Implement IT Equipment Destruction Procedures
Create and maintain processes for safely destroying IT equipment.
Plain language
Implementing IT equipment destruction procedures means setting up a clear and safe way to permanently get rid of old computers, servers, or other technology. This is important because if you just throw away or sell old equipment without proper destruction, sensitive information could be retrieved by the wrong people, leading to data breaches or privacy violations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
IT equipment destruction processes, and supporting IT equipment destruction procedures, are developed, implemented and maintained.
Why it matters
Without documented equipment destruction procedures, retired devices may retain recoverable data, causing data breaches, compliance failures, financial loss and reputational damage.
Operational notes
Maintain documented destruction steps (sanitisation/shredding), chain-of-custody records and certificates of destruction; periodically verify vendors and sample-check destroyed assets.
Implementation tips
- IT Team: Develop a clear procedure for destroying old IT equipment, including computers, servers, and other devices. Use methods like degaussing, shredding, or crushing to ensure data is irretrievable.
- Office Manager: Assign a person or team responsible for regularly reviewing which equipment needs destruction. Make this part of routine maintenance schedules to ensure no devices slip through the cracks.
- Procurement: Coordinate with certified e-waste disposal companies to handle the destruction process. Choose a vendor who provides certificates of destruction as proof.
- HR: Train staff to recognise what equipment falls under these procedures and why it's critical. This includes educating them about the importance of securely managing sensitive data at all stages.
- Finance: Budget for the costs associated with proper IT equipment destruction, including vendor services and staff training. This ensures no corners are cut due to financial constraints.
Audit / evidence tips
- Ask: the equipment destruction procedures document. Request to see the documented process for how IT equipment is to be destroyed in the organisation.
  Good: Detailed steps that reference specific destruction methods and timescales.
- Ask: destruction records. Request recent records of destroyed equipment including dates, types of equipment, and methods used.
  Good: Consistent records showing recent and compliant destruction activities.
- Ask: vendor agreements. Check copies of agreements or contracts with e-waste vendors.
  Good: Contracts that have data destruction clauses and certifications.
- Ask: certificates of destruction. Request certificates from the vendor for destroyed items.
  Good: Certificates linked to the equipment inventory and specific destruction records.
- Ask: staff training records. Request records indicating staff have been trained on the equipment destruction process.
  Good: Training logs showing names, dates, and completed training specific to data and equipment destruction.
Cross-framework mappings
How ISM-1741 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 7.14 | ISM-1741 requires organisations to develop, implement and maintain end-to-end IT equipment destruction processes and supporting procedures | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.