When IT equipment such as external drives, USB drives, laptops, or printers are no longer needed, they are either physically destroyed, returned back to the leaser, transferred to a third party, recycled, or made available for reuse to carry out other business operations.
Considering that this equipment may contain information assets and licensed software, organisations should ensure that all information and licensed software is irretrievably cleared off or overwritten before the disposal or reuse takes place. This will help maintain the confidentiality of information contained in this equipment.
For example, if an organisation uses an external IT asset disposal service provider and transfers old laptops, printers, and external drives to this provider, this service provider may gain unauthorised access to information hosted on this equipment.
Control 7.14 addresses how organisations can maintain the confidentiality of the information stored on the equipment to be disposed of or reused by implementing appropriate security measures and procedures.
Control 7.14 enables organisations to prevent unauthorised access to sensitive information by confirming that all information and licensed software stored on equipment are irreversibly deleted or overwritten before the equipment is disposed of or is provided to third parties to be reused.
Control 7.14 is a preventive type of control that requires organisations to maintain the confidentiality of information hosted on the equipment that will be disposed of or deployed to be reused by establishing and applying appropriate procedures and measures for disposal and reuse.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality | #Protect | #Physical Security #Asset Management | #Protection |
Compliance with Control 7.14 requires the establishment of an organisation-wide data disposal-reuse procedure, identification of all equipment and implementing suitable technical disposal mechanisms and reuse process.
Therefore, the Chief Information Officer should be responsible for the establishment, implementation, and maintenance of equipment disposal and reuse procedures and mechanisms.
The Control 7.14 lists four key considerations that organisations should take into account for compliance:
Before disposal takes place or the equipment is made available for reuse, organisations must confirm whether the equipment contains any information assets and licensed software and should ensure that such information or software is permanently deleted.
Control 7.14 lists two methods by which the information contained in equipment can be securely and permanently removed:
Components of the equipment and the information contained in it can have labels and markings that identify the organisation or that disclose the name of the asset owner, network, or information classification level assigned.
All these labels and markings should be irretrievably destroyed.
Taking into account the following conditions, organisations may choose to uninstall all security controls such as access restrictions or surveillance systems when they vacate facilities:
Book a tailored hands-on session
based on your needs and goals
Book your demo
In addition to the General Guidance, the Control 7.14 entails three specific recommendations for organisations.
When damaged equipment containing information is sent to repair, it may be exposed to the risk of unauthorised access by third parties.
Organisations should carry out a risk assessment taking into account the level of sensitivity of the information and consider if destroying the equipment is a more viable option than repair.
While the full-disk encryption technique greatly minimises risks to the confidentiality of information, it should adhere to the following standards:
Organisations should choose an overwriting technique taking into account the following criteria:
27002:2022/7.14 replaces 27002:2013/(11.2.7)
The Control 7.14 is largely similar to its counterpart in the 2013 Version. However, the Control 7.14 in the 2022 version includes more comprehensive requirements in the General Guidance.
In contrast to the 2013 Version, the 2022 Version introduces the following requirements:
ISMS.Online is a complete solution for ISO 27002 implementation.
It is a web-based system that allows you to show that your information security management system (ISMS) is compliant with the approved standards using well thought out processes and procedures and checklists.
Get in touch today to book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |