The ISO 27001 international standard for Information Security has been updated and is now at the 2013 version.
There are two main sections of the standard that are very much applicable when it comes to disposing of redundant IT assets, and we can help businesses comply with the ISO 27001:2013 standard in these areas.
A.8.3 – Media Handling
This section requires the secure disposal of media, so whether you are disposing of hard disk drives, CDs/DVDs or backup tapes this is applicable. The standard states:
A.8.3.2 – “Media shall be disposed of securely when no longer required, using formal procedures”.
Since we specialise in the secure disposal of media we can assist you in this area and advise on creating formal procedures for your media disposal policies. See more information on our IT disposal services for the options on secure media disposal.
A.11.1.2 – Equipment
The time that your equipment and data is most vulnerable to a data breach is when you are disposing of it and it leaves your control. The standard states:
A.11.2.7 – “All items of equipment containing storage media shall be verified to ensure that any sensitive data and licenced software has been removed or securely overwritten prior to disposal or re-use”.
This means you need reports and certificates to prove that the hard drives on the computers you dispose of have been securely sanitised as part of your disposal process. We can provide full certification to show that all hard drives have been erased or destroyed, and full Asset Reports let you know exactly which devices can be removed from your Asset Register.
Another relevant section to the standard is A.18.1.1 – Identification of applicable legislation and contractual requirements” – in the Asset Disposal arena this relates to making sure the company processing your data bearing media is working to recognised industry standards and using relevant, certified equipment and software (eg, NCSC (National Cyber Security Centre, formerly CESG) approved).
Asset Disposal is a small part of the Information Security sector, and a small part of the ISO 27001 standard, but it is the most likely time for a data breach to occur so extra care and due diligence needs to be taken when disposing of your redundant computers and IT equipment.
Feel free to contact us to see how we can help you meet and maintain the ISO 27001:2013 standard.