recovered by a third party.
Minimum Requirement: Visual inspection of the chassis to ensure zero corporate branding remains.
6. Perform a Factory Reset on Embedded Systems
Control Requirement: Configuration data and credentials in non-volatile memory must be cleared.
Required Implementation Step: For networking gear (routers, switches, firewalls) and IoT devices, execute a full “factory default” reset via the CLI. Manually verify that local usernames, VPN certificates, and pre-shared keys are purged from the NVRAM before the device leaves the rack.
Minimum Requirement: A console output log showing the “write erase” or “factory-reset” command execution.
7. Secure the Chain of Custody for Transit
Control Requirement: Assets must be protected during transit to a disposal site.
Required Implementation Step: Place all decommissioned assets in a locked, tamper-evident container or a dedicated secure “caged” area while awaiting collection. If using a third-party disposal firm, require a signed “Transfer of Liability” document at the point of physical handover, listing every serial number being collected.
Minimum Requirement: A signed manifest from the courier or disposal agent matching the disposal inventory serial numbers.
8. Collect Third-Party Certificates of Destruction
Control Requirement: Verification of disposal must be obtained from external service providers.
Required Implementation Step: Do not just take the vendor’s word. For every batch of equipment sent for scrap, demand an individual “Certificate of Destruction” (CoD) that explicitly lists the serial numbers of the drives processed. Reconcile this CoD against your initial disposal inventory to close the loop.
Minimum Requirement: A legally binding CoD from an ADISA or similarly accredited disposal partner.
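Closing the loop means every serial in the disposal queue (step 1) has either a passing sanitisation report (step 3) or destruction evidence (step 4), appears on the signed transit manifest (step 7), and appears on the CoD (step 8), with nothing on the CoD that was never yours. The following added example, not the checklist’s own tooling, performs that reconciliation over constructed registers; the serial numbers and the “PURGED”/“FAILED” outcome labels are assumptions.

```python
# Added example: serial-level reconciliation across the disposal registers.
# All five registers below are constructed sample data.
DISPOSAL_QUEUE = {"SN-A1", "SN-B2", "SN-C3", "SN-D4", "SN-E5"}      # step 1
WIPE_REPORTS = {                                                      # step 3
    "SN-A1": "PURGED", "SN-B2": "FAILED", "SN-C3": "FAILED", "SN-E5": "PURGED",
}
DESTRUCTION_EVIDENCE = {"SN-C3"}                                      # step 4: shred photo / witness log
COURIER_MANIFEST = {"SN-A1", "SN-B2", "SN-C3", "SN-D4"}               # step 7: signed handover list
VENDOR_COD = {"SN-A1", "SN-B2", "SN-C3", "SN-E5", "SN-Z9"}            # step 8: SN-Z9 was never ours


def reconcile(queue, wipe_reports, destroyed, manifest, cod):
    """Return (serial, finding) pairs; an empty list means the batch is closed."""
    findings = []
    for sn in sorted(queue):
        outcome = wipe_reports.get(sn)
        if outcome is None and sn not in destroyed:
            findings.append((sn, "no sanitisation report or destruction evidence"))
        elif outcome == "FAILED" and sn not in destroyed:
            findings.append((sn, "wipe failed but no physical destruction evidence"))
        if sn not in manifest:
            findings.append((sn, "not on signed transit manifest"))
        if sn not in cod:
            findings.append((sn, "not listed on Certificate of Destruction"))
    # A CoD or manifest naming serials you never handed over is itself a red flag:
    # it suggests a batch-level certificate rather than per-drive verification.
    for sn in sorted((manifest | cod) - queue):
        findings.append((sn, "on manifest/CoD but never in disposal queue"))
    return findings


def batch_closed(findings):
    """True only when every serial is accounted for end to end."""
    return not findings


if __name__ == "__main__":
    for sn, issue in reconcile(DISPOSAL_QUEUE, WIPE_REPORTS, DESTRUCTION_EVIDENCE,
                               COURIER_MANIFEST, VENDOR_COD):
        print(f"{sn}: {issue}")
```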
9. Review Licensed Software Removal
Control Requirement: Licensed software must be uninstalled to prevent unauthorised re-use.
Required Implementation Step: Before an asset is cleared for re-use or disposal, verify that all proprietary software licences have been deactivated and uninstalled. This prevents legal liability and ensures that subscription-based agents (e.g. EDR, MDM) do not continue to report “active” for a device that is no longer in your possession.
Minimum Requirement: A “Clean” status in your software asset management (SAM) tool for the decommissioned asset.
10. Conduct Annual Disposal Process Audits
Control Requirement: The disposal process must be periodically reviewed for effectiveness.
Required Implementation Step: Perform a “dumpster dive” audit once a year. Randomly inspect your scrap bins or the “pending disposal” pile to ensure no un-wiped drives or sensitive documents have been accidentally discarded. Document the findings and update the staff training if lapses are found.
Minimum Requirement: An internal audit report verifying that the physical disposal reality matches the written procedure.
ISO 27001 Annex A 7.9 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Media Sanitisation | Ticking “Yes” to “Are drives wiped?”. | A “Yes” doesn’t prove anything. You need the NIST-compliant overwrite log for that specific serial number. |
| Physical Verification | Assuming the asset is gone because it was deleted in the GRC tool. | Assets often sit in “disposal piles” for months. If that pile isn’t in a locked room, you have a live breach risk. |
| Chain of Custody | Uploading a generic contract with a disposal firm. | The contract is a promise; the signed manifest is the proof. GRC tools rarely track individual shipment manifests. |
| Embedded Data | Ignoring printers, switches, and UPS management cards. | These devices store credentials. GRC asset lists often only focus on “Laptops” and “Servers,” leaving network secrets exposed. |
| Destruction Evidence | Storing a single CoD for a batch of “100 items”. | If 99 were crushed and 1 was stolen, a “batch” certificate is a lie. You need serial-level verification to be 27001-compliant. |
| Marking Removal | Recording that “Assets are de-branded”. | An asset tag with your company name is a gift to a social engineer. Physical scraping of labels is a manual task no software can do. |
| Internal Re-use | Assuming internal transfer doesn’t need a wipe. | Moving a PC from HR to Marketing without a wipe is an internal data leak. The GRC “status” change doesn’t clear the disk. |