SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:
SPRING30

Expert Advice Community

Home / ISO 27001 & 22301 / IT Assets Disposal/ Write-Off

Guest

IT Assets Disposal/ Write-Off

ISO 27001 & 22301
  Quote
Guest
Guest user Created:   Sep 01, 2021 Last commented:   Sep 01, 2021

IT Assets Disposal/ Write-Off

ISO 27001 & 22301
Dear Dejan, Hope you are doing fine. We are glad to inform you that we are officially an ISO 27001 certified Company now. Thank you for your support and toolkit. We need your advice in the IT assets disposal/write-off, our query is we recently gave few laptops to our staff since there previous laptops were old enough, please suggest a suitable and universal method accepted by Auditors to dispose them as per controls A.8.3.2 Disposal of Media and A.11.2.7 Secure Disposal or Re-use of Equipment and return the old laptops to staff for their personal use. Basically, we need to know what proofs we need to keep to show the auditors that the disposal/write-off has been done in compliance with ISO 27001. Thank you in advance.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.
Expert
Rhand Leal Sep 01, 2021

First of all, congratulations on your company’s achievement.

Regarding the IT assets disposal, you need to evidence that the applied data deletion method has made the previously stored information unrecoverable and that its application was verified and approved by the data owner.

For example, for a laptop, you can perform full disk encryption two or three times in a row, and at each time encryption is performed you must destroy the related encryption key.

As a proof for auditors you can develop a "Destructio/Deletion Record" containing the information about the asset, the deletion method aplied, date when the procedure was performed, and the signature of the person responsible for the deleted data, as a confirmation that the procedure was successfull.

For technical guidance, you should consider these references:
- ISO/IEC 27040 Information technology — Security techniques — Storage security - https://www.iso.org/obp/ui/#iso:std:iso-iec:27040:ed-1:v1:en
- NIST 800-88 - Guidelines for Media Sanitization https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 31, 2021

Aug 31, 2021

Suggested Topics
Guest user Created:   Oct 31, 2023 ISO 27001 & 22301
Replies: 1
0 0

Question on risk register and selection of the assets
Guest user Created:   Aug 10, 2023 ISO 27001 & 22301
Replies: 1
0 0

What asset to list when Risks relate to general or high-level assets?
Guest user Created:   Jan 24, 2023 ISO 27001 & 22301
Replies: 1
0 0

Statement for logs retention periods regarding critical assets