MP-6(8) / A.8.10 / CIS-13.6 NIST SP 800-53 Rev 5

Remote wipe capability tested

Description

What this control does

Remote wipe capability testing verifies that organizations can remotely erase all data from lost, stolen, or compromised mobile devices and endpoints to prevent unauthorized data access. This control requires documented testing procedures that simulate real-world scenarios, including testing across device types (smartphones, tablets, laptops), operating systems, and network conditions. Regular testing confirms that wipe commands successfully execute, data becomes irrecoverable, and the process completes within defined timeframes even when devices are offline or have limited connectivity.

Control objective

What auditing this proves

Demonstrate that remote wipe capabilities function as intended across all supported device types and scenarios, ensuring organizational data can be reliably erased from endpoints that are lost, stolen, or no longer authorized.

Associated risks

Risks this control addresses

  • Stolen or lost devices exposing sensitive organizational data, intellectual property, or customer information due to failed remote wipe commands
  • Malicious actors recovering supposedly wiped data from devices using forensic tools when wipe procedures are incomplete or ineffective
  • Terminated or separated employees retaining access to organizational data on personal devices after employment ends
  • Ransomware or malware spreading from compromised devices that cannot be reliably sanitized remotely
  • Regulatory penalties and breach notification obligations triggered by inability to confirm data destruction on missing devices
  • False confidence in data protection capabilities when remote wipe functions fail silently or do not complete fully
  • Delayed incident response when organizations discover remote wipe failures only during actual security incidents rather than controlled testing

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's remote wipe policy, procedures, and testing schedule documentation including supported device types and platforms
  2. Request records of remote wipe testing conducted within the past 12 months, including test dates, devices tested, personnel involved, and outcomes
  3. Select a representative sample of device types from the organizational inventory (minimum three platforms such as iOS, Android, Windows) for validation testing
  4. Verify that test procedures include both immediate wipe scenarios (device online) and delayed scenarios (device offline then reconnected)
  5. Review evidence that test wipes were validated through forensic verification or data recovery attempts to confirm data unrecoverability
  6. Interview IT or security personnel responsible for mobile device management to confirm understanding of wipe procedures and escalation paths
  7. Examine MDM or endpoint management console logs showing successful wipe command issuance, acknowledgment, and completion status for sampled tests
  8. Verify that testing results identified any failures, documented root causes, and triggered corrective actions with evidence of remediation

Evidence required

Auditors should collect remote wipe testing reports with timestamps, device identifiers, and pass/fail outcomes; screenshots or exports from MDM/UEM console logs showing wipe commands and completion confirmations; forensic validation reports or certificates demonstrating data unrecoverability post-wipe; policy documents defining testing frequency and procedures; and change management or incident tickets documenting remediation of any identified wipe failures.

Pass criteria

Remote wipe capability has been tested at least annually across all supported device platforms with documented evidence showing successful data erasure, forensic validation of unrecoverability, and remediation of any identified failures.
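
One way to check collected test records against the procedure steps and pass criteria above, as an added example that is not part of the original control text. The CSV columns, device IDs and ticket number are constructed for illustration and do not match any specific MDM product's export; "at least annually" is assumed to mean within 365 days of the review date.

```python
import csv, io
from datetime import date, timedelta

# Constructed sample evidence; column names are hypothetical, not a real MDM export format.
SAMPLE = """device_id,platform,scenario,test_date,issued,acknowledged,completed,forensic_validated,remediation_ticket
DEV-001,iOS,online,2024-03-04,yes,yes,yes,yes,
DEV-002,iOS,offline,2024-03-05,yes,yes,yes,yes,
DEV-003,Android,online,2024-03-04,yes,yes,yes,yes,
DEV-004,Android,offline,2024-03-06,yes,yes,no,no,CHG-1042
DEV-005,Android,offline,2024-04-02,yes,yes,yes,yes,
DEV-006,Windows,online,2024-03-07,yes,yes,yes,yes,
DEV-007,Windows,offline,2022-11-15,yes,yes,yes,yes,
"""

LIFECYCLE = ("issued", "acknowledged", "completed", "forensic_validated")

def review_evidence(csv_text, supported_platforms, as_of):
    """Return a list of findings; an empty list means the evidence supports a pass."""
    cutoff = as_of - timedelta(days=365)  # assumed reading of "at least annually"
    validated = set()  # (platform, scenario) pairs with a fully validated wipe
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if date.fromisoformat(row["test_date"]) < cutoff:
            continue  # stale test: cannot count as evidence for this period
        if all(row[col] == "yes" for col in LIFECYCLE):
            validated.add((row["platform"], row["scenario"]))
        elif not row["remediation_ticket"]:
            # A failed test is acceptable only if remediation was recorded.
            findings.append(f"{row['device_id']}: failed test with no remediation record")
    # Every supported platform needs both an online and an offline-then-reconnected test.
    for platform in supported_platforms:
        for scenario in ("online", "offline"):
            if (platform, scenario) not in validated:
                findings.append(f"{platform}: no validated {scenario} wipe in the last 12 months")
    return findings

if __name__ == "__main__":
    for finding in review_evidence(SAMPLE, ["iOS", "Android", "Windows"], date(2024, 6, 1)):
        print(finding)
```

In the constructed sample, the only Windows offline test is older than the review window, so it is reported as a coverage gap even though the wipe itself succeeded.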
