3.3.11 Secure Disposal of Information Assets
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force
Principle
The information assets of the Member Organization should be securely disposed of when the information assets are no longer required.
Objective
To ensure that the Member Organization’s business, customer and other sensitive information is protected from leakage or unauthorized disclosure when disposed of.
Control considerations
- The secure disposal standard and procedure should be defined, approved and implemented.
- The compliance with the secure disposal standard and procedure should be monitored.
- The effectiveness of the secure disposal cyber security controls should be measured and periodically evaluated.
- Information assets should be disposed of in accordance with legal and regulatory requirements, when no longer required (i.e. meeting data privacy regulations to avoid unauthorized access and avoid (un)intended data leakage).
- Sensitive information should be destroyed using techniques to make the information non-retrievable (e.g., secure erase, secure wiping, incineration, double crosscut, shredding).
- The Member Organization should ensure that third party service providers used for secure disposal, transport and storage comply with the secure disposal standard and procedure, and that the effectiveness is periodically measured and evaluated.