What the auditor wants to verify
Audit objective
Verify that equipment containing storage media is checked before disposal or reuse so sensitive data and licensed software are removed or securely overwritten.
Evidence to request
| Evidence | Purpose |
|---|---|
| Secure disposal/reuse procedure | Shows the process is defined |
| Equipment disposal/reuse register | Shows traceability by asset |
| Sanitization logs/certificates | Shows data removal occurred |
| Destruction certificates | Shows media destruction is evidenced |
| Contractor due diligence | Shows disposal provider is trusted |
| Repair dispatch records | Shows repair data risk is controlled |
| Asset inventory updates | Shows lifecycle closure |
| Verification records | Shows removal was checked |
Strong evidence
- Records identify asset, storage media, classification, method, verifier, and date.
- Sanitization method matches media type and sensitivity.
- Contractor records are asset-specific and traceable.
- Printers, CCTV devices, and embedded storage are considered.
- Repair dispatch includes media removal, sanitization, or risk decision.
Weak evidence
- Staff only delete files.
- Disposal certificates are generic.
- SSDs are handled like magnetic disks without validation.
- Printers/CCTV/network devices are ignored.
- Repair shipments include storage without assessment.
Sample interview questions
- How do you identify equipment containing storage media?
- Which sanitization methods are approved?
- How do you verify data and licensed software removal?
- How are printers, CCTV, and embedded devices handled?
- What happens before equipment is sent for repair?
Common nonconformities
- No asset-level disposal traceability.
- File deletion treated as secure erasure.
- Disposal method unsuitable for media type.
- Hidden storage overlooked.
- Repair process exposes data.
- Licensed software not removed.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A7 14
Note Metadata
Aliases: A.7.14 Evidence
Source: 04 Audit Evidence Packs/A.7.14 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- Audit Evidence MOC
- AQ-ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment
- A.7 Physical Controls Audit Guide
- ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment
- A.7.14 Audit Checklist
- Equipment Disposal and Reuse Register
- Equipment Sanitization Verification Checklist
- Repair Dispatch Data Protection Checklist
- Audit Evidence Index