A.7.14 / A.8.10 / MP-6 ISO/IEC 27001:2022 Annex A ISO 27001

A.7.14 — Is equipment securely disposed of or re-used (data wiped, certificates of destruction)?

Description

What this control does

This control ensures that storage media and equipment containing sensitive or organizational data are sanitized, destroyed, or securely wiped before disposal, transfer, or reuse to prevent unauthorized data recovery. It includes physical destruction of media, cryptographic erasure, overwriting using approved standards, and obtaining verifiable certificates of destruction from authorized vendors. Proper implementation prevents data leakage through discarded hardware, returned lease equipment, resold assets, or equipment sent for repair.

Control objective

What auditing this proves

Demonstrate that the organization systematically sanitizes or destroys data-bearing assets prior to disposal or reuse, maintains documented evidence of destruction or wiping, and enforces accountability through certificates or verification records.

Associated risks

Risks this control addresses

  • Confidential customer data, intellectual property, or credentials recovered from improperly wiped hard drives sold or disposed of in e-waste streams
  • Adversaries purchasing decommissioned storage devices from resale markets or dumpster diving to extract residual sensitive data
  • Compliance violations (GDPR, HIPAA, PCI DSS) resulting from failure to render regulated data irrecoverable before asset disposal
  • Insider threats or malicious actors retrieving authentication keys, certificates, or cryptographic material from unwiped devices redeployed internally
  • Reputation damage and legal liability following public disclosure of data breaches traced to disposed equipment
  • Organizational secrets exposed through forensic recovery of data from devices sent to third-party repair or refurbishment vendors without sanitization
  • Loss of encryption keys or certificate private keys embedded in firmware or TPM chips not reset before equipment reuse

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's asset disposal, decommissioning, and sanitization policy documenting approved wiping standards (NIST SP 800-88, DoD 5220.22-M), destruction methods, and certificate requirements.
  2. Request the complete inventory of IT assets disposed of, retired, or transferred in the past 12 months, including laptops, servers, mobile devices, network equipment, and removable media.
  3. Select a representative sample of 10-15 disposed assets across device categories and trace each to corresponding disposal records, certificates of destruction, or data sanitization logs.
  4. Review certificates of destruction from third-party vendors, verifying they include asset serial numbers, destruction method, date, vendor certifications, and authorized signatory.
  5. Examine sanitization logs or software reports for internally wiped devices, confirming use of approved tools (e.g., DBAN, Blancco, vendor secure erase), completion timestamps, and pass/fail status for each device.
  6. Interview IT asset management or disposal personnel to confirm physical verification processes, segregation of destroyed assets, and tracking of chain of custody from decommissioning to final disposal.
  7. Verify that devices reused internally (e.g., repurposed laptops, repurposed drives) underwent documented sanitization and validation testing before reassignment, including spot-check recovery attempts.
  8. Test a sample of disposed or wiped devices if still accessible to confirm data unrecoverability using forensic recovery tools or validate destruction through photographic or witness evidence in destruction certificates.
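
As an added example (not part of this control page or of any audit tool), a small Python reconciliation of the disposal inventory against vendor certificates and internal sanitization logs, mirroring steps 2-5 and 7 above; the inventory, certificate and log records, the field names, the approved-method list and the vendor name are constructed assumptions:

```python
# Added example: trace each disposed/reused asset to its evidence and report what is missing.
CERT_FIELDS = ("serial", "method", "date", "vendor", "signatory")    # step 4 requirements
APPROVED_METHODS = {"shred", "degauss", "crypto-erase", "overwrite"}  # assumed policy list
APPROVED_TOOLS = {"DBAN", "Blancco", "vendor-secure-erase"}           # step 5 examples

# Constructed sample records; serial numbers and vendor are placeholders, not real assets.
INVENTORY = [
    {"serial": "LT-0001", "type": "laptop", "disposition": "vendor-destroyed"},
    {"serial": "SV-0002", "type": "server", "disposition": "vendor-destroyed"},
    {"serial": "HD-0003", "type": "drive", "disposition": "reused-internally"},
    {"serial": "PH-0004", "type": "phone", "disposition": "vendor-destroyed"},
]
CERTIFICATES = [
    {"serial": "LT-0001", "method": "shred", "date": "2024-03-02", "vendor": "Example ITAD", "signatory": "J. Doe"},
    {"serial": "SV-0002", "method": "shred", "date": "2024-03-02", "vendor": "Example ITAD"},  # unsigned
]
SANITIZATION_LOGS = [{"serial": "HD-0003", "tool": "Blancco", "status": "pass",
                      "completed": "2024-02-10", "recovery_spot_check": False}]

def check_certificate(cert):
    """Findings for a vendor certificate: all required fields present, method approved."""
    findings = [f"certificate missing {f}" for f in CERT_FIELDS if not cert.get(f)]
    if cert.get("method") and cert["method"] not in APPROVED_METHODS:
        findings.append(f"unapproved method {cert['method']}")
    return findings

def check_log(log, reused):
    """Findings for an internal wipe log: approved tool, pass status, timestamp, spot-check (step 7)."""
    checks = [
        (log.get("tool") not in APPROVED_TOOLS, f"unapproved tool {log.get('tool')}"),
        (log.get("status") != "pass", "no pass status"),
        (not log.get("completed"), "missing completion timestamp"),
        (reused and not log.get("recovery_spot_check"), "reused without recovery spot-check"),
    ]
    return [msg for failed, msg in checks if failed]

def reconcile(inventory, certificates, logs):
    """Map every inventoried serial to its findings; an empty list means the asset passes."""
    certs = {c["serial"]: c for c in certificates}
    wipes = {w["serial"]: w for w in logs}
    def findings(asset):
        s, reused = asset["serial"], asset["disposition"] == "reused-internally"
        if s in certs: return check_certificate(certs[s])
        if s in wipes: return check_log(wipes[s], reused)
        return ["no sanitization evidence"]   # neither certificate nor wipe log: control fails
    return {a["serial"]: findings(a) for a in inventory}

if __name__ == "__main__":
    for serial, found in reconcile(INVENTORY, CERTIFICATES, SANITIZATION_LOGS).items():
        print(serial, "PASS" if not found else "; ".join(found))
```

Any serial in the inventory that has neither a certificate nor a wipe log is the finding the pass criteria below treat as a control failure.
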

Evidence required

Collect asset disposal policy documents, the past 12 months' disposal inventory with serial numbers and disposal dates, certificates of destruction from authorized vendors with asset-specific details, sanitization software logs showing device identifiers and completion status, chain-of-custody forms, and photographic or witness attestations for physical destruction. Include evidence of approval workflows for asset disposal and any failed sanitization incident records with remediation actions.

Pass criteria

All sampled disposed or reused assets have documented evidence of approved data sanitization or physical destruction, certificates of destruction from qualified vendors include asset-specific identifiers and conform to policy requirements, and no instances of assets disposed of or reused without verifiable sanitization records are identified.