ISO 27001 Control 7.14: Secure Disposal or Re-Use of Equipment

Decommissioned laptops and servers don’t forget what they stored. Every year, organizations that skip proper sanitization before disposing of or reallocating equipment hand attackers a free path to sensitive records — customer data, credentials, intellectual property — all recoverable with freely available forensic tools. ISO 27001 control 7.14 exists to close that gap.

What 7.14 Requires

ISO 27001 Annex A control 7.14 mandates that every piece of equipment containing storage media must be verified as sanitized before it leaves your control — whether that means disposal, resale, recycling, or internal reallocation to another team or business unit.

The control has two non-negotiable outcomes:

  1. Sensitive data is permanently removed. Not deleted, not formatted — permanently destroyed beyond forensic recovery.
  2. Licensed software is removed. Leaving proprietary software on reassigned or disposed equipment breaches license terms, and an activated installation often carries cached credentials or sign-ins to enterprise services that the next holder should not have.

The scope covers both disposal (equipment leaving the organization entirely) and re-use (equipment transferred internally or to another party). A laptop reassigned from the finance team to a new hire carries the same risk as one shipped to a reseller — if the drive wasn’t properly sanitized, prior data remains recoverable.

This matters because “deleted” does not mean “gone.” Standard file deletion and disk formatting remove pointers to data, not the data itself. Anyone with access to basic forensic recovery tools — many of which are free — can reconstruct files from a formatted drive in minutes. SSDs add a twist rather than a reprieve: wear-leveling and over-provisioning mean a software overwrite cannot reach every physical block, so remnants can survive in areas the operating system cannot even address. Without a firmware-level sanitize command, cryptographic erasure or physical destruction, residual data on solid-state media remains a liability.

The control also extends to equipment containing embedded storage that’s easy to overlook — network switches with configuration data, printers with internal hard drives, multifunction copiers that cache scanned documents, and IoT devices with flash memory. If it stores data, 7.14 applies.

Why 7.14 Matters

In a common pattern, an organization retires a batch of laptops to a reseller without verifying sanitization. Months later, customer PII surfaces on a forensic recovery blog. The organization faces regulatory scrutiny under GDPR or HIPAA, a mandatory breach notification, and the reputational damage that follows.

This isn’t a theoretical risk. According to Blancco’s 2025 State of Data Sanitization Report, which surveyed 2,000 enterprise respondents, 17% of data breaches were caused by redeployed devices or drives still containing sensitive data from prior use. The same report found that 25% of laptops and desktops were refurbished without certified erasure, and only 37% of enterprises were aware of NIST 800-88 — the de facto standard for media sanitization.

The risk class is data leakage through physical media, with cascading consequences: regulatory penalties, audit nonconformities, loss of customer trust, and potential legal liability. Severity ranges from moderate to high depending on the data classification of what was stored on the equipment.

For organizations subject to multiple regulatory frameworks, a single disposal failure can trigger parallel investigations. A healthcare provider that loses patient data from an unsanitized laptop faces both a HIPAA breach notification and, if the patient is an EU resident, a GDPR supervisory authority inquiry — each with independent penalty structures. Blancco’s research found that 41% of enterprises surveyed had lost data through stolen devices or drives containing sensitive information, making physical media one of the most common breach vectors alongside credential theft and ransomware.

What Attackers Exploit

Specific failure modes that make improperly disposed equipment a target:

  • Drives “deleted” but not overwritten — data is fully recoverable with free forensic tools like Recuva or PhotoRec
  • Broken equipment assumed safe — damaged hard drives still yield data; platters can be transplanted into working enclosures
  • No verification step before handoff — equipment reaches disposal vendors with live data because no one checked
  • Leased equipment returned without sanitization — lease returns often bypass IT disposal workflows entirely
  • Asset tags and labels left on equipment — physical identifiers reveal which organization the device belonged to, making targeted data recovery trivial
  • Licensed software left on re-used devices — creates licensing violations and may grant unintended access to enterprise services
  • No certificate of destruction from vendors — without serial-number-level proof of destruction, there’s no way to verify a vendor actually sanitized anything
  • Overlooking embedded storage — printers, copiers, network switches, and IoT devices often contain data-bearing flash memory or hard drives that are forgotten during disposal workflows

How to Implement 7.14

For Your Organization (First-Party)

Implementing 7.14 starts with connecting your disposal process to your asset register and data classification scheme. The goal is a repeatable, auditable workflow that ensures no device leaves your control with recoverable data. Here’s a step-by-step approach:

1. Build an equipment disposal policy tied to your asset register. Every device containing storage media should be tracked from procurement through disposal. Your asset register (see control 5.9) is the single source of truth — if a device isn’t in the register, you can’t prove it was properly disposed of. The policy should define who can authorize disposal, which sanitization methods are approved for each data classification tier, and how long disposal records must be retained.

2. Classify data sensitivity on each device before choosing a sanitization method. The sanitization method must match the data classification. A development laptop with no customer data requires a different approach than a database server that held PII.

3. Apply the appropriate sanitization level. NIST SP 800-88 (updated to revision 2 in September 2025) defines three levels:

  • Clear — Logical techniques applied to all user-addressable storage, typically a single overwrite with a fixed pattern or the equivalent firmware command. Protects against simple, non-invasive recovery tools; suitable for internal re-use of low-risk devices.
  • Purge — Physical or logical techniques that make recovery infeasible even with laboratory methods: cryptographic erase, firmware block erase (ATA Secure Erase or Sanitize, NVMe Sanitize), or degaussing of magnetic media. A software overwrite does not count as Purge on flash media, because it cannot reach over-provisioned blocks. The usual minimum for devices leaving your organization or being transferred to another party.
  • Destroy — Physical destruction through shredding, incineration, disintegration or pulverizing, so the media cannot be re-used at all. Required for high-sensitivity data where no residual risk is acceptable.

4. Remove all physical identifiers. Strip asset tags, labels, inventory stickers, and any markings that identify the device’s origin organization before it leaves the building.

5. Maintain a disposal log. Record the device serial number, asset tag, data classification, sanitization method applied, date of sanitization, verification result, and the responsible personnel for every device. This log is a primary audit artifact and should be reviewed regularly for completeness. Any gaps between the asset register and the disposal log indicate devices that may have left the organization without proper sanitization.

6. Collect certificates of destruction from third-party vendors. If you use a disposal vendor, require serial-number-level certificates of destruction that specify the sanitization method, date, and the name of the individual who performed the destruction. A certificate that lists only “batch destroyed” without individual serial numbers offers no assurance that a specific device was actually sanitized.

7. Revoke logical access and retire device identity. Remove the device from IAM systems, network access lists, MDM platforms, certificate stores, and any directory services. A sanitized device that still has an active identity in your network is a loose end. This step also applies to credentials the device itself holds: revoke device certificates, VPN and 802.1X identities, SSH keys and API tokens, including keys sealed in the device’s TPM, before it is decommissioned, because wiping the disk does not revoke what your directory or CA still trusts.

Common tooling categories: data erasure software that implements NIST 800-88 methods (commercial suites such as Blancco; open-source nwipe, the maintained successor to the long-unmaintained DBAN, for magnetic drives; hdparm and nvme-cli to issue ATA Secure Erase and NVMe Sanitize to the drive firmware), hardware shredders for physical destruction, degaussing equipment for magnetic media, and full-disk encryption as a compensating control — if a drive was encrypted from its first write, cryptographic erasure (destroying the key) renders data unrecoverable without overwriting every sector. Cryptographic erasure is only as good as the key destruction: escrowed recovery keys, TPM-sealed copies and keys held by the management platform must be destroyed too, and the argument fails for anything written to the drive before encryption was enabled.

Note that degaussing is effective only on magnetic media (traditional HDDs and tape). It has no effect on SSDs, flash drives, or other solid-state storage, and on a modern HDD it also wipes the servo tracks, so a degaussed disk is destroyed rather than re-usable. For solid-state devices, use the drive’s firmware secure erase or sanitize command, which the controller applies to over-provisioned and remapped blocks that a software overwrite never sees, cryptographic erasure, or physical destruction.
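Verification is the step most disposal logs record but few actually perform. The following Python script is an added example written for this article, not a tool from the page or from any vendor it names. It spot-checks a drive or image after sanitization: for an overwrite (Clear, or Purge by overwrite on magnetic media) it reads sector samples and confirms they hold the expected pattern; for a cryptographic erase it checks that sampled sectors are high-entropy and free of recognisable cleartext markers, since after key destruction everything that was ever written should read back as random. The image layouts, the fake private key, the marker list and the 7.0 bits-per-byte threshold are constructed assumptions for the demonstration; on a real drive you would point it at the block device and sample a few thousand sectors rather than the 64 read here.

```python
"""Spot-check a sanitized drive or disk image after a NIST 800-88 Clear/Purge.

Added example for this article; not code from the page or any vendor it names.
Assumptions: the drive has already been sanitized, the caller knows the method,
and the process can read the block device (e.g. /dev/sdb) or an image file.
"""
import math
import os
import random
import tempfile
from collections import Counter

SECTOR = 512
# Cleartext fragments that should never survive a cryptographic erase
# (PEM keys, PDF and ZIP/Office headers, the obvious word). Extend to taste.
MARKERS = (b"-----BEGIN", b"%PDF-", b"PK\x03\x04", b"password")


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: ~7.6 for random/encrypted data, ~4.5 for text, 0 for one repeated value."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def sample_offsets(size: int, samples: int, seed=None) -> list:
    """Sector-aligned offsets to inspect. Always includes the first and last sector,
    the places a sloppy overwrite most often misses; fills the rest randomly so the
    checked locations cannot be predicted. Small images are simply read in full."""
    n_sectors = max(size // SECTOR, 1)
    rng = random.Random(seed)
    offs = {0, (n_sectors - 1) * SECTOR}
    while len(offs) < min(samples, n_sectors):
        offs.add(rng.randrange(n_sectors) * SECTOR)
    return sorted(offs)


def _read_samples(path, samples, seed):
    with open(path, "rb", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)  # works for block devices too, unlike os.path.getsize
        for off in sample_offsets(size, samples, seed):
            f.seek(off)
            yield off, f.read(SECTOR)


def verify_overwrite(path: str, pattern: int = 0x00, samples: int = 256, seed=None) -> dict:
    """Overwrite check: every sampled sector must consist solely of `pattern`."""
    failed, sampled = [], 0
    for off, chunk in _read_samples(path, samples, seed):
        sampled += 1
        if chunk != bytes([pattern]) * len(chunk):
            failed.append(off)
    return {"sampled": sampled, "failed": failed, "passed": not failed}


def verify_crypto_erase(path: str, samples: int = 256, min_entropy: float = 7.0, seed=None) -> dict:
    """Crypto-erase check: after the key is destroyed every written sector should look
    random. Low entropy or a cleartext marker means an unencrypted region survived
    (an unencrypted partition, or data written before encryption was turned on).
    All-zero sectors are never-written or trimmed space, not cleartext, and are skipped."""
    suspect, sampled = [], 0
    for off, chunk in _read_samples(path, samples, seed):
        sampled += 1
        if chunk == b"\x00" * len(chunk):
            continue
        if shannon_entropy(chunk) < min_entropy or any(m in chunk for m in MARKERS):
            suspect.append(off)
    return {"sampled": sampled, "suspect": suspect, "passed": not suspect}


def build_demo_image(path: str, kind: str, sectors: int = 64) -> None:
    """Constructed 32 KiB images for the demonstration (no real drive data):
    clean     - zeros everywhere, as after a successful single-pass zero overwrite
    leftover  - zeros except one sector still holding a private key
    crypto    - random bytes everywhere, as a crypto-erased SED reads back
    plaintext - random bytes plus one cleartext sector the key destruction never covered
    """
    rnd = random.Random(1234)
    if kind in ("clean", "leftover"):
        data = bytearray(sectors * SECTOR)
    else:
        data = bytearray(rnd.randbytes(sectors * SECTOR))
    if kind in ("leftover", "plaintext"):
        secret = b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, not a real key)\n"
        data[17 * SECTOR:17 * SECTOR + len(secret)] = secret
    with open(path, "wb") as f:
        f.write(data)


def run_demo() -> dict:
    """Build the four images in a temp dir and run the matching check on each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for kind, check in (("clean", verify_overwrite), ("leftover", verify_overwrite),
                            ("crypto", verify_crypto_erase), ("plaintext", verify_crypto_erase)):
            img = os.path.join(d, kind + ".img")
            build_demo_image(img, kind)
            results[kind] = check(img, samples=64, seed=1)
    return results


if __name__ == "__main__":
    for kind, report in run_demo().items():
        flagged = report.get("failed", report.get("suspect"))
        print(f"{kind:10s} passed={report['passed']} flagged_offsets={flagged}")
```

The two checks deliberately differ in what "clean" means: an overwrite is verified by the absence of anything but the pattern, a crypto-erase by the absence of structure. A sector that fails either check is a disposal-log entry that should read "verification failed", not a device that ships.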

Common mistakes to avoid:

  • Treating “delete” or “format” as sanitization — neither removes underlying data
  • Assuming damaged drives are unreadable — they’re not
  • Covering disposal but ignoring internal re-use — reallocated devices carry the same risk as disposed ones
  • Failing to remove asset tags before equipment leaves the building — this gives an attacker immediate attribution
  • Not verifying that third-party vendors actually performed destruction — trust without verification is not a control

For Your Vendors (Third-Party Assessment)

When your vendors handle equipment disposal — whether for their own assets or yours — you need to verify their practices as part of your third-party risk management program. Here’s what to assess:

Questionnaire questions:

  • “Describe your media sanitization process. Which standard do you follow?” Expect NIST SP 800-88 or IEEE 2883; a vendor that cites only DoD 5220.22-M is relying on a decades-old overwrite pattern that says nothing about flash media.
  • “Do you provide certificates of destruction with individual device serial numbers?”
  • “How do you handle equipment that cannot be sanitized (e.g., damaged drives)?”

Evidence to request:

  • Certificates of destruction with device serial numbers and sanitization method
  • Chain-of-custody documentation from device receipt through destruction
  • Proof of environmental compliance for physical destruction methods

Red flags:

  • Vendor cannot name a specific sanitization standard
  • No serial-number-level tracking on destruction certificates
  • Certificates lack details on the method used
  • No chain-of-custody process
  • Vendor mixes destruction with recycling without documented separation

Verification beyond self-attestation:

  • Request an on-site visit or video walkthrough of the destruction process
  • Cross-reference serial numbers on certificates of destruction against your asset register
  • Ask for a third-party audit report (SOC 2 or equivalent) covering disposal operations
  • Periodically send test devices with known data through the vendor’s process and verify complete sanitization on return

The vendor assessment isn’t a one-time exercise. Include disposal practices in your ongoing vendor review cycle, and re-evaluate whenever the vendor changes subcontractors, facilities, or sanitization methods.
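Steps 5 and 6 of the first-party process and the serial-number cross-check in this section come down to one reconciliation: every device the register says has left must have a log entry, the method must meet the policy floor for its classification and destination, and anything that went to a vendor must appear on a serial-level certificate. The following Python script is an added example written for this article, not the page’s or any vendor’s tool. The record layouts, the sample assets, the vendor names and the minimum-method policy in required_method() are constructed assumptions; in practice the three inputs are exports from your asset register, ticketing system and the disposal vendor’s portal.

```python
"""Reconcile the asset register, the disposal log and vendor certificates of destruction.

Added example for this article, not the page's or any vendor's tool. Record layouts,
the minimum-method policy in required_method() and all sample records are constructed
assumptions; in practice the three inputs are exports from your asset register,
ticketing system and disposal vendor's portal.
"""
from dataclasses import dataclass
from typing import Optional

LEVEL = {"clear": 1, "purge": 2, "destroy": 3}   # NIST SP 800-88 levels, weakest first
TIER = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def required_method(classification: str, destination: str) -> str:
    """Policy floor (assumed): anything leaving the organisation needs at least Purge,
    restricted data leaving needs Destroy, and confidential/restricted data re-used
    internally still needs Purge because Clear only defeats casual recovery."""
    tier = TIER[classification]
    if destination == "external":
        return "destroy" if tier == 3 else "purge"
    return "purge" if tier >= 2 else "clear"


@dataclass(frozen=True)
class Asset:
    serial: str
    classification: str   # public | internal | confidential | restricted
    status: str           # in-use | reallocated | disposed


@dataclass(frozen=True)
class LogEntry:
    serial: str
    method: str           # clear | purge | destroy
    destination: str      # internal (re-use) | external (vendor, reseller, lessor)
    verified: bool        # read-back check or witnessed destruction recorded


@dataclass(frozen=True)
class Certificate:
    vendor: str
    serials: tuple        # empty tuple == "batch destroyed", i.e. no per-device proof
    method: Optional[str]


def reconcile(assets, log, certs) -> list:
    """Return sorted (identifier, issue) pairs; an empty list means the records agree."""
    findings = []
    register = {a.serial: a for a in assets}
    logged = {e.serial: e for e in log}
    certified = set()

    for c in certs:
        if not c.serials:
            findings.append((c.vendor, "certificate lists no serial numbers, so it proves nothing about any specific device"))
        if c.method is None:
            findings.append((c.vendor, "certificate does not state the sanitization method"))
        for s in c.serials:
            certified.add(s)
            if s not in register:
                findings.append((s, "vendor certified a serial that is not in the asset register"))
            elif register[s].status == "in-use":
                findings.append((s, "register still shows in-use but the vendor certified destruction"))

    for a in assets:   # every device the register says has left needs a log entry
        if a.status in ("disposed", "reallocated") and a.serial not in logged:
            findings.append((a.serial, f"{a.status} with no disposal-log entry"))

    for e in log:
        a = register.get(e.serial)
        if a is None:
            findings.append((e.serial, "disposal-log entry for a device not in the asset register"))
            continue
        need = required_method(a.classification, e.destination)
        if LEVEL[e.method] < LEVEL[need]:
            findings.append((e.serial, f"{e.method} applied but policy requires {need} for {a.classification} data going {e.destination}"))
        if not e.verified:
            findings.append((e.serial, "sanitization recorded but never verified"))
        if e.destination == "external" and e.serial not in certified:
            findings.append((e.serial, "left the organisation without a serial-level certificate of destruction"))
    return sorted(findings)


# Constructed sample records (not real assets or vendors).
SAMPLE_ASSETS = [
    Asset("SN-1001", "confidential", "disposed"),  # destroyed by vendor, on the certificate: clean
    Asset("SN-1002", "restricted", "disposed"),    # purged only, and no certificate
    Asset("SN-1003", "internal", "reallocated"),   # cleared and verified for internal re-use: fine
    Asset("SN-1004", "confidential", "disposed"),  # status says disposed, nobody logged anything
    Asset("SN-1005", "public", "in-use"),          # vendor claims to have shredded it
]
SAMPLE_LOG = [
    LogEntry("SN-1001", "destroy", "external", True),
    LogEntry("SN-1002", "purge", "external", True),
    LogEntry("SN-1003", "clear", "internal", True),
    LogEntry("SN-1006", "clear", "internal", False),  # never in the register at all
]
SAMPLE_CERTS = [
    Certificate("AcmeShred", ("SN-1001", "SN-1005"), "shred"),
    Certificate("BulkRecycle", (), None),  # the "batch destroyed" certificate with no serials
]

if __name__ == "__main__":
    for ident, issue in reconcile(SAMPLE_ASSETS, SAMPLE_LOG, SAMPLE_CERTS):
        print(f"{ident}: {issue}")
```

Run against the sample data it reports seven findings, and the two clean devices (SN-1001 and SN-1003) produce none. Running this on every disposal batch, and again before the audit, turns the "gaps between the asset register and the disposal log" from something an auditor discovers into something you fix first.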

Audit Evidence for 7.14

When an auditor assesses 7.14, they’ll ask for specific artifacts that prove your disposal process works consistently, not just in theory. The evidence should demonstrate that your organization follows its documented policy for every device, with no exceptions. Missing records for even a single device can result in a minor nonconformity.

Evidence type | Example artifact
Policy | Equipment Disposal and Sanitization Policy defining sanitization methods by data classification, approval workflows, and retention of disposal records
Procedure | Media Sanitization Procedure documenting step-by-step processes for Clear, Purge, and Destroy methods
Asset records | Asset Register entries showing disposition status (Disposed, Recycled, Reallocated) with dates and responsible personnel
Destruction certificates | Certificates of Destruction from third-party vendors listing device serial numbers, sanitization method, and date
Disposal log | Equipment Disposal Log tracking each device from decommissioning request through verified sanitization
Verification records | Sanitization Verification Reports confirming overwrite completion or physical destruction
Training records | Staff training records showing disposal-process awareness for IT and operations personnel

Cross-Framework Mapping

Control 7.14 aligns with equivalent requirements across major compliance frameworks. If you’re preparing for a multi-framework audit or mapping controls across standards, these are the direct parallels. “Full” coverage means the external control addresses the same scope as 7.14; “Partial” means it covers a subset of the requirements:

Framework | Equivalent control(s) | Coverage
NIST SP 800-53 | MP-6 (Media Sanitization) | Full
SOC 2 Trust Services Criteria | CC6.5 (logical and physical protections over assets are discontinued only after the ability to read or recover data and software from them has been diminished) | Partial
CIS Controls v8.1 | Control 3.5 (Securely Dispose of Data); Control 3.4 (Enforce Data Retention) sets the trigger for disposal but not the method | Partial
NIST CSF 2.0 | ID.AM-08 (systems, hardware, software, services, and data are managed throughout their life cycles), which absorbed CSF 1.1 PR.DS-3 (assets are formally managed throughout removal, transfers, and disposition) | Full
DORA (EU) | Article 8 (identification, including the ICT asset inventory and lifecycle); the detailed disposal requirements sit in the RTS on the ICT risk management framework (Delegated Regulation (EU) 2024/1774) | Partial

Control 7.14 doesn’t operate in isolation. It connects to a broader set of controls that govern the equipment lifecycle from deployment through decommissioning. When implementing 7.14, review these related controls to ensure your disposal process integrates with your wider ISMS:

Control ID | Control name | Relationship to 7.14
7.8 | Equipment siting and protection | Protects equipment during its operational life; 7.14 covers end-of-life
7.9 | Security of assets off-premises | Governs equipment leaving the premises; overlaps with disposal transport
7.10 | Storage media | Directly related: media handling throughout the lifecycle; 7.14 covers the terminal phase
7.11 | Supporting utilities | Equipment reliability during use; damaged equipment feeds into 7.14 disposal decisions
7.13 | Equipment maintenance | Maintenance records inform disposal timing and repair-or-dispose decisions
5.9 | Inventory of information and other associated assets | The asset register is the source of truth for tracking disposal
5.10 | Acceptable use of information and other associated assets | Governs how assets are used, including re-use constraints
8.10 | Information deletion | Logical deletion complement to 7.14’s physical sanitization
5.12 | Classification of information | Data classification drives sanitization method selection in 7.14

Frequently Asked Questions

What is ISO 27001 7.14?

ISO 27001 control 7.14 requires organizations to verify that all equipment containing storage media is sanitized to permanently remove sensitive data and licensed software before disposal or re-use. It applies to both equipment leaving the organization and devices being reallocated internally. The control prevents data leakage from decommissioned hardware by mandating documented sanitization processes and verification steps.

What happens if 7.14 is not implemented?

Without control 7.14, decommissioned equipment may retain recoverable sensitive data, exposing the organization to data breaches, regulatory penalties under frameworks like GDPR and HIPAA, and reputational harm. Auditors will flag missing disposal evidence as a nonconformity during ISO 27001 certification or surveillance audits.

How do you audit 7.14?

Auditors verify 7.14 by reviewing the equipment disposal policy, cross-referencing the asset register against disposal logs and certificates of destruction, and confirming that sanitization methods match data classification levels. They may also check that third-party disposal vendors provide serial-number-level destruction certificates.

How UpGuard Helps

Your disposal process is only as strong as your weakest vendor’s. UpGuard’s third-party risk management platform continuously monitors vendor security posture — including disposal and media handling practices — through automated questionnaires, security ratings, and real-time risk detection. Control gaps in your vendor ecosystem surface before they become audit findings or data breaches.

See how UpGuard helps you manage vendor risk across your entire supply chain at upguard.com/product.
