Develop and Maintain IT Equipment Disposal Procedures
Ensure IT equipment is disposed of properly by following established procedures.
Plain language
Properly getting rid of old IT equipment is important because if you don't, sensitive information could end up in the wrong hands. Think of all the data stored on your phones, computers, and servers-without a secure disposal process, this information could be accessed by someone it shouldn't be, leading to privacy breaches and potential financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
18 May 2026
E8 maturity levels
N/A
Section
IT equipment disposalOfficial control statement
IT equipment disposal processes, and supporting IT equipment disposal procedures, are developed, implemented and maintained.
Why it matters
Improper disposal of IT equipment can expose residual data, causing data breaches, regulatory consequences and reputational damage.
Operational notes
Maintain disposal procedures: track assets, sanitise media per approved methods, and keep records of destruction or certified wipe for each device.
Implementation tips
- IT team should develop a clear disposal policy: Define exactly what needs to happen when IT equipment is no longer in use. Include steps like securely wiping all data and determining whether equipment should be recycled, donated, or scrapped.
- Office manager should audit current device inventory: Conduct a check of all devices currently in use to ensure there are no outdated pieces that need disposal. Create a list of equipment with details about its age and condition.
- Procurement manager should liaise with a certified e-waste disposal company: Choose a company authorised to handle secure data destruction. Verify their credentials and compliance with Australian privacy standards to ensure data is destroyed safely.
- Manager should train staff on disposal procedures: Organise short educational sessions for team members highlighting the importance of data security and walk them through the correct disposal process for IT equipment.
- IT team should maintain records of disposal actions: Keep detailed logs of each piece of equipment disposed of, including dates, methods used, and confirmation of successful data destruction. This helps track compliance and monitors the effectiveness of the process.
Audit / evidence tips
- AskThe IT equipment disposal policy document: Request to see the written procedures that outline the disposal process GoodDocument will be detailed, covering all aspects from data deletion to final equipment fate
- AskRecent disposal records: Request the logs that show recent equipment disposals GoodWill include all relevant details and proof that procedures were followed
- AskTraining session records: Request documentation showing that staff training on disposal procedures has been conducted GoodWould confirm regular training occurs and participants understand their roles
- AskA list of approved disposal vendors: Request the list of vendors authorised for disposing of IT equipment GoodConfirms vendors' credentials are verified and up-to-date
- AskAn inventory audit report: Request the most recent audit of IT equipment inventory GoodShows that inventory is current and any missing devices have documented explanations
Cross-framework mappings
How ISM-1550 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 7.10 | ISM-1550 requires organisations to develop, implement and maintain procedures for disposing of IT equipment | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 7.14 | ISM-1550 requires organisations to develop, implement and maintain IT equipment disposal processes and supporting procedures | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.