05) Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained?
IT Operations Secure Media Disposal Secure Destruction
Written by Haydn Brooks
Created on March 18, 2019
Modified on June 7, 2020

Answer yes if your organisation has a process to securely destroy all media that may hold business information. If a third party is used, only answer yes if your organisation receives certificates of destruction. Please provide a document outlining the process (as a PDF file) as evidence or describe the process in the notes section.

A common way for businesses to experience a data breach is through confidential data being recovered from digital media that has been thrown out or repurposed. In fact, a common method used by malicious actors targeting a company is to search thoroughly through its discarded waste for any information they can use in a later attack.

It is therefore essential that you ensure any media is securely wiped or destroyed before being thrown away. Either a robust, auditable internal secure media destruction process should be evidenced, with the appropriate procedures, tools and logs/audits in place, or an auditable third-party contract for the secure destruction of media, supported by certificates of destruction, should be in operation.

How to implement the control:

You can either implement an internal, auditable secure media destruction process if your IT team has the tools and expertise to do so, or contract this work out to a third party that specialises in the secure destruction of media.

If this work is contracted out to a third party, it is important that the third-party supplier provides certificates of destruction for every item of media it disposes of.
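One way to make the control auditable in practice is to reconcile the asset register's list of retired media against the certificates of destruction received, so that any medium with no certificate, or with an incomplete certificate, is flagged for follow-up. The script below is an added example, not Risk Ledger's own tooling; the register entries, certificate records and their field names are constructed for illustration.

```python
"""Reconcile retired storage media against certificates of destruction (constructed example)."""
from datetime import date

# Constructed sample data: media marked as retired in the asset register.
RETIRED_MEDIA = [
    {"asset_id": "HDD-0001", "serial": "WD-SN-1001", "retired": date(2020, 3, 2)},
    {"asset_id": "SSD-0002", "serial": "SAM-SN-2002", "retired": date(2020, 3, 5)},
    {"asset_id": "USB-0003", "serial": "KING-SN-3003", "retired": date(2020, 4, 1)},
]

# Constructed certificates of destruction as received from a disposal vendor.
# CD-78 is deliberately missing its destruction method to show the completeness check.
CERTIFICATES = [
    {"cert_no": "CD-77", "serials": ["WD-SN-1001"], "method": "shred",
     "issued": date(2020, 3, 9), "vendor": "Example Disposal Ltd"},
    {"cert_no": "CD-78", "serials": ["SAM-SN-2002"], "method": "",
     "issued": date(2020, 3, 9), "vendor": "Example Disposal Ltd"},
]

# Fields an auditor would expect on every certificate (hypothetical minimum set).
REQUIRED_CERT_FIELDS = ("cert_no", "serials", "method", "issued", "vendor")


def audit_destruction(media, certificates):
    """Return findings keyed by issue type; empty lists mean the control is evidenced."""
    findings = {"missing_certificate": [], "incomplete_certificate": [],
                "certificate_before_retirement": []}
    by_serial = {}  # serial number -> certificate covering it
    for cert in certificates:
        if any(not cert.get(field) for field in REQUIRED_CERT_FIELDS):
            findings["incomplete_certificate"].append(cert.get("cert_no", "<no number>"))
        for serial in cert.get("serials", []):
            by_serial[serial] = cert
    for item in media:
        cert = by_serial.get(item["serial"])
        if cert is None:
            findings["missing_certificate"].append(item["asset_id"])
        elif cert.get("issued") and cert["issued"] < item["retired"]:
            # A certificate dated before the medium was retired cannot cover it.
            findings["certificate_before_retirement"].append(item["asset_id"])
    return findings


def control_satisfied(findings):
    """True only when every retired medium has a complete, consistent certificate."""
    return not any(findings.values())


if __name__ == "__main__":
    for issue, ids in audit_destruction(RETIRED_MEDIA, CERTIFICATES).items():
        print(f"{issue}: {ids}")
```

Run against a real register and vendor certificate export, the `findings` output is the evidence an assessor would expect alongside the documented process.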

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.