How should ISO 27001 Certified Companies Deal with Media Disposal?

Posted by Luke Tayler on December 27th, 2018

Gone are the days when medical devices were of immense importance. Though people who prefer using pen drives or external drives still exist, the modern world is ruled by the cloud. Well, let me tell you that all the information stored in the cloud is stored on a server (for instance, its hard disk). Who doesn’t know that hard disk itself is a media device? There is one more thing that everyone must know. The media devices should be disposed of safely.

ISO 27001 is an internationally acclaimed standard that ensures the information safety. This is not the end; ISO 27001 certification helps the organisations with the disposal of media devices. In this article, I will explain how this ISO certification influences the disposal of media device.

Before delving into the details, it’s important to figure out what kind of media you need to take care of.

What are Media?

What plays the most important role in the ISO 27001 standard? Of course, information! Therefore, it is important to take care of the media that your organisation is using to store their data. By the way, what is media, in the present context? Media is a device that is used widely for storing the information. Therefore, media should include hard drives, USB pen drives, USB pen drives, CDs, DVDs etc. When it comes to the ISO 14001 standard, Environmental Management Systems assume great importance. Similarly, when it comes to the ISO 27001 Standard, media assumes great importance.

Information Classification

Many companies follow a method for the classification of their information, as not all the media possess the same information; moreover, not all the information has the same value for an enterprise. For instance, there is a huge difference between a pen drive containing a PDF of a presentation of your business (which is a piece of public information) and a pen drive containing the client database of an organisation.

See, how important it is to classify the information type! In the “Annex A” of ISO 27001, you will find a mention of “Classification of Information” section. It will help you understand the main purpose of this classification. You should come up with an effective information classification policy following the steps given below:

• Outline an asset inventory that may include electronic documents, information database, paper documents, storage media, verbally transmitted information, email etc.
• Classify the information into these four categories- confidential, restricted, internal use, and the public.
• Label the classified information
• Set out rules for each type of asset on the basis of the level of confidentiality

Now, let’s head towards our main discussion- how to deal with media disposal effectively.

5 Effective Ways of Dealing with Media Disposal

If you have a media device that stores your confidential information, you should consider the risks associated with it. Well, you can manage these risk factors with the help of an effective risk management plan and treatment methodology. Listed below are the five ways that can help you implement a security control for disposing of the media:

1. Destroy the Media Physically

You can destroy the media by incineration or shredding. This method can be applied to damaging the devices as well. However, you should be careful enough as a damaged media device might possess certain sensitive information as well. Having a backup of this sensitive information would be a great way of avoiding this disaster. Before processing the methods required for ISO 27001 certification, you should ensure that backup has been taken.

2. Delete the Information Safely

You can use smart software tools for overwriting the information or deleting the data in a safe way.

3. Employ an External Device

Nowadays, many companies are offering tools o services for destroying the media. You can choose one of these tools or services. However, you need to choose the tool or service carefully.

4. Avoid the Aggregation Effect

Avoiding multiple media having non-sensitive information is always a good idea. It will help you get rid of useless elements and makes your system active, charged, and safe.

5. Register the Disposal

By registering the disposal, you will be able to gain useful information required for the audit trails.

A Final Takeaway

By taking all of these ways into account, you can recover the information. No one can deny that ISO 27001 is a great tool for securing the media containing the confidential information as it enables an organisation to figure out the risks, address the risks, and implement the security controls for disposing of the media in a safe and secure way.

Author Bio

Damon Anderson is an ISO 27001 certification consultant who is a regular blogger as well. Most of his blogs cover different aspects of ISO standards including ISO Quality Assurance System, Environmental Management Systems etc.