Remove Identifying Labels from IT Equipment Before Disposal
Before throwing away IT equipment, remove any labels that show ownership or use.
Plain language
This control is about making sure you remove any labels on IT equipment, like computers or phones, before getting rid of them. These labels can contain sensitive information about who owned the equipment or what it was used for. If you don't remove them, someone could trace the equipment back to that information, which could lead to privacy breaches or data leaks.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Section
IT equipment disposal
Topic
Disposal of IT Equipment
Official control statement
Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate IT equipment with its prior use are removed prior to its disposal.
Why it matters
Failure to remove labels can expose sensitive ownership or usage data, risking privacy breaches and unintended information disclosure.
Operational notes
Before disposal, remove or obscure all asset tags and classification markings; also remove adhesive residue to prevent traceability.
Implementation tips
- Office managers should designate a responsible person to oversee the removal of labels from IT equipment before disposal. They can ensure that all computers, printers, and other devices have their labels removed as part of the decommissioning process. This involves physically checking each item and using a simple scraper or alcohol solution to remove sticky residues.
- IT teams should create a checklist for equipment disposal that includes steps for removing any identifying information. This checklist should be easy to follow and shared with all staff involved in equipment decommissioning. By having this checklist, everyone can understand the exact steps and ensure nothing is left with identifying labels.
- Procurement officers should include label removal as a requirement in any disposal contracts with third-party providers. This means they need to ensure that any company hired to take away old equipment is contractually obligated to remove all labels. They can do this by updating the terms covered in disposal agreements.
- HR departments should train employees on the importance of label removal when equipment is broken or replaced. They can provide a simple handout or a section of an IT policy manual outlining what information labels may contain and why their removal is crucial. This ensures that anyone handling equipment understands their role in protecting sensitive information.
- Executives need to allocate the necessary resources and support for IT equipment disposal processes. This includes budgeting for proper disposal materials like solvents for label removal or hiring services to ensure compliance. By doing this, they facilitate proper procedures and prevent shortcuts that could compromise data security.
Audit / evidence tips
- Ask for the equipment disposal checklist: Request the checklist used by staff for decommissioning IT equipment. Look to see if label removal is included as a specific step.
  Good is a checklist clearly listing label removal and showing who is responsible for the task.
- Ask to see agreements with third-party disposal companies: Request a copy of the contract or agreement where label removal is mentioned. Look to ensure that there is a clause specifying that all identifying labels must be removed before disposal.
  Good example has this clause included and signed off by both parties.
- Ask for training records: Request evidence of training sessions or materials where equipment disposal and label removal practices are covered.
  Good includes dated records showing who was trained and when.
- Ask for a sample of recently disposed equipment: Request a demonstration of the label removal process on equipment ready to be disposed. Look to confirm that no labels indicating ownership or use remain on the equipment.
  Good shows clean equipment with no identifying information left visible.
- Ask for incident reports related to disposal: Request any reports or logs where disposal practices were not followed properly.
  Good is the absence of any incidents or a clear record that shows prompt action was taken to address them.
Cross-framework mappings
How ISM-1217 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 7.10 | Annex A 7.10 requires organisations to manage storage media (and associated handling requirements) securely through to disposal | |
| Annex A 7.14 | ISM-1217 requires labels and markings that could identify the owner, sensitivity or classification of IT equipment to be removed before d... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.