A company upgrades its server fleet and donates the old machines to a university. Nobody checks the hard drives. A student runs a data-recovery tool and finds: payroll records, customer contracts, internal strategy documents and database backups with plaintext passwords. The story makes local news. The cost of the data breach exceeds the value of the new servers. A.7.14 prevents this by requiring that every piece of equipment is verified clean before it leaves your control.
The control requires organizations to ensure that equipment containing storage media is verified — data securely erased or the media physically destroyed — before disposal or re-use. The goal is to prevent information leakage from decommissioned or repurposed equipment.
What does the standard require?
The core requirements cover four areas:
- Data erasure before disposal. All sensitive data and licensed software must be securely erased or overwritten before equipment is disposed of or re-used. The method must make data recovery infeasible.
- Physical destruction as alternative. When secure erasure is not possible (e.g. damaged drives, integrated storage), the storage media must be physically destroyed.
- Labelling and identification removal. All labels, stickers and markings that identify the organization or the nature of the data stored must be removed before disposal.
- Security-system removal. When vacating premises, all security controls (access systems, surveillance equipment, locks) must be decommissioned to prevent them from being repurposed by a subsequent tenant.
In practice
Define a decommissioning procedure. Create a step-by-step checklist: (1) back up any needed data, (2) determine the data classification of the device, (3) select the appropriate erasure/destruction method, (4) perform the erasure or arrange destruction, (5) verify the result, (6) remove labels and markings, (7) log the action, (8) issue or collect a destruction certificate.
Use recognized methods and tools. Follow NIST SP 800-88 (Guidelines for Media Sanitization), which distinguishes Clear, Purge and Destroy, and choose the method by media type rather than by tool default: a verified overwrite or ATA Secure Erase for magnetic disks; the drive's own sanitize or cryptographic-erase command for SSDs and NVMe devices, because a software overwrite cannot reach remapped or over-provisioned flash cells; cryptographic erase (destruction of the media encryption key) for self-encrypting drives. The multi-pass DoD 5220.22-M pattern that many tools still offer is no longer maintained as a sanitization standard and adds nothing on modern media. For physical destruction, use a certified shredding service and match the DIN 66399 security level to the data classification. Retain certificates of destruction.
Verify before release. Before any device leaves the organization, whether for disposal, donation, resale or return to a lessor, confirm that the erasure actually completed: erase tools can abort part-way, skip a drive whose ATA security state is frozen, or silently fall back to a weaker method. For wiped devices, read a random sample of sectors directly from the device and check that only zeros, the overwrite pattern or random bytes come back, or run a file-carving tool over the device; a file-system-level undelete tool is not a sufficient check because it only finds what the file system still indexes. On SSDs such a read covers the logical address space only, so pair it with the drive's reported sanitize status. For destroyed devices, collect the destruction certificate.
Cover all device types. Servers, workstations, laptops, tablets, smartphones, printers, copiers, network equipment, IoT devices: anything with persistent storage. Printers and multifunction copiers are frequently overlooked although many keep copies of scanned and printed documents on an internal drive, and switches, routers and firewalls hold configuration with credentials, keys and network details that must be wiped as well.
Handle leased equipment. When returning leased equipment, the same erasure requirements apply. Coordinate with the lessor to ensure your data is removed before the device is refurbished or reissued.
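One way to carry out steps (5) and (7) of the checklist above, the post-wipe spot-check and the log entry, as an added example that is not part of this page or of any vendor's erasure tooling: it reads a block device or a disk image, samples blocks, and flags any block that is neither all-zero nor high-entropy, since structured bytes that survive a wipe are exactly what a carving tool recovers. The serial number, operator name, the field names of the log record and the constructed test image are this example's own assumptions.

```python
"""Post-erasure spot-check plus decommissioning-log record (added example)."""
import hashlib
import json
import math
import os
import random
import sys
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096
ENTROPY_THRESHOLD = 7.5  # bits/byte; random-overwritten or crypto-erased media read close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_block(block: bytes) -> str:
    """'zero' and 'random' are what a completed wipe looks like; anything else is 'suspect'."""
    if not any(block):
        return "zero"
    if shannon_entropy(block) >= ENTROPY_THRESHOLD:
        return "random"
    return "suspect"  # structured bytes: the kind of thing a carving tool recovers


def spot_check(path: str, samples: int = 256, block_size: int = BLOCK_SIZE, seed=None) -> dict:
    """Sample blocks from a block device or disk image and classify each one. The first
    and last block are always included: partition tables and superblocks live there."""
    rng = random.Random(seed)
    fd = os.open(path, os.O_RDONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works on /dev/sdX, unlike os.path.getsize
        nblocks = size // block_size
        if nblocks == 0:
            raise ValueError(f"{path}: smaller than one block")
        indices = {0, nblocks - 1}
        while len(indices) < min(samples, nblocks):
            indices.add(rng.randrange(nblocks))
        result = {"zero": 0, "random": 0, "suspect": []}
        for i in sorted(indices):
            os.lseek(fd, i * block_size, os.SEEK_SET)
            kind = classify_block(os.read(fd, block_size))
            if kind == "suspect":
                result["suspect"].append(i)
            else:
                result[kind] += 1
    finally:
        os.close(fd)
    return result


def log_record(device: str, serial: str, method: str, operator: str, check: dict) -> dict:
    """One decommissioning-log entry (field names are this example's own), sealed with
    a SHA-256 over its contents so a later edit to the log is detectable."""
    record = {
        "device": device,
        "serial": serial,  # assumed to come from the asset register / SMART data
        "method": method,  # e.g. "NVMe sanitize (crypto erase)"
        "operator": operator,
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "blocks_sampled": check["zero"] + check["random"] + len(check["suspect"]),
        "suspect_blocks": check["suspect"],
        "result": "PASS" if not check["suspect"] else "FAIL",
    }
    record["record_sha256"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


def build_image(path: str, residual: bool) -> None:
    """Constructed 1 MiB image: all zeros, optionally with a fake payroll export
    left behind in block 100 to simulate an interrupted wipe."""
    with open(path, "wb") as f:
        f.write(b"\x00" * (256 * BLOCK_SIZE))
        if residual:
            f.seek(100 * BLOCK_SIZE)
            f.write(b"EMPLOYEE,SALARY\nalice,85000\n" * 50)


def demo() -> dict:
    """Check a clean image and a not-quite-wiped one; return both log records."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name, residual in (("wiped", False), ("residual", True)):
            img = os.path.join(d, name + ".img")
            build_image(img, residual)
            check = spot_check(img, samples=256, seed=1)  # 256 samples = every block of the image
            out[name] = log_record(img, "SN-EXAMPLE-0001", "single-pass zero overwrite", "jdoe", check)
    return out


if __name__ == "__main__":
    if len(sys.argv) == 5:  # spotcheck.py /dev/sdX SERIAL "method" operator (raw device needs root)
        dev, serial, method, who = sys.argv[1:]
        print(json.dumps(log_record(dev, serial, method, who, spot_check(dev)), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it after the erase command has reported completion and before the drive leaves the building; with no arguments it exercises the two constructed images, where the clean one passes and the one with the leftover payroll block fails with block 100 listed. The entropy threshold is what makes a random-pattern overwrite or a crypto-erase pass while plaintext, logs or database pages fail. On an SSD the check reads the logical address space only, so it proves the sanitize command took effect on what the host can see, not that over-provisioned or retired cells were cleared; that assurance comes from the drive's sanitize status and the erase tool's report, which belong in the same log entry.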
Typical audit evidence
Auditors typically expect the following evidence for A.7.14:
- Decommissioning procedure — documented step-by-step process (link to Physical Security Policy in the Starter Kit)
- Decommissioning log — register of all decommissioned devices with dates, methods and responsible persons
- Destruction certificates — certificates from the destruction vendor (per batch or per device)
- Secure-erase reports — tool-generated reports confirming successful erasure
- Vendor contracts — agreements with certified destruction providers
- Spot-check records — evidence of verification tests on wiped devices
KPI
% of decommissioned equipment with verified secure data erasure
Measured as a percentage: how many of the devices decommissioned in the last 12 months have documented proof of secure data erasure or physical destruction? Target: 100%. The most common gap: devices that were “just thrown away” or donated without going through the formal process.
Supplementary KPIs:
- Number of devices awaiting decommissioning (backlog — should be minimized)
- Average time between decommissioning decision and completed erasure/destruction
- % of destruction certificates on file for the last 12 months
- Number of device types included in the decommissioning procedure (target: all types with persistent storage)
BSI IT-Grundschutz
A.7.14 maps primarily to BSI CON.6 (Deletion and Destruction of Data):
- CON.6.A2 (Selection of methods for deletion and destruction) — requires that erasure/destruction methods are selected based on the classification level, with reference to DIN 66399 security levels.
- CON.6.A13 (Documentation of deletion and destruction) — requires documented proof of every erasure and destruction action, including method, date and responsible person.
- SYS.1.1.A25 (Server decommissioning) — specific requirements for server decommissioning: data erasure, configuration removal, documentation.
- SYS.1.8.A16 / SYS.1.8.A25 (Storage systems) — erasure and destruction of storage-system components.
- SYS.2.1.A27 (Client decommissioning) — specific requirements for workstation and laptop decommissioning.
- SYS.4.4.A20 (IoT device decommissioning) — covers IoT devices, which often have firmware-embedded data.
- NET.4.1.A11 / NET.4.2.A12 (Telecommunications equipment) — erasure of configuration data and logs from telecom devices.
Related controls
A.7.14 closes the equipment lifecycle:
- A.7.12 — Cabling security: Decommissioned cabling must be removed or disconnected.
- A.7.13 — Equipment maintenance: When maintenance is no longer viable, disposal begins.
Additional connections: A.7.10 (Storage media — the data-lifecycle perspective), A.5.12 (Classification of information — drives the destruction method) and A.8.10 (Information deletion — the logical counterpart to physical destruction).
Sources
- ISO/IEC 27001:2022 Annex A, Control A.7.14 — Secure disposal or re-use of equipment
- ISO/IEC 27002:2022 Section 7.14 — Implementation guidance for secure disposal or re-use of equipment
- BSI IT-Grundschutz, CON.6 — Deletion and destruction of data