Saying goodbye to your old equipment is what this ISO27001 Annex A control is all about, because let’s face it, nothing lasts forever. Having a defined process for the secure disposal or re-use of equipment matters more every year, as hardware is refreshed quickly and new models arrive almost annually.
What does the standard require?
The standard states that “Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.” (A7.14 – Secure disposal or re-use of equipment).
Ultimately, this control ensures that confidential or sensitive information is not leaked because of improper disposal or repurposing of equipment.
Why is this required?
Imagine how you would feel if you discovered that an old laptop containing your payroll or banking details had been sold on eBay without being cleared of data first. Would that make you feel uncomfortable? Although this doesn’t happen too often these days, it is certainly something we’ve heard of in the past.
Without controlling what happens to equipment at end-of-life, you run the risk of a data breach, which could lead to reputational damage and regulatory or compliance fines or enforcement action. A discarded drive is also a quiet breach: unlike a network intrusion, nothing in your logs will tell you it happened.
What the auditor is looking for
The ISO27001 auditor will typically look for evidence which could include the following measures.
Asset Register (A5.9 - Inventory of information and other associated assets)
Return of Assets Process (A5.11 - Return of assets)
Procedures to deal with end-of-life equipment, including who authorises disposal and how the asset register is updated.
Procedures for the re-use of equipment, including the sanitisation method used and how its success is verified.
Destruction certificates from your disposal supplier, reconciled to serial numbers in the asset register.
Evidence that awareness, education and training has taken place.
Audit reports.
Incident logs.
What do you need to do?
First, establish what currently happens with equipment in your business, and identify any gaps or risks. You should note these on your risk register and assess their impact on your business. Armed with this information, you can decide how you want to treat the risk.
Create a simple process for your teams to follow that ensures data is removed from equipment before it is reused or destroyed. In technical terms this is called 'sanitisation', and the technique must match the media: an overwrite that works on a spinning hard disk may leave readable copies on an SSD or phone flash storage, where wear-levelling can keep stale blocks that software never touches. The control also asks that the result be verified, so the process should include a check that the data is actually gone, not just that a tool was run.
This could include using overwrite (data-shredder) software on hard disks, using the drive’s own secure-erase function on SSDs, or physically removing drives and destroying them. Where the device was encrypted from the start, destroying the encryption key is a fast and reliable alternative, which is a good argument for full-disk encryption on every laptop and phone you buy. Your process should also reset the equipment to factory settings and remove any user accounts and access controls; note that on an unencrypted laptop a factory reset alone does not overwrite the old data.
If you use a registered disposal supplier who collects devices and physically shreds them, ensure your process includes obtaining a certificate of destruction for each item, listed by serial number, and reconciling it against your asset register so nothing goes missing between collection and shredding.
Finally, if you are returning equipment, donating it to a charity, or selling it on eBay, ensure that you also strip the equipment of any company identifiers such as ID tags or labels. Removing labels is cosmetic, though; it does not replace wiping the storage.
As a point of note, don’t forget to look beyond the obvious equipment, such as laptops and mobile devices. Look at your asset register and identify any other equipment listed there that needs including within the process for disposal or re-use. For example, many printers and larger multi-functional devices (MFDs) are networked and contain hard drives or flash storage that cache scanned and printed documents. MFDs are often leased from suppliers, but what happens when they reach end-of-life? Do you follow a process to reset and wipe the memory before they go back to the supplier or are reused?
Q & A
What data wiping software does ISO27001 recommend?
ISO27001 doesn’t name any specific software for the destruction of data. There are plenty of tools available; what matters is that the tool suits the media type (hard disk, SSD, phone, MFD), that it produces a report you can keep as evidence, and that you verify the result. NIST SP 800-88, Guidelines for Media Sanitization, is a widely used reference for choosing a method (clear, purge or destroy) for each type of media, and is a better starting point than a web search for the 'best data shredder'.
Isn’t it ok for me to simply delete files and empty the ‘trash can’?
In a word, no.
It depends on your business, but hitting ‘delete’ on a file doesn’t remove its contents, and that could be an issue for you. Deleting a file (and emptying the trash) removes only the filesystem’s entry for it and marks the space as free for reuse. The bytes themselves stay on the disk until something happens to overwrite them, which means anyone with recovery software can scan the raw disk and get them back.
Of course, how significant this risk is depends on who you are and what you do, and on whether any data is stored on that device at all. If you only use Cloud services you might assume nothing lives on the equipment, but remember that many Cloud systems keep a local copy for offline access (synchronised folders, cached mailboxes, browser caches and saved credentials). That data is stored on the device as well as in the Cloud, and it needs wiping like anything else.
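To make the two points above concrete (that ‘delete’ only drops the directory entry, and that A7.14 asks you to verify the overwrite), here is an added example that is not part of the original article or of ISO27001. It uses a toy disk image with a made-up directory layout standing in for an old laptop’s drive, and a constructed sample payroll row with fictitious account and National Insurance numbers. It shows recovery by carving raw sectors after a delete, then an overwrite followed by a verification check of the kind you would record against the asset before it leaves your control.

```python
"""Added example: why 'delete' is not sanitisation, and how to verify an overwrite.

Toy disk image (not a real filesystem): sector 0 is a directory of
'name:start:length' lines, the remaining sectors hold file data. The behaviour
shown (delete drops the entry, the bytes stay put) matches real filesystems.
"""
import os
import re
import tempfile

SECTOR = 512
DISK_SECTORS = 64          # 32 KiB constructed disk image

# Constructed sample payroll row: made-up UK sort code/account and NI number.
SAMPLE_PAYROLL = b"name,account,ni\nAlice Example,12-34-56 12345678,AB123456C\n"

# Patterns a recovery tool (or a buyer of the laptop) would search raw sectors for.
SENSITIVE_PATTERNS = [
    re.compile(rb"\d{2}-\d{2}-\d{2}\s\d{8}"),   # sort code + account number
    re.compile(rb"[A-Z]{2}\d{6}[A-D]"),         # UK National Insurance number
]


def make_image(path):
    """Create a zero-filled image with an empty directory in sector 0."""
    with open(path, "wb") as f:
        f.write(b"\x00" * SECTOR * DISK_SECTORS)


def _read_directory(path):
    with open(path, "rb") as f:
        raw = f.read(SECTOR).rstrip(b"\x00")
    entries = {}
    for line in raw.split(b"\n"):
        if line:
            name, start, length = line.decode().split(":")
            entries[name] = (int(start), int(length))
    return entries


def _write_directory(path, entries):
    raw = "".join(f"{n}:{s}:{l}\n" for n, (s, l) in entries.items()).encode()
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(raw.ljust(SECTOR, b"\x00"))


def list_files(path):
    return sorted(_read_directory(path))


def write_file(path, name, data, start_sector):
    entries = _read_directory(path)
    with open(path, "r+b") as f:
        f.seek(start_sector * SECTOR)
        f.write(data)
    entries[name] = (start_sector, len(data))
    _write_directory(path, entries)


def delete_file(path, name):
    """What 'delete' and 'empty the trash' do: remove the directory entry only.
    The data sectors become reusable but their contents are untouched."""
    entries = _read_directory(path)
    del entries[name]
    _write_directory(path, entries)


def carve(path):
    """What recovery software does: ignore the directory and scan raw sectors."""
    with open(path, "rb") as f:
        data_area = f.read()[SECTOR:]
    hits = []
    for pattern in SENSITIVE_PATTERNS:
        hits.extend(m.group(0).decode() for m in pattern.finditer(data_area))
    return hits


def overwrite_image(path):
    """Sanitise by overwriting every sector, directory included, with zeros.

    This is the software-overwrite approach suited to a spinning disk. On SSDs
    and phones, wear-levelling can keep stale copies an overwrite never reaches,
    so use the drive's own erase command or destroy the encryption key instead.
    The verification step below applies either way.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for offset in range(0, size, SECTOR):
            f.seek(offset)
            f.write(b"\x00" * SECTOR)
        f.flush()
        os.fsync(f.fileno())


def verify_sanitised(path):
    """The 'verified' part of A7.14: every sector holds the overwrite pattern
    and a carve of the raw image finds nothing."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        for _ in range(0, size, SECTOR):
            if f.read(SECTOR).strip(b"\x00"):
                return False
    return not carve(path)


def demo():
    """Run the whole story on a constructed image and return the observations."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "old-laptop.img")
        make_image(img)
        write_file(img, "payroll.csv", SAMPLE_PAYROLL, start_sector=4)
        before = carve(img)
        delete_file(img, "payroll.csv")
        after_delete = (list_files(img), carve(img))
        overwrite_image(img)
        after_wipe = (carve(img), verify_sanitised(img))
    return {"before": before, "after_delete": after_delete, "after_wipe": after_wipe}


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Running the script prints three lines: the account details are found before deletion, are still found after the file has been deleted (the directory is empty but the sectors are not), and are gone only after the overwrite, at which point verify_sanitised returns True. The same shape of check, reading back every sector and carving for known patterns, is what you would run against a real drive after your chosen sanitisation method and keep as the evidence an auditor will ask for.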
Difficulty rating
We rate this a 2 out of 5 difficulty rating. This ISO27001 control is mostly about process, but it does require you to understand the sanitisation techniques available for each type of storage you own. You will need to develop appropriate procedures, so be sure to understand what currently happens to old equipment in your business and work from there.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.