NCSRC NIRMATA
IS-16B Identity & Access 8% of OML score

Are unused or old systems removed, disabled, or securely wiped before disposal?

When you stop using old computers, servers, phones, or hard drives, you need to make sure all the customer names, passwords, bank details, and other sensitive information stored on them is completely erased so nobody can recover it later. Simply deleting files or formatting a drive is not enough: those operations only remove the filesystem's references to the data, and the data itself stays on the disk until it is overwritten or the drive is sanitized. You need proper tools or services to wipe the data, and a way to verify that the wipe actually happened, before selling, donating, or throwing away the equipment.

⚡
Why This Matters to Your Business

If you dispose of old equipment without properly erasing data, someone could recover customer information, financial records, or employee details and use them for fraud or blackmail. For example, a Delhi-based garment exporter sold old computers without wiping them; recovered customer payment details led to ₹45 lakh in fraudulent transactions and loss of major contracts when the breach became public. Under the DPDP Act 2023, failing to take reasonable security safeguards to prevent a personal data breach carries a penalty of up to ₹250 crore (Schedule to the Act), and your customers may stop doing business with you if they learn their data was exposed through your negligence.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You find old laptops, external drives, and network storage devices scattered in a storeroom, still containing employee and customer files, spreadsheets with passwords, and financial records. No one tracks what happens to them when they eventually get removed.

Level 1
Initial

You have a rough list of old equipment somewhere, and you hand it over to a local vendor or ask someone to 'format the drive' before disposal, but there's no formal process, no documentation, and no verification that data was actually erased.

Level 2
Developing

You have a documented device disposal policy that requires IT staff to wipe drives before removal, and you keep basic records of what was erased. However, the wiping process is sometimes skipped under time pressure, and you don't use certified tools.

Level 3
Defined

You follow a formal procedure: devices are tagged when retired, wiped using recognized software tools, and records are kept with dates and names. Occasionally you have external IT vendors handle old equipment with basic contractual clauses about data destruction.

Level 4
Managed

All retired devices go through a documented lifecycle: inventory tracking, secure wiping with certified tools following NIST SP 800-88 (Guidelines for Media Sanitization), with the method matched to the media (verified overwrite for spinning disks, built-in secure erase or crypto-erase for SSDs and phones), destruction certificates from vendors, and quarterly audits to ensure nothing slips through. Contracts with third parties explicitly require data destruction certification.

Level 5
Optimised

Device retirement is part of your formal information lifecycle management. Every device is tracked from purchase to disposal, wiped using certified processes, and third-party vendors provide signed destruction certificates. You audit compliance quarterly, train staff annually, and adjust procedures based on emerging threats or regulatory changes.

🚀
How to Move Up — Practical Steps
Step | What to Do | Who | Effort
0 → 1 | Create a simple one-page Device Disposal Procedure stating that all old equipment must have its data erased before leaving the office, and assign one person responsibility for tracking old devices | IT Manager or Business Owner | 1 day
1 → 2 | Install free wiping software (DBAN or its maintained successor nwipe for spinning disks; Eraser on Windows), test it on non-critical old hardware, document the steps, and add them to your procedure. For SSDs and phones, document the device's built-in secure-erase or factory-reset route instead, because overwrite tools do not reliably clean flash media. Start keeping a simple log sheet with device serial number, media type, date wiped, method used, and who did it | IT Staff or designated technician | 3-4 days
2 → 3 | Formalize the disposal procedure into a documented process with roles assigned (who retires devices, who wipes them, who records it), integrate device tracking into your asset register, and require IT sign-off before any equipment leaves the premises | IT Manager + Finance/Admin head | 1 week
3 → 4 | Establish contracts with certified e-waste vendors that include written data destruction obligations and certificate requirements; move to enterprise-grade wiping tools that produce a per-drive verification report; conduct a quarterly compliance audit by reconciling the retirement log against the asset inventory | IT Manager + Procurement/Admin | 2-4 weeks
4 → 5 | Embed device lifecycle management into your information security policy, conduct annual staff training on data handling at end-of-life, review and update procedures annually based on regulatory changes, and document continuous improvement actions | IT Manager + Information Security Lead | Ongoing (1 review per quarter, 1 training per year)
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Documented Device Disposal or Asset Retirement Policy signed by management
  • Device Retirement Log or Register with columns: Device ID/Serial, Device Type, Media Type (HDD/SSD/flash), Retirement Date, Data Wiping Method Used, Verification Result, Wiped By (name), Date Wiped, and sign-off
  • Certificates or invoices from certified e-waste vendors showing data destruction confirmation or signed destruction certificates
  • Records of wiping software licenses (or free tool download/installation logs) with dates and versions used
  • Audit trail or checklist showing which devices were tracked and disposed of, cross-referenced with your fixed asset inventory
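The quarterly reconciliation called for in step 3 → 4 and the cross-reference in the last evidence item above can be automated once the log and the asset register are kept as spreadsheets. The following is an added example written for this guide, not tooling from the NIRMATA framework; the column names, the method and media vocabularies, and both data sets are constructed assumptions, and the rows are fake devices chosen so that each check fires once.

```python
"""
Added example (not part of the NIRMATA guide): reconcile a device retirement
log against the fixed-asset register and report gaps an auditor would find.
Column names, vocabularies and all rows below are constructed assumptions.
"""
import csv
import io
from collections import defaultdict

# Assumed vocabularies for the 'method' and 'media' columns
OVERWRITE_TOOLS = {"dban", "nwipe", "eraser", "dd", "shred", "killdisk"}
NOT_SANITIZATION = {"format", "quick-format", "delete"}
FLASH_MEDIA = {"ssd", "nvme", "flash", "emmc"}

# Constructed asset register (fake devices)
ASSET_REGISTER = """asset_id,device_type,media,status,data_class
LT-001,laptop,SSD,Retired,customer
LT-002,laptop,HDD,Retired,internal
SV-001,server,HDD,Retired,financial
PH-001,phone,flash,Retired,employee
LT-003,laptop,SSD,Active,customer
US-001,usb,flash,Retired,employee
"""

# Constructed retirement log (fake entries); cert_id is the vendor's
# destruction certificate number, signoff is the IT manager's approval
RETIREMENT_LOG = """asset_id,retired_date,method,wiped_by,wiped_date,signoff,cert_id
LT-001,2024-03-04,dban,R. Mehta,2024-03-05,yes,
LT-002,2024-03-04,dban,R. Mehta,2024-03-05,yes,
SV-001,2024-04-10,vendor,,2024-04-12,yes,
PH-001,2024-05-02,factory-reset,A. Rao,2024-05-02,,
LT-003,2024-06-01,format,A. Rao,2024-06-01,yes,
"""


def load(csv_text: str) -> list:
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(register_csv: str, log_csv: str) -> list:
    """Return sorted (asset_id, finding) pairs; an empty list means the
    log and the register agree and every method fits the media."""
    register = {r["asset_id"]: r for r in load(register_csv)}
    log_by_asset = defaultdict(list)
    for row in load(log_csv):
        log_by_asset[row["asset_id"]].append(row)

    findings = []
    for asset_id, asset in register.items():
        retired = asset["status"].strip().lower() == "retired"
        rows = log_by_asset.get(asset_id, [])
        if retired and not rows:
            # Device left the register with no evidence it was ever wiped
            findings.append((asset_id, "retired in register but no retirement log entry"))
        for row in rows:
            method = row["method"].strip().lower()
            media = asset["media"].strip().lower()
            if not retired:
                findings.append((asset_id, "wiped/disposed but asset register still shows Active"))
            if method in NOT_SANITIZATION:
                findings.append((asset_id, f"'{method}' is not sanitization: data remains recoverable"))
            if method in OVERWRITE_TOOLS and media in FLASH_MEDIA:
                # Wear-levelling hides blocks from the host; overwrite is unreliable on flash
                findings.append((asset_id, "software overwrite on flash media: use firmware sanitize or crypto-erase"))
            if method == "vendor" and not row["cert_id"].strip():
                findings.append((asset_id, "vendor disposal without destruction certificate"))
            if row["signoff"].strip().lower() != "yes":
                findings.append((asset_id, "no IT sign-off recorded"))
    for asset_id in log_by_asset:
        if asset_id not in register:
            findings.append((asset_id, "retirement log entry for asset not in register"))
    return sorted(findings)


if __name__ == "__main__":
    for asset_id, finding in reconcile(ASSET_REGISTER, RETIREMENT_LOG):
        print(f"{asset_id}: {finding}")
```

Run against real exports, the script should produce an empty list every quarter; each line it does print is exactly the kind of gap the auditor question "pick a device from your log and show me evidence it was wiped" is designed to expose. The flash-media rule is the one most SMEs miss: a DBAN pass on an SSD is logged as a success by the tool but is not a sanitization under NIST SP 800-88.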
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through your process when a computer or server reaches end-of-life. Who decides it's time to dispose of it, and what happens next?"
  • "Show me your device retirement log for the last 12 months. How many devices were retired, what data was on them, and what method was used to erase the data?"
  • "If I pick a device from your log, can you show me evidence that it was actually wiped—a certificate, a vendor receipt, a technician's note—anything?"
  • "Who are your e-waste vendors or disposal partners? Can you show me their data destruction guarantees or certification? Are they certified by any recognized body?"
  • "Have you ever had a situation where an old device was removed without going through your disposal process? If yes, what happened, and how did you investigate it?"
🛠
Tools That Work in India
Purpose | Free Option | Paid Option
Securely erase whole drives before disposal: a verified overwrite for spinning disks (a single pass is sufficient under NIST SP 800-88; extra passes add time, not security) or the drive's built-in secure-erase/sanitize command for SSDs and NVMe drives, which software overwrites cannot reliably clean | DBAN (Darik's Boot and Nuke) - bootable and independent of the installed OS, free and open-source, but unmaintained since 2015 and only suitable for spinning disks; nwipe - maintained open-source successor to DBAN's wiping engine; Eraser - Windows-only, free and open-source; hdparm (ATA Secure Erase) and nvme-cli (nvme format / nvme sanitize) on Linux for SSDs | Blancco Drive Eraser (₹50,000–1,50,000/year depending on licences); Certify by Seagate (₹30,000–80,000/year for small teams)
Track and manage inventory of IT assets from purchase to disposal | LibreOffice Calc or Google Sheets with custom templates; Snipe-IT (open-source asset management, requires self-hosting) | Zoho Inventory (₹2,000–8,000/month); Microsoft Intune or ManageEngine ServiceDesk Plus (₹20,000–2,00,000/year depending on users)
Securely delete individual files and overwrite free space on systems that stay in service (on SSDs file-level overwrites are not reliable either; enabling full-disk encryption from day one is the practical control, since disposal then reduces to destroying the key) | CCleaner (free version for basic cleanup); cipher /w:<drive> (Windows built-in command-line tool; overwrites free space only, so it removes already-deleted files but not files still present) | Permanent Eraser (₹1,500 one-time); KillDisk (₹8,000–15,000 for enterprise)
🛡
How This Makes You More Resilient
When you properly erase data before disposing of equipment, you eliminate the risk of customer or employee information being recovered and misused after the device leaves your control. This protects your reputation, prevents regulatory fines under the DPDP Act, and ensures you can confidently certify to customers and auditors that their data was handled securely throughout its lifecycle. You also reduce exposure to blackmail, fraud, and competitive intelligence theft that commonly occur when old equipment is carelessly discarded.
⚠️
Common Pitfalls in India
  • Relying on simple 'format' or 'delete' operations, which only remove file pointers and leave data recoverable with free forensic tools. Match the sanitization method to the media: a verified single-pass overwrite is sufficient for magnetic disks under NIST SP 800-88 (multiple passes add time, not security); for SSDs, NVMe drives, USB sticks and phones, overwriting is unreliable because wear-levelling keeps copies the host cannot reach, so use the device's built-in secure-erase/sanitize command, crypto-erase on an encrypted device, or physical destruction
  • Handing over old equipment to local vendors or recyclers without written data destruction agreements or certificates, then having no way to prove the data was actually erased if a breach occurs later
  • Not tracking which devices contain what data, so when old equipment is retired, no one knows if customer, financial, or employee records were stored on it—maintain an asset inventory linked to what data each device held
  • Exempting old mobile phones, USB drives, and portable hard drives from the disposal process because they're 'small,' missing a major source of leakage (a single forgotten USB stick with employee records can cause a significant breach)
  • Documented procedure exists but is bypassed under pressure (IT staff wipe devices informally without logging it), leaving no audit trail and no way to prove compliance during an audit or investigation
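To make the first pitfall concrete, the block below is an added illustration written for this guide, not code from the NIRMATA framework. It models a disk as a small metadata area (directory entries) plus a data area, which is the part of the picture that matters: 'delete' and 'quick format' rewrite only the metadata area, so the record carves straight out of the data sectors with the same pattern matching that `strings` or `grep -a` would do on a real drive image. It then performs a single-pass overwrite and reads every sector back, which is the verification step the maturity levels ask for. The layout constants, function names and the customer record are constructed assumptions; nothing touches a real device.

```python
"""
Added example (not from the NIRMATA guide): a simplified disk model with a
metadata area and a data area, showing why 'delete' / 'quick format' leave
data recoverable and what a read-back-verified overwrite looks like.
Layout constants, names and the sample record are constructed assumptions.
"""
import re

SECTOR = 512
META_SECTORS = 8            # assumption: first 4 KiB is the directory/metadata area
IMAGE_SECTORS = 256         # assumption: 128 KiB constructed 'disk'
DATA_START = 32             # assumption: the file's data begins at sector 32

# Constructed sample record (fake data), laid out like a CSV file on disk
RECORD = (b"name=Priya Sharma;card=4111111111111111;"
          b"email=priya@example.com;password=Hunter2!")

# Simple carving heuristics: the same idea as `strings` / `grep -a` on a drive
CARD_RE = re.compile(rb"\b(?:4\d{15}|5[1-5]\d{14})\b")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CRED_RE = re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*[^\x00\s;]+")


def new_image() -> bytearray:
    """Build the constructed disk: one directory entry plus the record's bytes."""
    img = bytearray(IMAGE_SECTORS * SECTOR)
    entry = b"customers.csv|start=%d|len=%d\n" % (DATA_START, len(RECORD))
    img[0:len(entry)] = entry
    img[DATA_START * SECTOR:DATA_START * SECTOR + len(RECORD)] = RECORD
    return img


def delete_file(img: bytearray) -> None:
    """'rm' / emptying the recycle bin: only the directory entry is cleared."""
    entry_end = img.index(b"\n") + 1
    img[0:entry_end] = bytes(entry_end)


def quick_format(img: bytearray, label: bytes) -> None:
    """Quick format: a fresh, empty metadata area; data sectors are untouched."""
    img[0:META_SECTORS * SECTOR] = bytes(META_SECTORS * SECTOR)
    img[0:len(label)] = label


def carve(img: bytes) -> list:
    """Scan raw sectors for card numbers, e-mail addresses and credentials."""
    hits = []
    for kind, rx in (("card", CARD_RE), ("email", EMAIL_RE), ("credential", CRED_RE)):
        hits += [(m.start(), kind, m.group(0)) for m in rx.finditer(img)]
    return sorted(hits)


def overwrite(img: bytearray, pattern: bytes = b"\x00") -> None:
    """Single-pass overwrite of every sector. On a magnetic disk this is the
    NIST SP 800-88 'Clear' method; further passes add time, not security.
    Flash media (SSD/NVMe/USB/phones) need firmware sanitize or crypto-erase
    instead, because wear-levelling hides blocks from the host."""
    block = pattern * (SECTOR // len(pattern))
    for off in range(0, len(img), SECTOR):
        img[off:off + SECTOR] = block


def verify(img: bytes, pattern: bytes = b"\x00") -> tuple:
    """Read every sector back; return (ok, first_bad_sector)."""
    block = pattern * (SECTOR // len(pattern))
    for i in range(len(img) // SECTOR):
        if img[i * SECTOR:(i + 1) * SECTOR] != block:
            return False, i
    return True, -1


def run_demo() -> dict:
    img = new_image()
    delete_file(img)              # what the user thinks erased the file
    quick_format(img, b"NEWVOL")  # what 'format before sale' actually did
    before = carve(img)           # ...yet the record carves straight out
    overwrite(img)
    ok, bad_sector = verify(img)
    after = carve(img)
    return {
        "recoverable_after_format": [kind for _, kind, _ in before],
        "wipe_verified": ok,
        "first_bad_sector": bad_sector,
        "recoverable_after_wipe": len(after),
    }


if __name__ == "__main__":
    print(run_demo())
```

On a real drive the carving step is `strings` or `grep -a` against the block device or a `dd` image, and the verification step is a full read-back, which is what enterprise wiping tools put in their per-drive report. Note that read-back verification only proves the sectors the host can see are clean; on an SSD the over-provisioned and remapped blocks are invisible to it, which is why the guide points to the drive's own sanitize command or crypto-erase for flash media.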
⚖️
Compliance References
Standard | Relevant Section
DPDP Act 2023 | Section 8(5) (Data Fiduciary must take reasonable security safeguards to prevent personal data breach) and Section 8(7) (erase personal data once the purpose is no longer served, and cause Data Processors to erase it); the Schedule sets a penalty of up to ₹250 crore for failing to take reasonable security safeguards
CERT-In Directions (28 April 2022) | Direction (ii) (report cyber security incidents, including data breaches and data leaks, to CERT-In within six hours) and Direction (iv) (retain ICT system logs for 180 days). The Directions do not prescribe a sanitization method, but a leak from a discarded device is a reportable incident and your retirement log is part of the evidence you will be asked for
ISO/IEC 27001:2022 | Annex A controls 5.9 (Inventory of information and other associated assets), 7.10 (Storage media), 7.14 (Secure disposal or re-use of equipment) and 8.10 (Information deletion) - require media to be sanitized or destroyed before disposal or re-use and assets to be tracked through to disposal
NIST CSF 2.0 | ID.AM-08 (systems, hardware, software, services and data are managed throughout their life cycles, which includes disposal), PR.DS-01 (confidentiality, integrity and availability of data at rest are protected) and the GV.SC category (supply chain risk management) for contractual destruction obligations on vendors; the sanitization methods themselves are specified in NIST SP 800-88

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
