
What does control A.3.21 require?

Items of equipment containing storage media with PII shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

This control sits within the Shared security controls annex (A.3) and addresses a critical end-of-life risk: PII that remains on storage media in decommissioned or reassigned equipment can be recovered using readily available forensic tools. Without verified data destruction, organisations risk significant data breaches every time they dispose of, sell, donate or reassign hardware.

What does the Annex B implementation guidance say?

Annex B (section B.3.21) provides the following guidance:

  • Ensure storage re-assignment safety — Whenever storage space is re-assigned, any PII previously residing on that storage space must not be accessible to the new user or system
  • Address performance-related deletion challenges — Explicit erasure of PII may be impractical due to system performance constraints, creating a risk that another user can access the PII. This risk should be avoided by specific technical measures
  • Default to treating all media as containing PII — Equipment containing storage media that can possibly contain PII should be treated as though it does contain PII, ensuring secure disposal procedures are applied regardless of whether PII presence has been confirmed
  • See also A.3.5: Classification of Information for related requirements
  • See also A.3.6: Labelling of Information for related requirements

The precautionary approach in the guidance is significant: rather than requiring organisations to determine whether each piece of equipment actually contains PII (which can be difficult and error-prone), the standard recommends treating all equipment with storage media as if it contains PII.

How does this map to GDPR?

Control A.3.21 maps to the following GDPR article:

  • Article 5(1)(f) — The integrity and confidentiality principle, requiring appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

Failing to securely dispose of equipment is one of the most common and visible ways organisations breach Article 5(1)(f), often resulting in enforcement action and significant fines.

For the full GDPR-to-ISO 27701 mapping, see GDPR Compliance Guide.

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was covered by Clause 6.8.2.7 (secure disposal or re-use of equipment). The 2025 edition retains the same core requirements as A.3.21 with implementation guidance in B.3.21. The principle of treating all media-containing equipment as if it holds PII remains a key recommendation. See the Annex F correspondence table for the full mapping.

What evidence do auditors expect?

When assessing compliance with A.3.21, auditors will typically look for:

  • Data destruction policy — A documented policy specifying how equipment containing PII is to be sanitised before disposal or re-use, including approved methods (e.g. cryptographic erasure, degaussing, physical destruction)
  • Certificates of destruction — Written confirmation from internal teams or third-party disposal providers that data destruction has been completed, ideally referencing specific asset or serial numbers
  • Asset disposal register — A log of all disposed or reassigned equipment, recording the asset identifier, disposal date, method of data destruction and the responsible person
  • Third-party disposal contracts — Where disposal is outsourced, contracts specifying data destruction standards and liability, with evidence of due diligence on the disposal provider
  • Verification checks — Evidence that data destruction has been verified (e.g. spot checks, sampling, or automated verification reports from data wiping software)
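As an added example (not from the page or ISMS.online), the Python script below performs the kind of automated verification check listed above: it samples sectors of a sanitised media image, confirms each holds only the overwrite pattern, and fills in the fields an asset disposal register entry needs. The image contents, asset identifier, method label and responsible person are constructed placeholders.

```python
# Added example; placeholder asset data, not ISMS.online code.
import os
import random
import tempfile
from datetime import date

SECTOR = 512

def sample_offsets(size, samples=64, seed=None):
    """Sector-aligned offsets across the media, always including first and last
    sectors (common blind spots for wiping tools)."""
    rng = random.Random(seed)
    n = max(size // SECTOR, 1)
    chosen = {0, n - 1}
    while len(chosen) < min(samples, n):
        chosen.add(rng.randrange(n))
    return sorted(o * SECTOR for o in chosen)

def verify_overwrite(path, pattern=b"\x00", samples=64, seed=None):
    """Check that sampled sectors hold only the overwrite pattern.
    Returns (passed, offsets where residual data was found)."""
    bad = []
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)
        for off in sample_offsets(size, samples, seed):
            f.seek(off)
            block = f.read(SECTOR)
            if block != (pattern * SECTOR)[:len(block)]:
                bad.append(off)
    return not bad, bad

def register_entry(asset_id, method, responsible, passed, when=None):
    """Asset disposal register record with the fields auditors expect."""
    return {"asset_id": asset_id, "method": method, "responsible": responsible,
            "disposal_date": (when or date.today()).isoformat(),
            "verification": "PASS" if passed else "FAIL - do not release asset"}

def demo():
    """Two constructed 1 MiB images: one fully zeroed, one with residual PII."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, pii in (("wiped", b""), ("residual", b"name=Jane Doe (constructed)")):
            path = os.path.join(d, label + ".img")
            with open(path, "wb") as f:
                f.write(pii + b"\x00" * ((1 << 20) - len(pii)))
            passed, bad = verify_overwrite(path, seed=1)
            entry = register_entry("ASSET-0001", "NIST SP 800-88 clear (overwrite)",
                                   "IT Ops (placeholder)", passed)
            results[label] = dict(entry, bad_offsets=bad)
    return results
```

On real hardware, point verify_overwrite at the block device path; sampling is a spot check that catches failed or partial wipes, not proof that every sector was overwritten.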

What are the related controls?

Related controls and their relationship to A.3.21:

  • A.3.20 Storage media: disposal is the final stage of the storage media life cycle managed by A.3.20
  • A.1.4.9 Disposal: controller-specific disposal requirements for PII, complementing physical equipment disposal
  • A.1.4.6 De-identification and deletion: data deletion requirements that must be satisfied before equipment disposal
  • A.3.10 Supplier agreements: third-party disposal providers must be bound by appropriate contractual terms
  • A.3.14 Protection of records: disposal certificates and records must be retained as evidence

Who does this control apply to?

A.3.21 is a shared control that applies to both PII controllers and PII processors. Any organisation that owns or leases equipment capable of storing PII must ensure secure data destruction before that equipment changes hands, whether through disposal, sale, donation, return (at lease end) or internal reassignment.

Why choose ISMS.online for equipment disposal management?

ISMS.online provides practical tools for managing secure disposal and re-use of equipment:

  • Asset lifecycle tracking — Track every piece of equipment from acquisition through to disposal, with status updates and ownership history linked to your asset register
  • Disposal workflows — Trigger disposal workflows that require data destruction verification before an asset can be marked as decommissioned
  • Certificate storage — Upload and link certificates of destruction directly to asset records, creating a complete audit trail
  • Supplier management — Manage third-party disposal providers with contract records, due diligence documentation and performance reviews
  • Automated evidence packs — Generate audit-ready evidence packs combining asset registers, disposal logs and destruction certificates for A.3.21 compliance

FAQs

What data destruction methods are acceptable?

Acceptable methods include cryptographic erasure (rendering encrypted data unreadable by destroying the encryption keys), secure overwriting carried out in line with recognised media sanitisation guidelines (e.g. NIST SP 800-88), degaussing (for magnetic media) and physical destruction (shredding, crushing or incineration). The method chosen should be proportionate to the sensitivity of the PII and the type of storage media. For solid-state drives (SSDs), cryptographic erasure or physical destruction is preferred because wear levelling and spare capacity mean a traditional overwrite may not reach every storage cell.


What about leased equipment returned to the lessor?

Leased equipment must be treated the same as disposed equipment: all PII must be securely erased before return. The lease agreement should specify data destruction responsibilities and allow the organisation to perform or verify data wiping before the equipment leaves its premises. If the lessor handles destruction, obtain written confirmation and certificates of destruction.


Should damaged or faulty equipment be treated differently?

Damaged equipment requires extra caution because software-based data wiping may not be possible. If the storage media is still intact, physical destruction is usually the safest option. If the equipment is being sent for repair, the organisation should assess whether PII-containing storage media can be removed before the equipment leaves its premises. The implementation guidance’s precautionary principle applies: if the equipment could contain PII, treat it as though it does.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
