The secure disposal of media is a critical aspect of information security management.
The A.8.3.2 control objective in the ISO/IEC 27001:2013 standard provides guidelines for the disposal of media.
Organizations must ensure that they dispose of media in a secure and responsible manner to prevent unauthorized access to sensitive information.
This article provides a checklist of critical factors that organizations should consider when disposing of media.
- Are media disposal methods clearly defined, and are they consistent with the organization’s policies, contractual, legal, or regulatory requirements?
- Are media disposed of in-house, or is disposal outsourced to a third party?
- If disposal is outsourced, has the third party been selected after due diligence, and is there a suitable contract in place that meets the applicable security and assurance requirements?
Approval and Documentation
- Are there documented approvals at every stage for the disposal of media?
- Are data that still need to be retained copied to other media and verified before disposal?
- Is documentary evidence of media destruction retained, and what are its retention and review periods?
- Are media embedded within equipment, such as multifunction devices, appropriately disposed of to ensure the security of sensitive data?
- Are particularly sensitive data securely deleted before media disposal, such as by cryptographic erasure, degaussing, and/or physical destruction?
The disposal of media is an essential aspect of information security management.
Organizations must ensure that they dispose of media securely and responsibly to prevent unauthorized access to sensitive information.
The checklist provided in this article covers critical factors that organizations should consider when disposing of media.
By following these guidelines, organizations can minimize the potential risks associated with the disposal of media and protect their valuable information assets.