Requirement
Requirement lens
This control asks whether equipment containing storage media is checked before disposal or reuse so sensitive data and licensed software are removed or securely overwritten.
“Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.”
Plain-language meaning
Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no longer recoverable.
This includes obvious equipment such as laptops and servers, and less obvious equipment such as printers, scanners, CCTV devices, and any device with internal storage or buffers.
Why this matters
Deleting files is not the same as secure erasure. Data may remain recoverable from disks, SSDs, printers, cameras, and other devices. Poor disposal can create confidentiality breaches, privacy incidents, intellectual property leakage, and software licensing problems.
Implementation guidance
Implementer focus
Disposal and reuse need proof, not assumptions. Identify storage, sanitize or destroy it, verify the result, and keep records.
1. Identify equipment containing storage media
Examples include:
- laptops and desktops;
- servers and storage arrays;
- mobile devices;
- removable drives;
- printers and multifunction devices;
- CCTV cameras and recorders;
- network devices with logs/configurations;
- industrial or embedded systems with local storage.
2. Choose sanitization or destruction based on risk
Possible methods include:
- secure overwrite where suitable;
- cryptographic erase where keys are controlled;
- degaussing for suitable magnetic media;
- physical destruction;
- certified disposal by approved contractor.
Different media behave differently. SSDs and embedded storage may not be reliably sanitized by basic overwrite tools.
3. Verify before disposal or reuse
Verification should confirm:
- sensitive data is removed or overwritten;
- licensed software is removed where required;
- device configuration, logs, credentials, and cached data are removed;
- sanitization/destruction method matches sensitivity;
- evidence is retained.
4. Handle repair scenarios
Equipment sent for repair can expose information. Consider removing, sanitizing, encrypting, or destroying storage before dispatch. If that is not possible, record a risk decision and controls.
Audit guidance
Auditor focus
Do not accept “we deleted the files.” Check the sanitization method, verification evidence, device type, contractor assurance, and repair handling.
Auditors should verify:
- secure disposal/reuse procedure exists;
- equipment containing storage media is identified;
- sanitization method matches media type and sensitivity;
- sensitive data and licensed software are removed before disposal or reuse;
- encryption is appropriate to the lifetime sensitivity of data;
- destruction records are traceable;
- repair processes protect data;
- users understand disposal risks.
Evidence examples
Evidence quality
Strong evidence proves equipment was identified, sanitized or destroyed, verified, and removed from inventory with traceable records.
| Evidence | What it proves |
|---|---|
| Secure disposal/reuse procedure | Process is defined |
| Equipment disposal register | Disposal/reuse is traceable |
| Sanitization certificates/logs | Data removal was performed |
| Destruction certificates | Media destruction is evidenced |
| Contractor due diligence | Disposal provider is trusted |
| Repair dispatch records | Repair risk is controlled |
| Asset inventory update | Equipment lifecycle is closed |
| Verification record | Data/software removal was checked |
Strong evidence
- Disposal records identify device, storage media, classification, method, verifier, and date.
- Sanitization method matches media type and data sensitivity.
- Contractor disposal records are traceable.
- Printers, CCTV devices, and embedded storage are considered.
- Repair processes include media removal, sanitization, or risk decision.
- Asset inventory is updated after disposal/reuse.
Weak evidence
- Staff delete files manually.
- Disposal certificates are generic and not tied to asset IDs.
- SSDs are treated like magnetic disks without validation.
- Printers and cameras are ignored.
- Repair shipments include storage media without assessment.
- Encryption is assumed sufficient without considering key handling or data lifetime.
Common failures
Implementation watchouts
A.7.14 fails when equipment disposal is treated as waste management instead of information security.
| Failure | Why it matters |
|---|---|
| Deleted files treated as erased data | Recoverable data may remain |
| Hidden storage ignored | Printers, CCTV, and network devices may retain data |
| No asset-level traceability | Disposal cannot be proven |
| Wrong sanitization method | Data can remain on SSDs or embedded storage |
| Repair process uncontrolled | Third parties may access data |
| Software not removed | Licensing and copyright exposure |
Exam traps
Exam focus
A.7.14 is about equipment containing storage media. It overlaps with A.7.10 but focuses on equipment disposal or reuse.
| Trap | Correct interpretation |
|---|---|
| Deleting files is secure disposal | Deleted files may be recoverable |
| Only computers contain storage | Printers, CCTV, network devices, and embedded systems can store data |
| Encryption always solves disposal risk | Key handling, encryption strength, and data sensitivity lifetime matter |
| Contractor certificate is enough | The record should be traceable to specific assets/media |
| A.7.14 is the same as A.7.10 | A.7.10 covers media lifecycle; A.7.14 covers equipment disposal/reuse containing media |
Related controls and concepts
- A.7 Physical Controls MOC
- A.7.10 Storage Media
- A.7.13 Equipment Maintenance
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.11 Return of Assets
- A.5.32 Intellectual Property Rights
- A.5.33 Protection of Records
- A.5.34 Privacy and Protection of PII
- Risk Assessment
- Equipment Disposal and Reuse Register
- Equipment Sanitization Verification Checklist
- Repair Dispatch Data Protection Checklist
- A.7.14 Audit Evidence Pack
- A.7.14 Audit Checklist
KB-ready summary
Mentor takeaway
A.7.14 requires verified removal or secure overwriting of sensitive data and licensed software before equipment leaves control, is reused, repaired, sold, donated, recycled, or discarded.
- Identify equipment with storage.
- Choose sanitization/destruction based on media type and sensitivity.
- Verify data and licensed software removal.
- Include printers, CCTV, network devices, and embedded storage.
- Keep asset-level disposal or reuse records.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Physical controls
- Equipment disposal
- Media sanitization
- Audit
Note Metadata
Aliases: A.7.14, Secure Disposal or Re-Use of Equipment, Secure Disposal or Reuse of Equipment
Source: 04 Annex A Physical Controls/A.7.14 Secure Disposal or Re-Use of Equipment.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.32 - Intellectual Property Rights
- ISO 27001 A.5.33 - Protection of Records
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.13 - Equipment Maintenance
- A.7 Physical Controls MOC
- A.7.14 Audit Evidence Pack
- AQ-ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment
- ISO 27001 A.8.10 - Information Deletion
- A.7 Physical Controls Implementation Guide
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment
- A.7 Physical Controls Implementation Audit Risk Mapping
- EXAM-026 - Cabling, Maintenance, and Equipment Disposal
- ISO 27002 Annex A Control Interpretation Map
- A.7.14 Audit Checklist
- Equipment Disposal and Reuse Register
- Equipment Sanitization Verification Checklist
- Information Deletion and Destruction Register
- Repair Dispatch Data Protection Checklist
- Annex A Controls MOC