In this ultimate how-to implementation guide to ISO 27001 Annex A 7.9 Physical Asset Disposal or Re-use, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Establish a Verified Disposal Inventory
- 2. Execute Physical Removal of Storage Media
- 3. Perform Forensic-Level Data Sanitisation
- 4. Mandate Physical Destruction for Failed Media
- 5. Verify Removal of Proprietary Markings
- 6. Perform a Factory Reset on Embedded Systems
- 7. Secure the Chain of Custody for Transit
- 8. Collect Third-Party Certificates of Destruction
- 9. Review Licensed Software Removal
- 10. Conduct Annual Disposal Process Audits
- ISO 27001 Annex A 7.9 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 7.9 Physical Asset Disposal or Re-use is a critical security control that requires forensic media sanitisation and physical destruction. The primary implementation requirement is to verify that all storage media is unrecoverable; the business benefit is preventing data leaks during decommissioning.
ISO 27001 Annex A Physical Asset Disposal or Re-use Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 7.9. This control demands a rigorous, evidence-based process for ensuring that all physical assets containing storage media are rendered unrecoverable before they leave your organisation’s control, whether for scrap, resale, or donation.
1. Establish a Verified Disposal Inventory
Control Requirement: Items of equipment containing storage media must be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.
Required Implementation Step: Physically tag every asset destined for disposal with a unique ID and log it in a “Disposal Queue” register. Do not rely on a GRC dashboard; walk the server room and storage cupboards to reconcile serial numbers against your master asset register to ensure no device is “lost” in the process.
Minimum Requirement: A serial-matched list of all hardware currently pending disposal or re-use.
2. Execute Physical Removal of Storage Media
Control Requirement: Storage media must be handled separately from the chassis if the chassis is being re-used or sold.
Required Implementation Step: Open the chassis of every laptop, server, or photocopier and physically remove the HDDs, SSDs, or NVMe drives. If the equipment is being re-used internally for a lower-security role, the media must still be removed and replaced with a fresh, blank drive to ensure no data residue remains.
Minimum Requirement: Documented verification that the storage medium was physically detached from the host device.
3. Perform Forensic-Level Data Sanitisation
Control Requirement: Data must be made unrecoverable using recognised sanitisation standards.
Required Implementation Step: Use a hardware-based “wiper” or certified software (e.g. Blancco or WhiteCanyon) to perform a multi-pass overwrite (NIST 800-88 Purge) of the media. Standard OS “formatting” is insufficient; you must generate a technical log proving every sector was overwritten.
Minimum Requirement: A software-generated sanitisation report for every drive, matched to its serial number.
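As an added illustration of the “technical log” this step calls for (example code written for this guide, not taken from the article or from any wiping product it names): a post-wipe check that reads every sector of an imaged drive, compares it with the overwrite pattern, and emits a serial-matched report; a single residual sector fails the drive and routes it to physical destruction. The image buffer, serial numbers and pattern are constructed sample values, and a real check would read the block device itself rather than an in-memory image.

```python
"""Post-wipe sector verification and serial-matched sanitisation report.
Illustrative code only; assumes the wiped media has been imaged into a byte
buffer (real use would read the block device sector by sector)."""
import hashlib
import json
from datetime import datetime, timezone

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors


def verify_overwrite(image: bytes, pattern: bytes = b"\x00") -> dict:
    """Compare every sector with the expected overwrite pattern.
    Returns the total sector count and the numbers of sectors that still
    hold anything other than the pattern (i.e. data residue)."""
    if len(image) % SECTOR_SIZE:
        raise ValueError("image length is not a whole number of sectors")
    expected = (pattern * (SECTOR_SIZE // len(pattern) + 1))[:SECTOR_SIZE]
    total = len(image) // SECTOR_SIZE
    failed = [i for i in range(total)
              if image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] != expected]
    return {"sectors_total": total, "sectors_failed": failed}


def sanitisation_report(serial: str, image: bytes, pattern: bytes = b"\x00") -> dict:
    """Build the per-drive evidence record: serial number, sector counts,
    hash of the verified image, timestamp and verdict. Any residual sector
    fails the drive, which then goes to physical destruction (step 4)."""
    result = verify_overwrite(image, pattern)
    return {
        "serial_number": serial,
        "sanitisation_method": "overwrite",
        "overwrite_pattern": pattern.hex(),
        "sectors_total": result["sectors_total"],
        "sectors_failed": result["sectors_failed"],
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "outcome": "PASS" if not result["sectors_failed"] else "FAIL_DESTROY",
    }


if __name__ == "__main__":
    # Constructed sample: an 8-sector "drive"; the second copy still holds
    # residual data in sector 5, so it must fail verification.
    CLEAN = b"\x00" * (8 * SECTOR_SIZE)
    RESIDUAL = bytearray(CLEAN)
    RESIDUAL[5 * SECTOR_SIZE:5 * SECTOR_SIZE + 16] = b"CONFIDENTIAL-XYZ"
    print(json.dumps(sanitisation_report("SN-EXAMPLE-0001", CLEAN), indent=2))
    print(json.dumps(sanitisation_report("SN-EXAMPLE-0002", bytes(RESIDUAL)), indent=2))
```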