Remove Identifying Labels from IT Equipment Before Disposal
Before throwing away IT equipment, remove any labels that show ownership or use.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
May 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Section
IT equipment disposalTopic
Disposal of It EquipmentLabels and markings indicating the owner, sensitivity, classification or any other marking that can associate IT equipment with its prior use are removed prior to its disposal.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure you remove any labels on IT equipment, like computers or phones, before getting rid of them. These labels can contain sensitive information about who owned the equipment or what it was used for. If you don't do this, someone could potentially trace back sensitive information, which could lead to privacy breaches or data leaks.
Why it matters
Failure to remove labels can expose sensitive ownership or usage data, risking privacy breaches and unintended information disclosure.
Operational notes
Before disposal, remove or obscure all asset tags and classification markings; also remove adhesive residue to prevent traceability.
Implementation tips
- Office managers should designate a responsible person to oversee the removal of labels from IT equipment before disposal. They can ensure that all computers, printers, and other devices have their labels removed as part of the decommissioning process. This involves physically checking each item and using a simple scraper or alcohol solution to remove sticky residues.
- IT teams should create a checklist for equipment disposal that includes steps for removing any identifying information. This checklist should be shared with all staff involved in equipment decommissioning to follow easily. By having this checklist, everyone can understand the exact steps and ensure nothing is left with identifying labels.
- Procurement officers should include label removal as a requirement in any disposal contracts with third-party providers. This means they need to ensure that any company hired to take away old equipment is contractually obligated to remove all labels. They can do this by updating the terms covered in disposal agreements.
- HR departments should train employees on the importance of label removal when equipment is broken or replaced. They can provide a simple handout or part of an IT policy manual outlining what information labels may contain and why their removal is crucial. This ensures that anyone handling equipment understands their role in protecting sensitive information.
- Executives need to allocate the necessary resources and support for IT equipment disposal processes. This includes budgeting for proper disposal materials like solvents for label removal or hiring services to ensure compliance. By doing this, they facilitate proper procedures and prevent shortcuts that could compromise data security.
Audit / evidence tips
-
Ask: the equipment disposal checklist: Request the checklist used by staff for decommissioning IT equipment. Look to see if label removal is included as a specific step
Good: is a checklist clearly listing label removal and showing who is responsible for the task
-
Ask: to see agreements with third-party disposal companies: Request a copy of the contract or agreement where label removal is mentioned. Look to ensure that there is a clause specifying that all identifying labels must be removed before disposal
Good: example has this clause included and signed off by both parties
-
Ask: training records: Request evidence of training sessions or materials where equipment disposal and label removal practices are covered
Good: includes dated records showing who was trained and when
-
Ask: a sample of recently disposed equipment: Request a demonstration of the label removal process on equipment ready to be disposed. Look to see if no labels indicating ownership or use remain on the equipment
Good: shows clean equipment with no identifying information left visible
-
Ask: incident reports related to disposal: Request any reports or logs where disposal practices were not followed properly
Good: is the absence of any incidents or a clear record that shows prompt action was taken to address them
Cross-framework mappings
How ISM-1217 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | ||
| Annex A 7.10 | Annex A 7.10 requires organisations to manage storage media (and associated handling requirements) securely through to disposal | |
| Annex A 7.14 | ISM-1217 requires labels and markings that could identify the owner, sensitivity or classification of IT equipment to be removed before d... | |