
DATA DESTRUCTION PROCEDURE

© Distributed by Resilify.io under a Creative Commons Share Alike License.
Document Information
Version Control
Owner | Version | Edited By | Date | Change History
User | 1 | Assent | DD/01/2016 | First Draft

Distribution
Held By | Format | Location | Comments
User | Digital / Physical | |

Status
X | Status | Approved By | Date
X | Draft | | DD/MM/YYYY
  | Final Draft | |
  | Published | |
  | Withdrawn | |

Classification
Confidential
X Restricted
Unclassified

Relevance to Standard

Standard | Clause | Title
[ISO 27001:2013] | [A.8] | []

License

Licensed by Assent Risk Management via Resilify.io Under a Creative Commons Share Alike License.

Contents

Document Information
Contents
Data Destruction Procedure Content
1.0 Types of Data & Reasons to Securely Destroy
2.0 Audit Trail
3.0 Digital Data Destruction
    3.1 Physical Storage of Media
    3.2 In-House Data Destruction
    3.3 External Data Destruction
    3.4 Reuse of Equipment
4.0 Physical Data Destruction
    4.1 Storage of Data
    4.2 In-House Data Destruction
    4.3 External Data Destruction

Data Destruction Procedure Content

1.0 Types of Data & Reasons to Securely Destroy

The company takes the confidentiality of its data very seriously, and it’s important for
legal, contractual, and reputational reasons that data is destroyed securely when no
longer required.

Types of information include, but are not limited to:

Digital | Physical
Emails & Attachments | Customer Related Paperwork
USB Memory | Government Correspondence
Laptop & PC Hard Drives | Note paper / Post-its
Mobile Phones | Statements & Financial Information

See the company’s record list.

The company will take appropriate steps to destroy data according to its
Classification.  See ISMS01, Information Classification and Handling.  

2.0 Audit Trail

It’s important to maintain traceability of data assets and keep appropriate records of
their whereabouts and destruction status.  

The asset inventory will be updated when assets are stored in the IT office or
removed from site.

When assets are removed from site, a transfer note containing the asset id and/or
serial number of each asset collected will be maintained.

Where paper records are removed from site, the number of sacks and date of
collection will be recorded on the transfer note.

3.0 Digital Data Destruction

NOTE: Please remember that data can still be recovered from a drive after you
have deleted it using the operating system (Windows or OSX).

3.1 Physical Storage of Media

At End-of-Life, media should be immediately returned to the IT
Department for secure storage in the IT Office.

The IT department will update the asset inventory and appropriately
mark media to prevent them being reused.

3.2 In-House Data Destruction

All media will be formatted, functionality allowing, providing a basic level
of destruction.

Where media is damaged to a point that it cannot be reformatted, it will
be sent for external data destruction; see 3.4 below.

Media from workstations and other devices which contain no data
classified ‘confidential’ will be securely stored in the IT Office until there
is a quantity to be collected by a Licensed WEEE carrier.

Media from Servers, SANs, NAS or other devices that are likely to
contain data classified as ‘confidential’ will additionally be sent to an
approved external party for destruction. See 3.3 below.

3.3 External Data Destruction

An approved supplier will be used for data destruction and will provide
either of the following:

• Data Erasure to a minimum of HMG IS5 or
• Physical Disk Shredding to a maximum of 25mm.

The supplier will provide a schedule of devices and certificate of
destruction and the IT department will retain this information.

3.4 Reuse of Equipment

When equipment is to be reused within the business, all data and user
profiles will be removed prior to re-issue.

The IT department will take all further actions they consider necessary to
reduce the risk of users gaining unauthorised access to information that
may have previously been on the machine.
It is company policy NOT to allow equipment to be re-used outside the
business.

4.0 Physical Data Destruction

4.1 Storage of Data

Paperwork will be stored securely according to the Classification and
Handling procedure while it is required.

When no longer required, physical data will be immediately destroyed
using the in-house shredder or placed in secure shredding bins awaiting
collection.

4.2 In-House Data Destruction

In line with ISMS 02, the Information Classification and Handling
procedure, physical data will be cross-cut shredded on site immediately
when no longer required.

Documents should NOT be left on top of or next to the shredder.

The shredder will be emptied nightly into the recycling waste stream.

If documents are too large to be shredded, they should be separated or
stored securely until an external contractor can collect them.

4.3 External Data Destruction

In line with ISMS 02, the Information Classification and Handling
procedure, an approved waste contractor will collect physical data
requiring secure disposal.

Sacks collected from the secure bins will be securely tied with a unique
reference number for each sack.

The contractor may provide secure shredding on-site or remove the
sacks to their depot for destruction.

The contractor will provide a certificate of secure destruction including
the relevant sack numbers and weights and this information will be
retained.
Sacks will be stored in a secure area while awaiting collection.
