Control attributes: Physical, Preventive, Protect

A.7.14 Secure Disposal or Re-use of Equipment

M365 Admin Path: Microsoft Intune admin center > Endpoint security > Disk encryption

Evidence Source: Microsoft Graph (Intune), Manual Certificates

What is this control?

ISO 27001 control A.7.14, Secure Disposal or Re-use of Equipment, requires that items of equipment containing storage media are verified to have had any sensitive data and licensed software removed or securely overwritten before disposal or re-use. The implementation described on this page meets it with cryptographic sanitisation through Microsoft Intune and Windows Autopilot for internal re-use, secure destruction under a documented chain of custody with a Certificate of Destruction for end-of-life equipment, BitLocker encryption on every device as the safety net that turns a reset into a cryptographic erase, and documented factory-reset procedures for network appliances.

How to implement in Microsoft 365

For internal re-use, implement A.7.14 by initiating Fresh Start, Autopilot Reset or Wipe from Intune whenever equipment transfers from one user to another. The sanitising effect of these resets depends on BitLocker: the key protecting the previous contents is discarded when the volume is re-provisioned, so whatever remains on the media is unrecoverable ciphertext, whereas a reset of an unencrypted drive gives no such assurance. Choose the action to match the outcome needed: Wipe removes enrollment and all data and returns the device to the out-of-box experience, Autopilot Reset removes the user's files, apps and settings but keeps the Entra join and Intune enrollment, and Fresh Start removes installed apps and only removes the user's data if its retain-user-data option is left off. Confirm the device has re-enrolled in Intune and checked in before issuing it to the new user. For end-of-life devices that still function, perform a verified wipe using Intune or a certified data-erasure tool before disposal and keep the erasure report as evidence.

For non-functional devices, including motherboard failures that prevent a remote wipe, physically remove and destroy the hard drive or SSD, or surrender the device to a certified secure-destruction partner for shredding under a documented chain of custody. Keep BitLocker enabled on all Windows devices so that a drive which can no longer be wiped still holds only ciphertext. Obtain a Certificate of Destruction that lists the serial numbers of the drives or devices destroyed and file it against the asset register.
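The re-use procedure above, as an added PowerShell example that is not code from the original page or from Microsoft: it locates the device in Intune by serial number, refuses to treat a reset as sanitisation if the device is not BitLocker-encrypted, issues either a full Wipe or a Fresh Start through Microsoft Graph, then polls until the device has re-enrolled or checked in again and writes an evidence row for the asset register. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin holds the DeviceManagementManagedDevices.PrivilegedOperations.All and DeviceManagementManagedDevices.Read.All scopes, and that the serial number passed in is real; the four-hour wait window and the CSV file name are arbitrary choices.

```powershell
# Added example, not code from the original page or from Microsoft: retire a Windows
# device for internal re-use through Microsoft Graph and confirm it came back before
# it is issued to the next user. Assumes the Microsoft.Graph PowerShell SDK is installed
# and the signed-in admin holds DeviceManagementManagedDevices.PrivilegedOperations.All
# and DeviceManagementManagedDevices.Read.All. The serial number is a placeholder.
param(
    [Parameter(Mandatory)] [string]$SerialNumber,
    [ValidateSet('Wipe', 'FreshStart')] [string]$Mode = 'Wipe',
    [int]$WaitHours = 4
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All' | Out-Null

$graph = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

function Get-ManagedDeviceBySerial([string]$Serial) {
    # Page through the collection and match the serial client-side rather than
    # relying on $filter support for that property.
    $uri = "$graph?`$select=id,deviceName,serialNumber,userPrincipalName,isEncrypted,enrolledDateTime,lastSyncDateTime"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($d in $page.value) {
            if ($d.serialNumber -eq $Serial) { return $d }
        }
        $uri = $page.'@odata.nextLink'
    }
    return $null
}

$device = Get-ManagedDeviceBySerial $SerialNumber
if (-not $device) { throw "No Intune record found for serial $SerialNumber" }

# A reset only counts as cryptographic sanitisation when the volume was BitLocker-encrypted.
if (-not $device.isEncrypted) {
    Write-Warning "$($device.deviceName) is not BitLocker-encrypted: a reset will not cryptographically erase it. Route it to physical destruction instead."
    return
}

$started = (Get-Date).ToUniversalTime()
switch ($Mode) {
    'Wipe' {
        # Full wipe: drop enrollment and all user data so the next user starts from Autopilot.
        Invoke-MgGraphRequest -Method POST -Uri "$graph/$($device.id)/wipe" -Body @{
            keepEnrollmentData = $false; keepUserData = $false; persistEsimDataPlan = $false
        }
    }
    'FreshStart' {
        # Fresh Start with keepUserData = $false; with $true the previous user's profile survives.
        Invoke-MgGraphRequest -Method POST -Uri "$graph/$($device.id)/cleanWindowsDevice" -Body @{
            keepUserData = $false
        }
    }
}
Write-Host "$Mode issued to $($device.deviceName) (serial $SerialNumber) at $($started.ToString('u'))"

# Poll until the device checks in again. After a full wipe the old record disappears and a
# new enrollment appears for the same serial; after Fresh Start the record persists and
# only lastSyncDateTime moves.
$deadline = (Get-Date).AddHours($WaitHours)
do {
    Start-Sleep -Seconds 60
    $after = Get-ManagedDeviceBySerial $SerialNumber
    $ok = $false
    if ($after) {
        $stamp = if ($Mode -eq 'Wipe') { $after.enrolledDateTime } else { $after.lastSyncDateTime }
        $ok = ([datetime]$stamp).ToUniversalTime() -gt $started
    }
} until ($ok -or (Get-Date) -gt $deadline)

if (-not $ok) { throw "Device $SerialNumber has not re-enrolled within $WaitHours hours; do not issue it." }

# Record the outcome for the asset register and the retirement audit trail.
[pscustomobject]@{
    SerialNumber = $SerialNumber
    Action       = $Mode
    IssuedUtc    = $started
    NewDeviceId  = $after.id
    EnrolledUtc  = $after.enrolledDateTime
    AssignedUser = $after.userPrincipalName
} | Export-Csv -Path ".\A7.14-reuse-$SerialNumber.csv" -NoTypeInformation
```

Run it as `.\Reuse-Device.ps1 -SerialNumber <serial> -Mode Wipe` from a workstation that can reach Graph. The early exit on an unencrypted device is deliberate: it stops an operator from recording a reset as sanitisation when the only evidence of erasure would be Windows having reformatted a plaintext volume.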

What an auditor looks for

Auditors will ask for the Intune encryption status report showing that 95% or more of physical Windows devices are BitLocker-encrypted, and for the list of unencrypted devices together with a risk assessment stating how each one will be sanitised at disposal. They will also review Certificates of Destruction from the certified e-waste partner and check that the serial numbers listed reconcile with the asset register.

They will verify that the asset register marks each retired device Disposed with the sanitisation method and date, and will walk the retirement audit trail: the Intune deletion record, the corresponding Entra ID device deletion, and, for network appliances, the FortiGate reset confirmation logs showing that the factory reset preceded disposal.
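Assembling that evidence from Microsoft Graph, as an added PowerShell example that is not code from the original page or from Microsoft: it computes BitLocker coverage across physical Windows devices against the 95% threshold, exports the unencrypted-device list with a disposal-risk note, and pulls the device-deletion audit trail from both Intune and Entra ID for the audit pack. It assumes the Microsoft.Graph PowerShell SDK and a signed-in account holding DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All, AuditLog.Read.All and Directory.Read.All. The rule that a model name containing "Virtual" marks a VM, the Intune audit fields used to spot deletions (category "Device", operation type "Delete") and the Entra activity name "Delete device" are assumptions to confirm against your own tenant's data before relying on the output.

```powershell
# Added example, not code from the original page or from Microsoft: assemble the A.7.14
# evidence an auditor asks for straight from Microsoft Graph. Assumes the Microsoft.Graph
# PowerShell SDK and a signed-in account holding DeviceManagementManagedDevices.Read.All,
# DeviceManagementConfiguration.Read.All (Intune audit events), AuditLog.Read.All and
# Directory.Read.All (Entra directory audits). The VM-model heuristic and the activity
# names used to spot deletions are assumptions to check against your tenant.
param([int]$LookbackDays = 365, [string]$OutDir = '.\A7.14-evidence')

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementConfiguration.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All' | Out-Null
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-GraphCollection([string]$Uri) {
    # Follow @odata.nextLink until the collection is exhausted.
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += @($page.value)
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# 1. BitLocker coverage across physical Windows devices (auditor threshold: 95 %).
$windows = Get-GraphCollection ('https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
    '?$select=id,deviceName,serialNumber,model,manufacturer,isEncrypted,lastSyncDateTime' +
    '&$filter=operatingSystem eq ''Windows''')
# Assumption: hypervisor and cloud VMs self-report a model containing "Virtual"; adjust for your fleet.
$physical    = @($windows | Where-Object { $_.model -notmatch 'Virtual' })
$unencrypted = @($physical | Where-Object { -not $_.isEncrypted })
$coverage = if ($physical.Count -gt 0) {
    [math]::Round(100 * ($physical.Count - $unencrypted.Count) / $physical.Count, 1)
} else { 0 }

$unencrypted | ForEach-Object {
    [pscustomobject]@{
        DeviceName   = $_.deviceName
        SerialNumber = $_.serialNumber
        Model        = $_.model
        LastSyncUtc  = $_.lastSyncDateTime
        DisposalRisk = 'Reset is not a crypto-erase; destroy media physically'
    }
} | Export-Csv "$OutDir\unencrypted-devices.csv" -NoTypeInformation

# 2. Retirement audit trail: Intune device deletions and the matching Entra ID deletions.
$since = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$intuneDeletes = @(Get-GraphCollection ('https://graph.microsoft.com/v1.0/deviceManagement/auditEvents' +
    "?`$filter=activityDateTime ge $since") |
    Where-Object { $_.category -eq 'Device' -and $_.activityOperationType -eq 'Delete' })
$entraDeletes = @(Get-GraphCollection ('https://graph.microsoft.com/v1.0/auditLogs/directoryAudits' +
    "?`$filter=activityDisplayName eq 'Delete device' and activityDateTime ge $since"))

$intuneDeletes | ForEach-Object {
    [pscustomobject]@{
        Source  = 'Intune'
        WhenUtc = $_.activityDateTime
        Actor   = $_.actor.userPrincipalName
        Target  = (@($_.resources | ForEach-Object { $_.displayName }) -join ';')
    }
} | Export-Csv "$OutDir\intune-device-deletions.csv" -NoTypeInformation

$entraDeletes | ForEach-Object {
    [pscustomobject]@{
        Source  = 'EntraID'
        WhenUtc = $_.activityDateTime
        Actor   = $_.initiatedBy.user.userPrincipalName
        Target  = (@($_.targetResources | ForEach-Object { $_.displayName }) -join ';')
        Result  = $_.result
    }
} | Export-Csv "$OutDir\entra-device-deletions.csv" -NoTypeInformation

# 3. Summary line for the audit pack.
[pscustomobject]@{
    PhysicalWindowsDevices = $physical.Count
    Encrypted              = $physical.Count - $unencrypted.Count
    CoveragePercent        = $coverage
    MeetsThreshold         = ($coverage -ge 95)
    IntuneDeletions        = $intuneDeletes.Count
    EntraDeletions         = $entraDeletes.Count
}
```

The two deletion exports are meant to be joined on device name or serial against the asset register's Disposed entries: a device marked Disposed with no Intune deletion, or an Intune deletion with no Entra counterpart, is exactly the gap an auditor will find first.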

M365 capabilities that implement this control

Microsoft Media Handling Foundation

Microsoft-managed media storage, sanitization, and disposal procedures