Expert Advice Community

IT Assets Disposal/ Write-Off

Guest user Created:   Sep 01, 2021 Last commented:   Sep 01, 2021

Dear Dejan,

Hope you are doing fine. 

We are glad to inform you that we are officially an ISO 27001 certified Company now. Thank you for your support and toolkit. 

We need your advice on IT asset disposal/write-off. Our query is this: we recently gave a few laptops to our staff, since their previous laptops were old enough. Please suggest a suitable and universal method, accepted by auditors, to dispose of them as per controls A.8.3.2 Disposal of Media and A.11.2.7 Secure Disposal or Re-use of Equipment, and to return the old laptops to staff for their personal use.

Basically, we need to know what proofs we need to keep to show the auditors that the disposal/write-off has been done in compliance with ISO 27001. 

Thank you in advance.

Expert
Rhand Leal Sep 01, 2021

First of all, congratulations on your company’s achievement.

Regarding IT asset disposal, you need to evidence that the applied data deletion method has made the previously stored information unrecoverable, and that its application was verified and approved by the data owner.

For example, for a laptop, you can perform full disk encryption two or three times in a row, and each time encryption is performed you must destroy the related encryption key.

As proof for auditors you can develop a "Destruction/Deletion Record" containing information about the asset, the deletion method applied, the date when the procedure was performed, and the signature of the person responsible for the deleted data, as confirmation that the procedure was successful.

For technical guidance, you should consider these references:
- ISO/IEC 27040 Information technology — Security techniques — Storage security - https://www.iso.org/obp/ui/#iso:std:iso-iec:27040:ed-1:v1:en
- NIST 800-88 - Guidelines for Media Sanitization https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final

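The verification step and the Destruction/Deletion Record that the answer above describes, as an added example that is not part of the original post or of any Advisera toolkit document. It performs a NIST SP 800-88 "Clear" (single-pass overwrite) on a media image, reads every byte back to confirm nothing of the old content remains, and emits the record with the fields the answer names. The record field names, the asset identifiers and the 1 MiB sample image are assumptions made for this illustration.

```python
"""Added example (not from the original post): NIST SP 800-88 'Clear' overwrite
of a media image, full read-back verification, and a Destruction/Deletion Record.
Field names, asset identifiers and the sample image are assumptions."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16     # read/write in 64 KiB blocks
PATTERN = 0x00      # overwrite pattern for a single-pass Clear


def overwrite(path, pattern=PATTERN):
    """Overwrite every byte of the file or device at `path` with `pattern`."""
    size = os.path.getsize(path)
    block = bytes([pattern]) * CHUNK
    with open(path, "r+b") as f:
        done = 0
        while done < size:
            n = min(CHUNK, size - done)
            f.write(block[:n])
            done += n
        f.flush()
        os.fsync(f.fileno())   # ensure the pattern reached the media, not only the page cache
    return size


def verify(path, pattern=PATTERN):
    """100% read-back verification. Returns (passed, bytes_checked, first_bad_offset)."""
    block = bytes([pattern]) * CHUNK
    checked = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                break
            if buf != block[:len(buf)]:
                bad = next(i for i, b in enumerate(buf) if b != pattern)
                return False, checked + bad, checked + bad
            checked += len(buf)
    return True, checked, None


def sha256_of(path):
    """Digest of the media after sanitisation, stored so the record is tamper-evident."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def deletion_record(path, asset, method, performed_by, data_owner):
    """Build the evidence record: asset identity, method, date, verification result, sign-offs."""
    passed, checked, first_bad = verify(path)
    return {
        "asset": asset,                      # assumed shape: {"asset_id": ..., "media_serial": ...}
        "method": method,
        "reference": "NIST SP 800-88 Rev. 1 (Clear: single-pass overwrite, full verification)",
        "date_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes_verified": checked,
        "verification_passed": passed,
        "first_unsanitised_offset": first_bad,
        "post_sanitisation_sha256": sha256_of(path),
        "performed_by": performed_by,         # operator who ran the procedure
        "data_owner_approval": data_owner,    # person responsible for the data, confirming the result
    }


def demo(image_size=1 << 20):
    """Constructed sample: a 1 MiB 'disk image' full of recognisable data, sanitised in place."""
    fd, path = tempfile.mkstemp(prefix="media-")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write((b"CONFIDENTIAL customer record\n" * (image_size // 16))[:image_size])
        before = verify(path)[0]     # False: the old data is still present
        overwrite(path)
        record = deletion_record(
            path,
            {"asset_id": "LT-0042", "media_serial": "S1234"},   # assumed identifiers
            "Single-pass overwrite (0x00) + 100% read-back",
            "IT operator", "Data owner")
    finally:
        os.remove(path)
    return before, record


if __name__ == "__main__":
    before, record = demo()
    print("data present before sanitisation:", not before)
    print(json.dumps(record, indent=2))
```

The file-based image only shows the verification and record logic. On a real SSD a host-side overwrite does not reach over-provisioned or remapped blocks, so for laptops that leave the company use the drive's own sanitize command or cryptographic erase as SP 800-88 describes, run the read-back against the block device itself, and file the resulting record with the asset inventory entry so the auditor can trace asset, method, date and sign-off together.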
