
To be compliant with ISO 27001 secure disposal controls, with a magnetic HDD we could degauss it before disposal. In an SSD scenario, what is the best way for secure disposal that is compliant with the ISO 27001 standard?

TheJulyPlot
MemoryLeak
  • AFAIK, ISO 27001 doesn't actually specify technical requirements for disk disposal (or for anything, if that matters). All that ISO 27001 boils down to is that your organization has considered the risks and benefits of whatever it does, made an informed decision, has a written policy and procedure, that day-to-day operations actually conform to these policies and procedures, and that there is evidence that these policies and procedures are being followed and documented. It's really up to the organization to decide whatever risk/benefit they want to take. – Lie Ryan Jul 28 '17 at 04:42
  • Thanks Ryan, I know what you have mentioned. My intention for this question is to solicit existing SSD disposal practices in other companies, which I think would be helpful for us to make a decision. – MemoryLeak Jul 28 '17 at 04:51

3 Answers


ISO 27001 does not mandate a specific way SSDs should be destroyed; it just requires that the process is consistently applied after it has been approved by the business risk owners.

That being said, depending on the size of your business and the volume of devices you might consider the following:

  • Make use of a secure disposal service
  • Use an SSD shredder - Costly but quick and efficient, and you might be able to hire a device depending on where you are in the world
  • Depending on your risk profile, consult the manufacturers of the SSD for secure software erase techniques
Joe
  • In general the ISO/IEC norms do not specify certain ways of how to deal with threats or risks. They just state how to introduce working processes to manage them. – Tom K. Jul 28 '17 at 07:52
    To add the obligatory quote from ISO 27001. `A.8.3.2 Disposal of media: Media shall be disposed of securely and safely when no longer required, using formal procedures.` Control A 8.3.2, ISO/IEC 27001:2013 – Tom K. Jul 28 '17 at 10:19
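The answer above leaves the software erase route to the vendor's tooling, and the comment from Lie Ryan makes the point that ISO 27001 cares about a formal procedure with evidence that it was followed. The script below is an added example (not from this thread or from any vendor) that covers the step after the vendor erase: it samples blocks across the whole logical address space of the device, checks that each is blank (all 0x00 or all 0xFF, since erased NAND typically reads as 0xFF), and emits a JSON record with an asset tag, the erase method used and a digest of the sampled data, so the result can be filed with the disposal paperwork. The device path, asset tag, erase method name, sample count and block size are all assumptions chosen by whoever runs it. Note the limit of this check: it only sees the logical address space, not over-provisioned or retired flash cells, which is why a software erase is paired with physical destruction for higher risk profiles.

```python
"""Post-erase verification for an SSD (or any block device / disk image).

Added example, not from the Stack Exchange thread. Samples blocks across the
logical address space, reports how many still carry data, and produces a JSON
evidence record for the disposal file. Device path, asset tag, erase-method
label, sample count and block size are caller-supplied assumptions.
"""
import hashlib
import json
import os
import random
import sys
from datetime import datetime, timezone


def sample_offsets(size, block_size, samples, seed=0):
    """Pick distinct block-aligned offsets spread over the whole device.

    The first and last blocks are always included: they hold partition tables
    and their backups, the places most likely to show a botched erase.
    """
    blocks = max(size // block_size, 1)
    rng = random.Random(seed)  # fixed seed makes the evidence reproducible
    picks = {0, (blocks - 1) * block_size}
    while len(picks) < min(samples, blocks):
        picks.add(rng.randrange(blocks) * block_size)
    return sorted(picks)


def is_blank(block):
    """A block is blank if every byte is 0x00 or every byte is 0xFF."""
    return block.count(0) == len(block) or block.count(0xFF) == len(block)


def verify_erased(path, samples=256, block_size=4096, seed=0):
    """Read sampled blocks from `path` and return a verification summary."""
    digest = hashlib.sha256()
    dirty = []
    with open(path, "rb") as dev:
        dev.seek(0, os.SEEK_END)  # works for regular files and block devices
        size = dev.tell()
        offsets = sample_offsets(size, block_size, samples, seed)
        for off in offsets:
            dev.seek(off)
            block = dev.read(block_size)
            digest.update(block)
            if not is_blank(block):
                dirty.append(off)
    return {
        "device": path,
        "size_bytes": size,
        "blocks_sampled": len(offsets),
        "blocks_with_data": len(dirty),
        "first_dirty_offsets": dirty[:8],
        "sample_sha256": digest.hexdigest(),
        "verdict": "PASS" if not dirty else "FAIL",
    }


def disposal_record(path, asset_tag, erase_method, **kwargs):
    """Wrap the verification result in an evidence record for the procedure file."""
    record = {
        "asset_tag": asset_tag,          # assumed: the organisation's own asset id
        "erase_method": erase_method,    # assumed: e.g. the vendor tool that was run
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }
    record.update(verify_erased(path, **kwargs))
    return record


if __name__ == "__main__":
    # Usage: python3 verify_erase.py <device-or-image> <asset-tag> <erase-method>
    if len(sys.argv) != 4:
        sys.exit("usage: verify_erase.py DEVICE ASSET_TAG ERASE_METHOD")
    rec = disposal_record(sys.argv[1], sys.argv[2], sys.argv[3])
    print(json.dumps(rec, indent=2))
    sys.exit(0 if rec["verdict"] == "PASS" else 1)
```

A FAIL verdict means the vendor erase did not do what it claimed for at least one sampled block and the device should go to the physical-destruction route rather than the disposal service; a PASS is evidence for the file, not proof that retired or over-provisioned cells are clear.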

Physical destruction: this would mean destroying the PCBs physically. You can do this with a shredder/crusher. Burning is also an option but might be in violation of health and environment regulations (burning plastics isn't really good).

Lucas Kauffman

For safe data sanitization and to follow various laws like ISO 27001, businesses are now more concerned to properly destroy their IT assets (both SSD and HDD).

Various industry experts recommend overwriting data with random patterns of 0's and 1's followed by physical destruction.

I even remember that once a senior expert informed me that this method was already in use in various US Govt departments.

But, yes, the approach differs from company to company and how well they comply with rules and regulations.

Maybe it's time that various agencies like ISO 27001, EU-GDPR come under one umbrella and create a global body.

It is suggested to use data erasure software like Blancco 5, BitRaser and Secure Erase which you can easily download from Google.