Control Stack
Annex A 7.14 ISO/IEC 27001:2022

Secure disposal or re-use of equipment

Ensure device data is erased or secured before disposal or reuse to prevent data breaches.

🏛️ Framework

ISO/IEC 27001:2022

🧭 Control effect

Preventative

🧱 ISO 27001 domain

Physical controls

🔐 Classifications

N/A

🗓️ Official last update

24 Oct 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 Maturity levels

N/A

Official control statement
Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Source: ISO/IEC 27001:2022

Plain language

This control is about making sure that any device you want to throw away or give to someone else has all its data completely wiped clean. If you don't do this, someone could find your sensitive information and use it against you.

Why it matters

Failing to securely erase devices can cause data breaches or licensing issues, exposing sensitive information to unauthorised parties.

Operational notes

Train staff in secure disposal. Before re-use or disposal, verify data removal and use approved wiping or destruction methods; keep disposal logs and certificates from recyclers.

Implementation tips

  • IT Manager: Develop a clear process for wiping data from old computers, phones, or any other devices with storage before they leave the organisation. Use software tools that overwrite data multiple times—this makes sure the data is not just 'deleted' but really gone.
  • Office Manager: Before you sell or donate any of your office equipment, make sure to check whether it still has storage media inside. Remove any labels or stickers that say who owns it to keep this information private.
  • Procurement: Whenever you buy new equipment, ensure it comes with the tools and instructions needed for secure data wiping when it's time to replace it. This helps plan for future secure disposal or re-use from the start.
  • HR Department: Make employees aware of the importance of secure data disposal. Train them to report any old equipment so it can be handled correctly by the IT department.
  • Compliance Officer: Reference applicable local data protection laws like the Privacy Act 1988 and CPS 234 to ensure compliance with data handling requirements. This will help avoid legal issues related to data breaches.
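
The operational note and the IT Manager tip above both come down to one technical step: overwrite the whole medium, then read it back and prove the overwrite took. The script below is an added worked example, not Control Stack's or ISO's own material. It writes a reproducible pseudo-random pattern over a medium, reads every byte back and compares it with the regenerated pattern, and returns a record that can be filed in the disposal log. The medium is a temporary file standing in for a disk, the "CONFIDENTIAL" sample content is constructed, and all function names and the hypothetical device path are assumptions.

```python
"""Overwrite-then-verify check for a storage medium before disposal or re-use.

The medium is modelled as a regular file so the example runs offline; on real
hardware the same functions would be pointed at a block device such as the
hypothetical /dev/sdX (assumption, not a path from the control text).
"""
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # read/write granularity in bytes


def pattern_stream(seed: bytes, length: int):
    """Yield `length` bytes of a deterministic pseudo-random pattern.

    The pattern is a pure function of `seed`, so the verify pass can regenerate
    exactly what the overwrite pass wrote without storing the whole pattern.
    """
    produced = 0
    counter = 0
    while produced < length:
        take = min(CHUNK, length - produced)
        yield hashlib.shake_256(seed + counter.to_bytes(8, "big")).digest(take)
        produced += take
        counter += 1


def overwrite(path: str, size: int, passes: int = 2) -> list:
    """Overwrite the whole medium `passes` times, each with a fresh random seed.

    Returns the seeds in order; the last one is what verify() must be given.
    """
    seeds = []
    for _ in range(passes):
        seed = secrets.token_bytes(32)
        with open(path, "r+b") as dev:
            dev.seek(0)
            for block in pattern_stream(seed, size):
                dev.write(block)
            dev.flush()
            os.fsync(dev.fileno())  # make sure the data actually reached the medium
        seeds.append(seed)
    return seeds


def verify(path: str, size: int, seed: bytes) -> dict:
    """Read the medium back and compare every byte with the regenerated pattern.

    Returns a record for the disposal log: whether verification passed, how many
    bytes were confirmed, and the offset of the first mismatch if there is one.
    """
    offset = 0
    first_mismatch = None
    with open(path, "rb") as dev:
        for expected in pattern_stream(seed, size):
            actual = dev.read(len(expected))
            if actual != expected:
                # locate the first byte that differs (or the point of a short read)
                for i in range(len(expected)):
                    if i >= len(actual) or actual[i] != expected[i]:
                        first_mismatch = offset + i
                        break
                break
            offset += len(expected)
    return {
        "verified": first_mismatch is None,
        "bytes_checked": size if first_mismatch is None else first_mismatch,
        "first_mismatch": first_mismatch,
        "pattern_seed": seed.hex(),  # keep with the log so the check is repeatable
    }


def demo() -> tuple:
    """Constructed scenario: a 1 MiB 'disk' holding sample confidential data."""
    size = 1024 * 1024
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write((b"CONFIDENTIAL customer export\n" * 40000)[:size])
        path = tmp.name
    try:
        before = overwrite.__globals__["verify"](path, size, b"not-the-real-seed")  # unwiped medium fails
        seeds = overwrite(path, size, passes=2)
        after = verify(path, size, seeds[-1])  # clean pass after the overwrite
        # simulate a block the device failed to overwrite (e.g. a remapped sector)
        with open(path, "r+b") as dev:
            dev.seek(700_000)
            dev.write(b"CONFIDENTIAL")
        tampered = verify(path, size, seeds[-1])  # caught, with the offset
    finally:
        os.unlink(path)
    return before, after, tampered


if __name__ == "__main__":
    for label, record in zip(("before wipe", "after wipe", "residual block"), demo()):
        print(f"{label}: {record}")
```

Two points a practitioner should keep in mind when adapting this. First, the verify pass is only meaningful because the pattern is reproducible from a stored seed; recording the seed alongside the asset identifier and the recycler's certificate makes the check repeatable by an auditor. Second, a logical overwrite only covers what the operating system can address: host-protected areas and device configuration overlays (see ISM-1065 in the mappings below), remapped sectors, and the spare cells flash controllers keep for wear levelling are not reached this way, which is why the mapped ISM controls call for firmware sanitisation or physical destruction where overwriting cannot be verified.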

Audit / evidence tips

  • Ask: evidence of a data disposal policy

    Good: clear procedures with defined responsibilities and tools for secure data erasure

  • Ask: to see records of disposed equipment

    Good: a log that matches with the organisation’s policy on data disposal

  • Ask: a demonstration of the data wiping software

    Good: a reputable tool with certifications or evaluations (e.g., ISO standards) showing it does a thorough data wipe

  • Ask: to see training records for employees on data disposal processes

    Good: regular, detailed sessions that cover the importance and methods of data wiping

  • Ask: to inspect the physical disposal or recycling facilities

    Good: secure storage with access control until data is verified as wiped

Cross-framework mappings

How Annex A 7.14 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ASD ISM

Control Notes Details
Partially meets (24)
ISM-0312 ISM-0312 requires that overseas IT equipment (including associated media) that has processed, stored or communicated AUSTEO or AGAO data ...
ISM-0317 ISM-0317 requires printing at least three full pages of random text (with no blank areas) on each colour printer cartridge or MFD print d...
ISM-0318 ISM-0318 requires destruction of printer cartridges or print drums when sanitisation is not possible to prevent residual data exposure
ISM-0351 ISM-0351 requires volatile media to be sanitised by removing power for at least 10 minutes
ISM-0352 ISM-0352 mandates a specific sanitisation technique for SECRET and TOP SECRET volatile media: full overwrite with random data followed by...
ISM-0354 ISM-0354 mandates a specific, verifiable overwriting process to sanitise non-volatile magnetic media so that prior data cannot be accessed
ISM-0357 ISM-0357 requires a specific sanitisation method for non-volatile EPROM media, including extended UV erasure and a full overwrite with ve...
ISM-0359 ISM-0359 requires non-volatile flash memory to be sanitised by overwriting the entire media at least twice with a random pattern and perf...
ISM-0362 ISM-0362 mandates following the degausser manufacturer’s directions to ensure correct degaussing of magnetic media
ISM-0368 ISM-0368 requires physical destruction of media such that waste particles are no larger than 9 mm to prevent data recovery
ISM-0373 ISM-0373 requires personnel supervising destruction of media storing accountable material to supervise handling through to destruction, v...
ISM-0836 Annex A 7.14 requires ensuring sensitive data is removed or securely overwritten from storage media before equipment disposal or re-use
ISM-1067 Annex A 7.14 requires ensuring sensitive data is removed or securely overwritten from storage media prior to disposal or re-use
ISM-1157 ISM-1157 requires that when destroying magnetic storage media, organisations use NSA-evaluated degaussers to ensure the destruction metho...
ISM-1160 Annex A 7.14 requires ensuring sensitive data is removed or securely overwritten before equipment containing storage media is disposed of...
ISM-1218 ISM-1218 requires IT equipment (and associated media) located overseas that has handled AUSTEO or AGAO data to be sanitised in situ
ISM-1219 ISM-1219 requires MFD print drums and image transfer rollers to be inspected and destroyed if remnant toner cannot be removed or an image...
ISM-1220 ISM-1220 requires organisations to inspect printer and MFD platens and destroy them if any text or images are retained
ISM-1222 ISM-1222 requires televisions and computer monitors that cannot be sanitised to be physically destroyed to prevent residual data compromise
ISM-1223 ISM-1223 requires network device memory to be sanitised using device-specific evaluation guidance, vendor sanitisation guidance, or a dum...
ISM-1517 ISM-1517 requires the secure destruction of microfiche and microfilm using equipment that reduces microform to a fine powder such that fr...
ISM-1641 ISM-1641 requires that after degaussing, magnetic media is physically damaged (e.g
ISM-1726 ISM-1726 requires optical disks to be physically destroyed using specific methods (e.g
ISM-1727 ISM-1727 requires semiconductor memory to be physically destroyed using specialised destruction methods (e.g., furnace/incinerator, hamme...
Partially overlaps (29)
ISM-0161 ISM-0161 requires IT equipment and media to be secured when not in use to prevent unauthorised access
ISM-0307 ISM-0307 requires sanitising IT equipment and any associated media before maintenance or repair when the technician is not appropriately ...
ISM-0313 ISM-0313 requires organisations to develop, implement and maintain IT equipment sanitisation processes and procedures
ISM-0315 ISM-0315 requires that high assurance IT equipment is destroyed prior to disposal to prevent any data leakage
ISM-0316 ISM-0316 requires that, after sanitisation, destruction or declassification, a formal administrative decision authorises releasing IT equ...
ISM-0321 ISM-0321 requires the organisation to contact ASD for disposal requirements when disposing of emanation security (TEMPEST-like) equipment
ISM-0330 ISM-0330 requires that before media is reclassified to a lower sensitivity or classification, it is sanitised or destroyed and a formal a...
ISM-0350 ISM-0350 mandates destruction of media that cannot be sanitised before disposal
ISM-0360 ISM-0360 requires that sanitised SECRET and TOP SECRET flash media still retains its classification and must continue to be treated and c...
ISM-0363 ISM-0363 requires media destruction processes and supporting procedures to be developed, implemented and maintained so media is securely ...
ISM-0371 ISM-0371 requires personnel to supervise the handling of media through to destruction and verify that destruction is completed successfully
ISM-0374 ISM-0374 requires organisations to develop, implement and maintain media disposal processes and supporting procedures
ISM-0375 ISM-0375 requires that after sanitisation, destruction or declassification, an authorised administrative decision is formally made before...
ISM-0378 ISM-0378 requires removal of labels/markings from media before disposal so the media cannot be linked to an owner, classification, or pri...
ISM-0835 ISM-0835 requires that, even after sanitisation, TOP SECRET volatile media may retain its TOP SECRET classification where data persistenc...
ISM-0839 ISM-0839 requires that the destruction of media storing accountable material is not outsourced
ISM-0947 ISM-0947 requires that when data is manually transferred between systems in different security domains, any rewritable transfer media is ...
ISM-1217 ISM-1217 requires labels and markings that could identify the owner, sensitivity or classification of IT equipment to be removed before d...
ISM-1361 Annex A 7.14 requires verification that data and licensed software are removed or securely overwritten before equipment is disposed of or...
ISM-1550 ISM-1550 requires organisations to develop, implement and maintain IT equipment disposal processes and supporting procedures
ISM-1599 ISM-1599 requires IT equipment handling according to sensitivity or classification
ISM-1642 ISM-1642 requires media to be sanitised before it is reused in a different security domain to prevent data leakage across domains
ISM-1724 ISM-1724 requires magnetic hard disks to be physically destroyed using approved methods to prevent data recovery
ISM-1729 ISM-1729 specifies how destroyed TOP SECRET media waste particles must be classified, stored, and handled after destruction based on part...
ISM-1735 ISM-1735 requires that media which cannot be successfully sanitised is destroyed prior to disposal
ISM-1741 ISM-1741 requires organisations to develop, implement and maintain end-to-end IT equipment destruction processes and supporting procedures
ISM-1742 ISM-1742 requires that IT equipment that cannot be sanitised is destroyed to prevent residual data compromise
ISM-2021 ISM-2021 requires system owners to minimise data held in their systems by limiting what is collected and retained
ISM-2053 ISM-2053 requires organisations to produce and publish end-of-life (EOL) procedures for software, including removal of the software and a...
Supports (3)
ISM-0361 ISM-0361 requires the destruction of magnetic media using a degausser with suitable field strength and orientation, ensuring the data can...
ISM-1065 ISM-1065 requires organisations to reset the host-protected area (HPA) and device configuration overlay (DCO) on non-volatile magnetic ha...
ISM-1221 Annex A 7.14 requires verification that sensitive data is removed prior to disposal or re-use of equipment containing storage media
Related (1)
ISM-0311 ISM-0311 requires IT equipment containing media to be sanitised, either by removing the media or sanitising it in situ, to ensure residua...
