Background
----------

ISO/IEC 27002:2022 clause 7.14 indicates that "Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use [in order] to prevent leakage of information from equipment to be disposed or re-used."

Policy statements
-----------------

1. Legal, regulatory, or contractual obligations dictate the retention or deletion of certain information, so consult the information retention policy.
2. The potential exploitation of redundant information being discarded necessitates the implementation of risk controls.
3. The classification of information guides risk assessment, with SECRET information requiring permanent destruction via secure erasure and an auditable disposal process.
4. Despite the protection encryption offers, future vulnerabilities necessitate the physical destruction of devices containing encrypted data, especially those containing highly classified information.
5. If the information content is unknown or inaccessible, it is safest to assume a SECRET classification and dispose of it accordingly.
6. To avoid inappropriate disclosure, office paperwork should be discarded in recycling bins for shredding rather than in the ordinary office waste.
7. Proper disposal of IT equipment and storage media should be handled by the IT department, particularly when disposing of large volumes of valuable or sensitive information.
8. Assurance controls such as certificates of destruction, oversight, and attempted forensic recovery can verify proper information disposal.

Notes
-----

This is a "skeleton" policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation. Jump-start the process by visiting www.SecAware.com for a more comprehensive customisable policy template in MS Word.