What does control A.1.4.9 require?

The organisation shall have documented policies, procedures or mechanisms for the disposal of PII.

This control sits within the PII minimization objective (A.1.4) and ensures that when PII reaches the end of its lifecycle, whether through expiry of the retention period (A.1.4.8), fulfilment of the processing purpose, or a request from the PII principal, the data is destroyed in a way that prevents recovery.

What does the implementation guidance say?

Annex B (section B.1.4.9) provides the following guidance:

  • Ensure PII cannot be recovered — Disposal methods should guarantee that PII cannot be retrieved, reconstructed or recovered after disposal. Simple deletion (removing a file from a directory) is typically not sufficient as the data may remain on the storage medium
  • Select appropriate disposal methods — Methods should be matched to the storage medium and include: secure deletion (overwriting), physical destruction of media (shredding, degaussing, incineration) and cryptographic erasure (destroying the encryption keys for encrypted data)
  • Document procedures per medium type — The disposal method should be documented for each type of storage medium used by the organisation (hard drives, SSDs, USB devices, paper records, cloud storage, backup tapes)
  • Maintain disposal records — Keep records of what was disposed of, when, by whom and using what method. These records serve as audit evidence and accountability documentation
  • See also A.1.4.2: Limit Collection for related requirements
  • See also A.1.4.3: Limit Processing for related requirements

The key principle is that disposal must be verifiable. An auditor should be able to trace PII from its retention schedule through to a disposal record confirming it was securely destroyed.

How does this map to GDPR?

Control A.1.4.9 maps to GDPR Article 5(1)(f), the integrity and confidentiality principle, which requires that personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Secure disposal directly supports this by ensuring that PII is not inadvertently exposed through inadequate destruction methods.

For the full GDPR-to-ISO 27701 mapping, see GDPR Compliance Guide.

How does this relate to ISO 29100 privacy principles?

This control supports the ISO 29100 principle of Use, retention and disclosure limitation, specifically the requirement that PII be securely destroyed when it is no longer needed. Without secure disposal, retention limitation controls are incomplete because the data continues to exist even after the retention period has notionally expired.








What evidence do auditors expect?

When assessing compliance with A.1.4.9, auditors will typically look for:

  • Disposal policy — A documented policy covering the organisation’s approach to PII disposal, including responsibilities, approved methods and verification requirements
  • Medium-specific procedures — Documented disposal procedures for each type of storage medium: electronic (HDD, SSD, cloud), removable (USB, backup tapes), and physical (paper, printed documents)
  • Disposal records — A register or log of disposal activities showing what was disposed of, when, by whom and using which method
  • Third-party disposal agreements — Where disposal is outsourced (e.g. to a shredding company or IT asset disposal firm), contracts specifying secure disposal standards and certificates of destruction
  • Verification evidence — Records confirming that disposal was effective, such as certificates of destruction, overwrite verification reports or confirmation from cloud providers
  • Staff training — Evidence that personnel involved in disposal understand the procedures and the importance of secure destruction

What are the related controls?

  • A.1.4.8 Retention: Retention schedules define when disposal should be triggered
  • A.1.4.6 De-identification and deletion: Deletion is one form of disposal; de-identification is the alternative
  • A.1.4.7 Temporary files: Temporary files require disposal within their defined short retention periods
  • A.1.4.5 PII minimization objectives: Disposal is the final mechanism in the minimisation lifecycle
  • A.1.4.10 PII transmission controls: PII transmitted to third parties may also need disposal at the recipient end

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, disposal was addressed under Clause 7.4.8 (disposal). The 2025 control retains the same core requirement for documented disposal policies, procedures or mechanisms. The implementation guidance now places more emphasis on the need for medium-specific procedures and the importance of maintaining disposal records. Cryptographic erasure is also more prominently mentioned as a disposal technique. See the Annex F correspondence table for the full mapping.








Why choose ISMS.online for managing PII disposal?

ISMS.online helps you close the data lifecycle loop with documented, verifiable disposal processes:

  • Disposal procedure library — Maintain documented disposal procedures for each storage medium type, with version control and approval workflows
  • Disposal log — Record every disposal action with what was destroyed, the method used, who performed it and when, creating the audit trail auditors require
  • Third-party management — Track disposal service providers, their contracts, destruction certificates and compliance with your disposal standards
  • Retention integration — Automatically trigger disposal tasks when retention periods expire, connecting your retention schedule to the disposal process
  • Asset register linkage — Link disposal records to your IT asset register and data inventory so you can trace PII from collection through to certified destruction

FAQs

Is deleting a file sufficient disposal under this control?

Generally no. Standard file deletion (moving to a recycle bin or removing the directory entry) does not remove the data from the storage medium. The data remains recoverable using forensic tools until it is overwritten. Secure disposal requires overwriting (for HDDs), using manufacturer secure erase commands (for SSDs), physical destruction or cryptographic erasure. The method should be proportionate to the sensitivity of the PII and the risk of recovery.


How should disposal be handled for cloud-stored PII?

For cloud storage, physical destruction of media is not typically an option. Instead, the organisation should: use the cloud provider’s secure deletion APIs; verify through the provider’s terms or certifications that deleted data is not recoverable; consider cryptographic erasure (encrypting data with a unique key and then securely destroying the key); and retain confirmation from the provider that data has been removed from all replicas and backups. The disposal procedure should be documented in your cloud data processing agreement.


Do disposal records themselves need to be retained?

Yes. Disposal records serve as your proof that PII was securely destroyed. They should be retained for a period sufficient to demonstrate compliance during audits and to respond to any queries from PII principals or regulators about what happened to their data. Disposal records should not contain the PII itself, only metadata about the disposal (what category, when, how, by whom). A typical retention period for disposal records is aligned with your audit cycle plus any applicable limitation period.
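The cryptographic erasure named in the implementation guidance and in the cloud-storage FAQ, paired with the metadata-only disposal record this answer calls for, as an added Go example that is not part of this page or of the ISMS.online platform. The per-subject key store, the data store and the subject identifiers are constructed in-memory stand-ins; a real deployment would hold the keys in a KMS or HSM and the ciphertext in the cloud store or its backups.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)
// DisposalRecord is metadata only: it must never carry the PII itself.
type DisposalRecord struct{ SubjectID, Category, Method, PerformedBy string; When time.Time }
// Each subject's PII sits under its own AES-256-GCM key; disposal destroys that
// key, so the ciphertext (and every backup copy of it) becomes unrecoverable.
// Keys and Data are constructed in-memory stand-ins for a real key store and data store.
var (
	Keys    = map[string][]byte{} // per-subject keys, dropped on disposal
	Data    = map[string][]byte{} // nonce || ciphertext, may persist in backups
	Records []DisposalRecord      // the disposal log A.1.4.9 asks for
)
// key is always 32 bytes here, so the constructor errors cannot occur.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// Put encrypts pii for subject under a fresh random key and nonce.
func Put(subject, pii string) error {
	buf := make([]byte, 44) // 32-byte key followed by 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil { return err }
	key, nonce := buf[:32:32], buf[32:]
	Keys[subject] = key
	Data[subject] = gcm(key).Seal(nonce, nonce, []byte(pii), []byte(subject))
	return nil
}
// Get decrypts a subject's PII; it fails once the key is gone even though the
// ciphertext is still present, which is what makes the erasure checkable.
func Get(subject string) (string, error) {
	key, ok := Keys[subject]
	if !ok { return "", errors.New("key destroyed or never existed") }
	blob := Data[subject]
	pt, err := gcm(key).Open(nil, blob[:12], blob[12:], []byte(subject))
	return string(pt), err
}
// Dispose is cryptographic erasure: zeroise and drop the key, then append a
// metadata-only record (what category, how, by whom, when).
func Dispose(subject, category, by string) (DisposalRecord, error) {
	key, ok := Keys[subject]
	if !ok { return DisposalRecord{}, errors.New("nothing to dispose") }
	for i := range key { key[i] = 0 }
	delete(Keys, subject)
	rec := DisposalRecord{subject, category, "cryptographic erasure", by, time.Now().UTC()}
	Records = append(Records, rec)
	return rec, nil
}
```

After Dispose, the ciphertext still sits in Data (as it would in a provider's replicas and backups) but Get can no longer open it, and the record appended to Records holds only the category, method, operator and timestamp.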



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
