A.7.14 Secure Disposal or Re-use of Equipment
What is A.7.14 Secure Disposal or Re-use of Equipment?
ISO 27001 control A.7.14 Secure Disposal or Re-use of Equipment ensures items of equipment containing storage media are verified to be free of sensitive data prior to disposal or re-use. The control requires cryptographic sanitisation via Microsoft Intune and Windows Autopilot for internal re-use, secure destruction with Chain of Custody and Certificate of Destruction for end-of-life equipment, BitLocker encryption as a safety net, and factory reset procedures for network appliances.
How to implement A.7.14 in Microsoft 365
Implement A.7.14 for internal re-use by initiating Fresh Start, Autopilot Reset, or Remote Wipe via Intune to cryptographically obliterate the previous user's data when equipment transfers from one user to another. Verify that the device has successfully re-enrolled before issuing it to the new user. For end-of-life functional devices, perform a legal wipe using Intune or a certified data erasure tool before disposal. For non-functional devices with motherboard failure, physically remove and destroy the hard drive or SSD, or surrender the device to a certified secure destruction partner for physical shredding.
Maintain BitLocker encryption on all Windows devices as a safety net. Obtain a Certificate of Destruction listing serial numbers.
What an auditor checks for A.7.14
- Auditors will verify BitLocker encryption status report showing 95% or more of physical Windows devices are encrypted.
- They will check the list of unencrypted devices for disposal risk assessment.
- Auditors will review Certificate of Destruction PDFs from certified e-waste partners listing serial numbers.
- They will verify the asset register showing devices marked Disposed with method and date.
- Auditors will check device retirement audit trail including Intune deletion records and Entra ID deletion records.
- They will review FortiGate reset confirmation logs showing factory reset before disposal.
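The checks above can be rehearsed before the audit. The Python below is an added example, not part of the original page or of any Microsoft tooling: it computes BitLocker coverage against the 95% figure and cross-checks the asset register against certificate serial numbers. The CSV column names, the sample serials, and the rule that every Disposed asset must appear on a certificate are assumptions made for illustration.

```python
import csv
import io

# Constructed sample exports; column names and values are assumptions, not real tenant data.
ENCRYPTION_REPORT = """serial,os,encrypted
SN-1001,Windows,true
SN-1002,Windows,true
SN-1003,Windows,false
SN-1004,Windows,true
"""
ASSET_REGISTER = """serial,status,method,date
SN-0901,Disposed,Shredded,2024-03-02
SN-0902,Disposed,,2024-03-02
SN-0903,Disposed,Shredded,2024-03-05
SN-1001,In use,,
"""
# Serials transcribed from Certificate of Destruction PDFs (constructed).
CERTIFICATE_SERIALS = {"SN-0901", "SN-0902", "SN-1001"}
THRESHOLD = 0.95  # the 95% figure from the auditor checklist


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def bitlocker_coverage(devices):
    """Return (encrypted share of Windows devices, sorted unencrypted serials)."""
    windows = [d for d in devices if d["os"] == "Windows"]
    unencrypted = sorted(d["serial"] for d in windows if d["encrypted"].lower() != "true")
    share = (len(windows) - len(unencrypted)) / len(windows) if windows else 0.0
    return share, unencrypted


def disposal_gaps(register, certificate_serials):
    """Map each Disposed serial to the evidence it lacks; flag certificate-only serials too."""
    gaps = {}
    disposed = [a for a in register if a["status"] == "Disposed"]
    for asset in disposed:
        missing = [f for f in ("method", "date") if not asset[f].strip()]
        if asset["serial"] not in certificate_serials:
            missing.append("certificate")
        if missing:
            gaps[asset["serial"]] = missing
    for serial in certificate_serials - {a["serial"] for a in disposed}:
        gaps[serial] = ["register not marked Disposed"]
    return gaps


if __name__ == "__main__":
    share, unencrypted = bitlocker_coverage(load(ENCRYPTION_REPORT))
    print(f"BitLocker coverage {share:.0%} (target {THRESHOLD:.0%}); unencrypted: {unencrypted}")
    print(disposal_gaps(load(ASSET_REGISTER), CERTIFICATE_SERIALS))
```

A serial that appears on a certificate while the register still shows it in use is reported alongside disposed assets that lack a method, date, or certificate, since either mismatch breaks the audit trail.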
What your auditor expects for A.7.14
- Disposal evidence with BitLocker encryption status
- stale device identification
- destruction certificates
M365 capabilities that implement this control
Microsoft-managed media storage, sanitization, and disposal procedures