UnixTime

Research Note

A.7.14 Audit Evidence Pack

- Records identify asset, storage media, classification, method, verifier, and date. - Sanitization method matches media type and sensitivity. - Contractor records are asset-spe...

On this page

What the auditor wants to verify

Audit objective

Verify that equipment containing storage media is checked before disposal or reuse so sensitive data and licensed software are removed or securely overwritten.

Evidence to request

Evidence Purpose
Secure disposal/reuse procedure Shows the process is defined
Equipment disposal/reuse register Shows traceability by asset
Sanitization logs/certificates Shows data removal occurred
Destruction certificates Shows media destruction is evidenced
Contractor due diligence Shows disposal provider is trusted
Repair dispatch records Shows repair data risk is controlled
Asset inventory updates Shows lifecycle closure
Verification records Shows removal was checked

Strong evidence

  • Records identify asset, storage media, classification, method, verifier, and date.
  • Sanitization method matches media type and sensitivity.
  • Contractor records are asset-specific and traceable.
  • Printers, CCTV devices, and embedded storage are considered.
  • Repair dispatch includes media removal, sanitization, or risk decision.

Weak evidence

  • Staff only delete files.
  • Disposal certificates are generic.
  • SSDs are handled like magnetic disks without validation.
  • Printers/CCTV/network devices are ignored.
  • Repair shipments include storage without assessment.

Sample interview questions

  • How do you identify equipment containing storage media?
  • Which sanitization methods are approved?
  • How do you verify data and licensed software removal?
  • How are printers, CCTV, and embedded devices handled?
  • What happens before equipment is sent for repair?

Common nonconformities

  • No asset-level disposal traceability.
  • File deletion treated as secure erasure.
  • Disposal method unsuitable for media type.
  • Hidden storage overlooked.
  • Repair process exposes data.
  • Licensed software not removed.