ISO 27001 and physical destruction: which controls require what?
Anyone seeking or maintaining ISO 27001 certification will sooner or later face the question of how confidential information is removed at end of life. The standard explicitly requires control of media disposal as part of the Information Security Management System (ISMS). This article unpacks the relevant controls from Annex A and shows what an auditor wants to see in practice.
Which controls touch destruction?
ISO 27001:2022 Annex A explicitly addresses disposal and destruction in the following controls, mainly under ‘A.7 Physical controls’ and ‘A.8 Technological controls’:
- A.7.10 Storage media: management of storage media throughout the lifecycle, including disposal.
- A.8.10 Information deletion: deletion of information when no longer needed.
- A.8.12 Data leakage prevention: preventing unwanted distribution of confidential information, including during disposal.
- A.5.34 Privacy and protection of PII (an organizational control under A.5): protection of personal data; it relates to destruction through the GDPR link.
Under the old version of the standard (ISO 27001:2013) this was spread across A.8.3 (Media handling) and A.11.2.7 (Secure disposal or re-use of equipment). The substance is materially the same; only the structure was streamlined in 2022.
What does an auditor expect in practice?
Documentation
- Disposal Policy: written policy stating which methods are used for which information classes.
- Procedure per media type: paper, HDD, SSD, optical, plastic cards.
- Processor agreement with the external destruction supplier. Read the checklist.
- Information-class link: which classification (Public, Internal, Confidential, Strictly Confidential) gets which destruction method?
Evidence of execution
- Destruction certificates per job. Read the certificate of destruction.
- Log of disposed media (asset tag, date, method).
- Periodic supplier review.
- Training records for staff handling confidential media.
Operational controls
- Locked consoles in the office. Read locked consoles versus open bins.
- Chain-of-custody documentation. Read chain of custody from archive to shredder.
- Risk analysis on the disposal chain.
Information Classification: linking to destruction method
A common Annex A-conformant classification looks like this:
| Class | Example | Destruction method |
|---|---|---|
| Public | Promotional material | Regular waste stream |
| Internal | Internal procedures | DIN P-3 |
| Confidential | Customer administration, HR | DIN P-4 / P-5 |
| Strictly Confidential | Special categories of personal data, confidentiality-professional data | DIN P-5 / P-6, for hardware H-5 / H-6 |
The auditor wants to see classification and destruction method logically linked. Generic ‘everything at P-5’ works, but over-specifying is expensive and illogical.
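As an added example (not the article's own material or tooling), a small Python pre-audit check that runs a constructed disposal log against the classification table above and reports the kinds of gap listed later under common audit findings: missing certificate, missing DIN classification, a method below the required level, or a class/media combination the policy does not cover. The log fields beyond asset tag, date and method, the hard-disk levels for classes other than Strictly Confidential (left undefined on purpose), and all sample values are assumptions.

```python
# Added example, not from the original article: a pre-audit check of a media
# disposal log against the classification table; fields and values are constructed.
POLICY = {                      # minimum DIN 66399 level per class and media family
    "Public": {},               # regular waste stream, no level required
    "Internal": {"P": 3},       # P = paper, H = hard disks (from the table above)
    "Confidential": {"P": 4},   # no H-level defined: the check reports this gap
    "Strictly Confidential": {"P": 5, "H": 5},
}

def parse_method(method):
    """'P-4' -> ('P', 4); None for empty or non-DIN text such as 'shredded'."""
    parts = method.strip().upper().split("-")
    if len(parts) != 2 or parts[0] not in ("P", "H") or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1])

def check_entry(entry):
    """Return (asset_tag, issue) findings for one log entry; empty list if it passes."""
    tag, cls = entry["asset_tag"], entry["classification"]
    findings = []
    if not entry.get("certificate"):           # evidence of execution is missing
        findings.append((tag, "no destruction certificate reference"))
    if cls not in POLICY:
        return findings + [(tag, f"unknown classification {cls!r}")]
    if cls == "Public":
        return findings
    parsed = parse_method(entry.get("method", ""))
    if parsed is None:                          # finding: no DIN class on record
        return findings + [(tag, "method lacks a DIN 66399 classification")]
    family, level = parsed
    minimum = POLICY[cls].get(family)
    if minimum is None:                         # finding: class/method link missing
        findings.append((tag, f"policy defines no {family}-level for {cls}"))
    elif level < minimum:
        findings.append((tag, f"{family}-{level} is below required {family}-{minimum}"))
    return findings

def audit(log):
    return [f for entry in log for f in check_entry(entry)]

SAMPLE_LOG = [  # constructed sample: asset tag, date, method plus class and certificate
    {"asset_tag": "BOX-0101", "date": "2024-03-04", "classification": "Confidential",
     "method": "P-4", "certificate": "CERT-2024-017"},
    {"asset_tag": "HDD-0042", "date": "2024-03-04", "classification": "Strictly Confidential",
     "method": "H-4", "certificate": "CERT-2024-017"},
    {"asset_tag": "BOX-0102", "date": "2024-03-11", "classification": "Internal",
     "method": "shredded", "certificate": ""},
    {"asset_tag": "HDD-0043", "date": "2024-03-11", "classification": "Confidential",
     "method": "H-5", "certificate": "CERT-2024-021"},
]
```

Running `audit(SAMPLE_LOG)` on the constructed log yields four findings: one entry passes, one hardware item falls below H-5, one paper batch has neither a certificate nor a DIN level, and one exposes a class/media combination the policy never linked.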
NIST 800-88 as a technical source
ISO 27001 does not refer explicitly to NIST 800-88, but NIST SP 800-88 is the implicit technical reference for media sanitization. In audit reports NIST's Clear / Purge / Destroy is often used as a technical class alongside DIN classifications. Read our article NIST 800-88 vs DIN 66399 for the translation table.
The supplier assessment
ISO 27001 certification requires periodic demonstration that external suppliers meet your security requirements. From a destruction supplier you ask for, among other things:
- Own ISO 27001 certification (not required, but it shortens due diligence).
- Description of operational processes.
- DIN classification of equipment and process.
- Certificate template per job.
- Processor agreement under GDPR.
- Incident procedure (what if material is lost?).
Mobile versus off-site in ISO context
Auditors often ask about chain of custody. Mobile destruction (on site) shortens that chain considerably and is therefore often the recommended route in ISO context. For the wider trade-off, read mobile versus off-site shredding. For off-site, additional documentation is needed on transport security and processing time at the shredding site.
Common audit findings (NCs)
- ‘Disposal policy missing or outdated.’ Create and review annually.
- ‘No processor agreement with destruction supplier.’ Request it from the supplier.
- ‘Certificates incomplete (no DIN classification).’ Request a more explicit certificate.
- ‘No link between classification and disposal method.’ Include a table in the policy.
- ‘No supplier assessment.’ Plan annually or per job.
Our role in your ISO journey
We deliver as standard:
- Processor agreement under GDPR art. 28.
- Certificate per job with DIN classification and method.
- On request, supplier statement with our security measures.
- Asset-tag or serial-number list for hardware destruction.
For IT MSPs managing ISO environments for clients this matters. Read our sector-specific article.