Disposal and Decommissioning
Disposal and decommissioning removes IT assets from operational use through controlled processes that protect data, comply with environmental regulations, and maintain accurate records. Every asset that enters the organisation must eventually leave it, and the manner of departure determines whether sensitive data remains protected, whether the organisation meets its environmental obligations, and whether financial records accurately reflect asset status.
- Disposal: The final removal of an asset from the organisation’s possession through destruction, recycling, donation, or sale.
- Decommissioning: The process of removing an asset from active service, including data removal and configuration clearing, prior to disposal or redeployment.
- Data sanitisation: The process of deliberately, permanently, and irreversibly removing or destroying data stored on a device.
- Certificate of destruction: Documented evidence from a qualified provider confirming that data sanitisation or physical destruction has been completed to specified standards.
Prerequisites
Before initiating disposal or decommissioning, verify that you have the following in place.
Policy and authority requirements:
- Written disposal policy or approval from IT management for the disposal method
- Data classification for all data stored on the asset (consult the data owner if uncertain)
- Budget code for disposal costs if using third-party services
- Authority to update the asset register and CMDB
Information requirements:
- Asset tag number and serial number
- Current location and custodian
- Purchase date, original cost, and current book value
- Associated software licences that may be recoverable
- Any donor or grant restrictions on the asset
- Backup confirmation for any data requiring retention
Technical requirements:
- Access credentials for the device (local administrator, BIOS/UEFI password, encryption recovery keys)
- Data sanitisation tools appropriate to the storage media type
- Secure storage location for assets awaiting disposal
- Transport arrangements for assets moving to disposal vendors
Documentation templates:
- Disposal authorisation form
- Data sanitisation record
- Certificate of destruction request
- Asset register update form
Donor-funded assets
Assets purchased with restricted grant funding may have specific disposal requirements. USAID-funded equipment over $5,000 requires prior approval before disposal. Check grant agreements and consult your grants team before proceeding.
Procedure
Assess disposal eligibility
Confirm the asset meets disposal criteria by verifying at least one of the following conditions: the asset has reached end of life as defined in your refresh policy (typically 4 years for laptops, 5 years for servers, 7 years for network equipment), the asset has failed and repair cost exceeds 50% of replacement cost, the asset no longer meets operational requirements and cannot be redeployed, or the asset presents a security risk that cannot be mitigated.
Check for active dependencies by querying the CMDB for any services, applications, or other assets that depend on the asset being disposed. If dependencies exist, coordinate with service owners to migrate or decommission dependent items first. Do not proceed until all dependencies are resolved or formally accepted by stakeholders.
Verify data retention requirements have been met. For assets containing data subject to retention policies, confirm that required data has been backed up or migrated to replacement systems. Obtain written confirmation from the data owner that retention obligations are satisfied.
Obtain disposal authorisation. Complete the disposal authorisation form with asset details, disposal reason, proposed disposal method, and estimated costs. Route for approval according to your authority matrix. Assets with original cost over £5,000 typically require senior management approval. Assets under £1,000 may be approved by IT operations.
The following decision flow guides disposal method selection:
```
                     +------------------+
                     |   Asset ready    |
                     |   for disposal?  |
                     +--------+---------+
                              |
                     +--------v---------+
                     |   Data           |
                     | classification?  |
                     +--------+---------+
                              |
         +--------------------+--------------------+
         |                    |                    |
         v                    v                    v
+--------+--------+  +--------+--------+  +--------+--------+
| PUBLIC or       |  | INTERNAL        |  | CONFIDENTIAL    |
| unclassified    |  |                 |  | or above        |
+--------+--------+  +--------+--------+  +--------+--------+
         |                    |                    |
         v                    v                    v
+--------+--------+  +--------+--------+  +--------+--------+
| Standard wipe   |  | Secure erase    |  | Physical        |
| acceptable      |  | required        |  | destruction     |
|                 |  |                 |  | required        |
+--------+--------+  +--------+--------+  +--------+--------+
         |                    |                    |
         v                    v                    v
+--------+--------+  +--------+--------+  +--------+--------+
| Donation,       |  | Donation with   |  | Certified       |
| resale, or      |  | certificate,    |  | destruction     |
| recycling       |  | or recycling    |  | only            |
+--------+--------+  +--------+--------+  +--------+--------+
```
Figure 1: Disposal method selection based on data classification
Perform data sanitisation
Data sanitisation methods vary by storage media type and data classification. Select the appropriate method and execute it before the asset leaves your physical control.
Identify the storage media type. Hard disk drives (HDDs), solid state drives (SSDs), and hybrid drives each require different sanitisation approaches. Check the device specifications or physically inspect the drive to confirm type. Magnetic tape, optical media, and removable storage require separate handling.
Select the sanitisation method appropriate to the media type and data classification:
For HDDs containing INTERNAL data, use secure erase (ATA Secure Erase command) or overwrite with a minimum of one pass using a recognised tool. NIST SP 800-88 recommends a single overwrite pass for most HDD scenarios. The historical recommendation of multiple passes derives from older drive technologies and is no longer necessary for modern drives.
For SSDs containing INTERNAL data, use the manufacturer’s secure erase utility or the ATA Secure Erase command. Standard overwrite tools are ineffective on SSDs due to wear levelling and over-provisioning. If secure erase is unavailable, physical destruction is required.
For any media containing CONFIDENTIAL or higher classification data, physical destruction is mandatory. Degaussing is effective for HDDs but ineffective for SSDs. Shredding to particles no larger than 2mm satisfies most security requirements.
Execute the sanitisation using appropriate tools:
```
# For HDDs using hdparm (Linux)
# First, check if secure erase is supported.
# The supported/enabled/locked/frozen flags are printed on the lines
# below the "Security:" header, so show the lines that follow it.
sudo hdparm -I /dev/sdX | grep -i -A 10 '^security'

# If supported, set a temporary password
sudo hdparm --user-master u --security-set-pass temp123 /dev/sdX

# Execute secure erase (takes 30-120 minutes depending on drive size)
sudo hdparm --user-master u --security-erase temp123 /dev/sdX

# Verify completion
sudo hdparm -I /dev/sdX | grep -i -A 10 '^security'
# Should show "not enabled" and "not locked"
```
For Windows environments, use manufacturer utilities (Samsung Magician, Intel SSD Toolbox, Crucial Storage Executive) or DBAN (Darik’s Boot and Nuke) for HDDs.
Document the sanitisation by recording the asset serial number, drive serial number, sanitisation method used, tool name and version, date and time of completion, and the name of the person who performed the sanitisation. This record forms part of the audit trail.
Verify sanitisation success. For overwrite methods, attempt to mount the drive and confirm no readable data remains. For secure erase, check the drive’s security status shows the operation completed. For physical destruction, visual inspection confirms destruction.
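The following Python sketch is an added example, not part of the original procedure: it parses the Security section of `hdparm -I` output to decide whether the erase can be issued, and confirms completion by comparing the state captured after setting the password with the state after the erase. The function names and the sample output are constructed for illustration; on a real host, pass in the captured output of `sudo hdparm -I /dev/sdX`.

```python
FLAGS = ("supported", "enabled", "locked", "frozen")


def sample_security_section(enabled=False, locked=False, frozen=False):
    """Constructed `hdparm -I` excerpt (not captured from a real drive)."""
    def flag(on, name):
        return "\t%s\t%s" % ("" if on else "not", name)
    return "\n".join([
        "Commands/features:",
        "\t   *\tSecurity Mode feature set",
        "Security: ",
        "\tMaster password revision code = 65534",
        flag(True, "supported"), flag(enabled, "enabled"),
        flag(locked, "locked"), flag(frozen, "frozen"),
        "\tnot\texpired: security count",
        "\t\tsupported: enhanced erase",
        "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.",
        "Checksum: correct",
    ])


def parse_security(hdparm_output):
    """Return {flag: bool} from the Security section; {} if the section is absent."""
    state, in_section = {}, False
    for line in hdparm_output.splitlines():
        if not line[:1].isspace():               # unindented line starts a new section
            in_section = line.strip() == "Security:"
            continue
        words = line.split()
        # Accept only "<flag>" or "not <flag>", so "supported: enhanced erase"
        # and "not expired: security count" are not mistaken for status flags.
        if in_section and words and words[-1] in FLAGS and words[:-1] in ([], ["not"]):
            state[words[-1]] = len(words) == 1
    return state


def next_step(state):
    """Decide what to do before issuing --security-erase."""
    if not state.get("supported"):
        return "fallback"   # overwrite tool for HDDs, physical destruction for SSDs
    if state.get("locked"):
        return "locked"     # needs the existing password, otherwise physical destruction
    if state.get("frozen"):
        return "unfreeze"   # suspend/resume or hot-plug the drive, then retry
    return "proceed"


def erase_confirmed(after_set_pass, after_erase):
    """True only if security went from enabled to not enabled and the drive is unlocked.

    A drive that never had a password set also reports "not enabled" and
    "not locked", so the final state alone does not show that the erase ran.
    """
    return (after_set_pass.get("enabled") is True
            and after_erase.get("enabled") is False
            and after_erase.get("locked") is False)


if __name__ == "__main__":
    before = parse_security(sample_security_section(frozen=True))
    print("before erase:", before, "->", next_step(before))
    armed = parse_security(sample_security_section(enabled=True))
    done = parse_security(sample_security_section())
    print("erase confirmed:", erase_confirmed(armed, done))
```

Store the three captured outputs (before, after setting the password, after the erase) with the sanitisation record so the tool report can be re-checked at audit.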
The relationship between data classification and required sanitisation method:
```
+-------------------------------------------------------------------+
|                  DATA SANITISATION REQUIREMENTS                   |
+-------------------------------------------------------------------+
|                                                                   |
| Classification  HDD Method         SSD Method       Verification  |
| ----------------------------------------------------------------- |
| PUBLIC          Clear (1 pass)     Clear            Visual        |
|                                                                   |
| INTERNAL        Purge (secure      Purge (vendor    Tool report   |
|                 erase or 1 pass)   secure erase)                  |
|                                                                   |
| CONFIDENTIAL    Destroy            Destroy          Certificate   |
|                 (degauss+shred)    (shred only)                   |
|                                                                   |
| RESTRICTED      Destroy            Destroy          Certificate   |
|                 (witnessed)        (witnessed)      + witness     |
|                                                                   |
+-------------------------------------------------------------------+
| Clear   = Logical overwrite, protects against simple recovery     |
| Purge   = Renders data unrecoverable with laboratory techniques   |
| Destroy = Physical destruction rendering media unusable           |
+-------------------------------------------------------------------+
```
Figure 2: Sanitisation requirements by classification level (aligned with NIST SP 800-88)
Encryption is not sanitisation
Encrypted drives still require sanitisation. Encryption protects data while the drive is in use, but cryptographic key recovery, implementation weaknesses, or future advances in cryptanalysis may expose data. Treat encrypted drives with the same sanitisation requirements as unencrypted drives of the same classification.
Arrange disposal or destruction
Select a disposal method based on the sanitisation outcome and asset condition:
Certified destruction is required for assets that contained CONFIDENTIAL or higher data, or where sanitisation could not be verified. Use an approved vendor who provides certificates of destruction specifying the asset serial numbers, destruction method, destruction date, and destruction location. Verify the vendor holds appropriate certifications (e.g., ADISA for UK, R2 or e-Stewards for international operations).
Recycling is appropriate for sanitised assets with no residual value. Use certified e-waste recyclers who comply with WEEE regulations (in the EU/UK) or equivalent local requirements. Obtain documentation of compliant recycling.
Donation may be suitable for sanitised assets that remain functional. Establish a donation policy specifying eligible recipients, minimum specifications for donated equipment, and liability considerations. Obtain written acknowledgment from recipients.
Resale is permitted for sanitised assets with market value. Remove all organisational identification (asset tags, stickers). Ensure any software licences transferred comply with licence terms. Document the sale and retain records.
Prepare assets for transport. Remove any asset tags or organisational identification that should not leave the premises. Package assets securely to prevent damage during transport. For assets requiring witnessed destruction, arrange escort or secure courier.
Transfer custody with documentation. Complete a custody transfer form recording asset identifiers, transfer date, receiving party name, and receiving party signature. Retain a copy and provide one to the receiving party.
Obtain and verify certificates of destruction. For physical destruction, the certificate must include:
- Organisation name and address
- Asset description including make, model, and serial number
- Destruction method (shredding, degaussing, incineration)
- Date of destruction
- Name and signature of witnessing representative
- Vendor certification number and validity dates
Verify certificate details match the assets transferred. Store certificates with asset records for the retention period specified in your records policy (typically 7 years).
```
CERTIFICATE OF DESTRUCTION WORKFLOW

   +----------------+
   | Prepare asset  |
   | manifest       |
   +-------+--------+
           |
           v
   +-------+--------+     +----------------+
   | Transfer to    +---->| Vendor receives|
   | disposal vendor|     | and logs assets|
   +----------------+     +-------+--------+
                                  |
                                  v
                          +-------+--------+
                          | Destruction    |
                          | performed      |
                          +-------+--------+
                                  |
           +----------------------+----------------------+
           |                                             |
           v                                             v
   +-------+--------+                           +--------+-------+
   | Standard       |                           | Witnessed      |
   | (INTERNAL data)|                           | (CONFIDENTIAL+)|
   +-------+--------+                           +--------+-------+
           |                                             |
           v                                             v
   +-------+--------+                           +--------+-------+
   | Certificate    |                           | Certificate    |
   | issued within  |                           | issued same    |
   | 5 working days |                           | day, witness   |
   +-------+--------+                           | signature      |
           |                                    +--------+-------+
           |                                             |
           +----------------------+----------------------+
                                  |
                                  v
                          +-------+--------+
                          | Verify and     |
                          | file           |
                          +----------------+
```
Figure 3: Certificate of destruction workflow showing standard and witnessed paths
Handle software and licence decommissioning
Identify recoverable software licences associated with the asset. Query your software asset management records for licences assigned to the device or user. Common recoverable licence types include:
- Named user licences (e.g., Microsoft 365, Adobe Creative Cloud)
- Device-based licences (e.g., Windows OEM, endpoint security)
- Concurrent use licences that may be reassigned
- Perpetual licences with transfer rights
Unassign or release licences in vendor portals before disposal:
```
# Microsoft 365 Admin Centre
Navigate to: Users > Active users > [User] > Licenses and apps
Uncheck assigned licenses > Save changes

# Adobe Admin Console
Navigate to: Users > [User] > ... > Remove from products
Select products to remove > Remove

# For device-based licences, consult vendor documentation
# OEM Windows licences are non-transferable and expire with hardware
```
Document licence recovery. Record the licence type, licence key or agreement number, original assignment, recovery date, and new status (available for reassignment, returned to pool, expired). Update your software asset management system.
Remove the device from management systems. Deregister from MDM/EMM platforms, remove from Active Directory or identity provider, delete from monitoring systems, and remove from backup schedules. This prevents alerts, licence consumption, and management overhead for non-existent assets.
Update asset records
Update the asset register with disposal information:
- Change asset status to “Disposed”
- Record disposal date
- Record disposal method (destruction, recycling, donation, sale)
- Record disposal vendor or recipient
- Attach or reference certificate of destruction
- Record any proceeds from sale
- Record final book value and write-off amount if applicable
Update the CMDB to reflect the asset’s removal:
- Mark the CI as “Retired”
- Record retirement date
- Remove relationships to active CIs
- Retain historical record for audit purposes
Update financial records. Notify finance of the disposal for fixed asset register updates. Provide purchase date, original cost, accumulated depreciation, disposal proceeds (if any), and disposal date. Finance will calculate and record any gain or loss on disposal.
Archive disposal documentation. Retain the following in a retrievable format for your records retention period:
- Disposal authorisation form
- Data sanitisation record
- Certificate of destruction
- Custody transfer documentation
- Asset register extract showing final state
Handle field and remote location disposals
Disposing of assets in field offices, remote locations, or countries with limited e-waste infrastructure requires adapted procedures.
Assess local disposal options. Certified e-waste recyclers may not exist in all operating locations. Research available options:
- International e-waste recyclers with collection services
- Regional hub offices with disposal arrangements
- Manufacturer take-back programmes
- Embassy or UN compound disposal arrangements in some contexts
Where certified destruction is unavailable locally, consolidate assets at regional hubs. Package assets securely, maintain chain of custody documentation, and ship to a location with certified disposal services. Budget for international shipping costs.
For assets that cannot be shipped (due to cost, customs restrictions, or urgency), perform on-site physical destruction as a last resort. Document the destruction with photographs, witness statements, and detailed records. This approach is acceptable only when:
- Data has been sanitised using available methods
- Certified disposal is genuinely unavailable
- Management has approved the exception
- Full documentation is maintained
Consider local donation where appropriate. Functional equipment may benefit local organisations, schools, or community groups. Ensure complete data sanitisation, document the donation with a signed acknowledgment, and verify any donor restrictions on the original equipment permit donation.
Customs considerations
Shipping e-waste across borders may require export permits or compliance with Basel Convention requirements on transboundary movement of hazardous waste. Consult your logistics team and verify requirements before arranging international shipment of equipment for disposal.
Verification
After completing disposal, verify the process succeeded through the following checks.
Documentation completeness:
- Disposal authorisation form is signed and filed
- Data sanitisation record exists with tool output or witness confirmation
- Certificate of destruction received and verified against asset manifest
- Custody transfer documentation signed by both parties
- Asset register shows “Disposed” status with complete metadata
- CMDB shows “Retired” status with retirement date
- Financial notification sent to finance team
Record accuracy:
```
# Query asset register for disposal record
# Expected: Status = Disposed, Disposal Date = [date], Method = [method]

# Query CMDB for CI status
# Expected: Status = Retired, Retirement Date = [date]

# Query software asset management for licence release
# Expected: Licences previously assigned to asset/user show Available status
```
Audit trail integrity:
- All documents reference consistent asset identifiers (asset tag, serial number)
- Dates are consistent across documents (sanitisation before transfer, destruction after transfer)
- Approvals obtained before actions taken
- Certificates received within expected timeframe (5 working days for standard, same day for witnessed)
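The audit-trail checks above, together with the earlier step of verifying certificate details against the assets transferred, can be automated once the documents are captured as structured records. The Python sketch below is an added example, not part of the original procedure; the record layout, field names and serial numbers are constructed for illustration. It assumes working days are Monday to Friday with public holidays ignored, that the 5-working-day limit is counted from the destruction date, and that steps on the same calendar day are acceptable because the records carry dates rather than times.

```python
from datetime import date, timedelta


def working_days_between(start, end):
    """Mon-Fri days after `start`, up to and including `end` (public holidays ignored)."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count


def normalise(serial):
    """Labels, manifests and certificates often differ in case and spacing."""
    return serial.strip().upper()


def audit_findings(record):
    """Return a list of audit-trail problems; an empty list means the trail is consistent."""
    findings = []
    cert = record["certificate"]

    # 1. The certificate must cover exactly the assets on the custody manifest.
    manifest = {normalise(s) for s in record["manifest_serials"]}
    certified = {normalise(s) for s in cert["serials"]}
    findings += [f"{s}: on manifest, missing from certificate" for s in sorted(manifest - certified)]
    findings += [f"{s}: on certificate, not on manifest" for s in sorted(certified - manifest)]

    # 2. Approval, sanitisation, transfer, destruction, certificate: in that order.
    steps = [("approved", record["approved"]), ("sanitised", record["sanitised"]),
             ("transferred", record["transferred"]), ("destroyed", cert["destroyed"]),
             ("certificate issued", cert["issued"])]
    for (earlier, d1), (later, d2) in zip(steps, steps[1:]):
        if d2 < d1:
            findings.append(f"{later} ({d2}) is earlier than {earlier} ({d1})")

    # 3. Turnaround: same day for witnessed destruction, otherwise 5 working days.
    if cert["witnessed"]:
        if cert["issued"] != cert["destroyed"]:
            findings.append("witnessed destruction: certificate not issued the same day")
    else:
        waited = working_days_between(cert["destroyed"], cert["issued"])
        if waited > 5:
            findings.append(f"certificate issued {waited} working days after destruction (limit 5)")
    return findings


# Constructed records; the serial numbers are placeholders, not real assets.
CLEAN = {
    "approved": date(2024, 3, 4), "sanitised": date(2024, 3, 5), "transferred": date(2024, 3, 6),
    "manifest_serials": ["SN-EXAMPLE-001", "SN-EXAMPLE-002"],
    "certificate": {"serials": ["sn-example-001", "SN-EXAMPLE-002 "], "witnessed": False,
                    "destroyed": date(2024, 3, 8), "issued": date(2024, 3, 15)},
}
FLAWED = {
    "approved": date(2024, 3, 6), "sanitised": date(2024, 3, 5), "transferred": date(2024, 3, 7),
    "manifest_serials": ["SN-EXAMPLE-001", "SN-EXAMPLE-002"],
    "certificate": {"serials": ["SN-EXAMPLE-001"], "witnessed": False,
                    "destroyed": date(2024, 3, 8), "issued": date(2024, 3, 18)},
}

if __name__ == "__main__":
    for name, rec in (("CLEAN", CLEAN), ("FLAWED", FLAWED)):
        print(name, audit_findings(rec) or "consistent")
```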
Run a quarterly reconciliation to identify disposed assets still appearing in active inventory or management systems:
```
# Compare asset register "Disposed" records against CMDB active CIs
# Any matches indicate incomplete decommissioning

# Compare disposed assets against MDM enrolled devices
# Any matches indicate devices not properly removed from management

# Compare disposed assets against active directory computer objects
# Stale objects should be disabled or removed
```
Troubleshooting
Secure erase command fails or is not supported
Some drives, particularly older models or drives with firmware issues, do not support the ATA Secure Erase command. Check the drive’s security status with hdparm -I /dev/sdX | grep -i -A 10 '^security' (the status flags are printed on the lines below the “Security:” header). If security features show “not supported”, use NIST-compliant overwrite software (DBAN, nwipe) for HDDs, or physical destruction for SSDs. Document the alternative method used.
Drive is locked or frozen
Drives in a “frozen” state reject security commands. This is a BIOS/UEFI security feature. To unfreeze, suspend the system to RAM and resume (systemctl suspend on Linux), then immediately retry the command. Alternatively, hot-plug the drive after system boot (if hardware supports it). For locked drives, you need the existing password or must use physical destruction.
Certificate of destruction delayed beyond 5 working days
Contact the disposal vendor to confirm receipt of assets and request status. If assets were received but certificate is delayed, request interim confirmation via email while awaiting formal certificate. If assets were not received, investigate transport and initiate lost asset procedures. Document all communications.
Disposal vendor cannot accept certain items
Some items require specialist disposal: batteries (lithium-ion fire risk), CRT monitors (lead content), mercury-containing devices (backlights in older displays). These require hazardous waste disposal routes. Contact your facilities management team or local authority for approved hazardous waste contractors.
Asset tag not found in asset register
Unregistered assets still require proper disposal. Create a retrospective asset record with available information (serial number, model, location found, estimated age). Note the registration gap in the disposal record. Investigate how the asset bypassed normal registration to prevent recurrence.
Data owner unavailable to confirm retention requirements
Escalate to the data owner’s manager or the information governance lead. Document attempts to contact the data owner. If confirmation cannot be obtained within a reasonable timeframe (5 working days), treat the data as the highest classification likely present based on the asset’s usage history and apply corresponding sanitisation requirements.
Assets in remote location with no secure storage
Assets awaiting disposal are vulnerable to theft or tampering. If secure storage is unavailable, expedite disposal by prioritising data sanitisation immediately upon decommissioning (do not wait for disposal arrangements), storing sanitised assets in the most secure available location, and arranging disposal transport as quickly as possible. Document the risk acceptance if standard secure storage is not achievable.
Donor requirements conflict with standard procedures
Some donors require return of equipment or have specific disposal requirements that differ from organisational policy. Review the grant agreement to identify donor requirements, contact the grants team for clarification, follow donor requirements where they impose additional restrictions, and document any variance from standard procedure with the authorisation source.
Book value does not match finance records
Reconcile with finance before proceeding. Discrepancies often arise from missed depreciation runs, incorrect capitalisation dates, or duplicate records. Resolve the discrepancy with finance and document the agreed final book value before completing disposal records.
Software licence shows as still assigned after decommissioning
Licence portal updates may be delayed or require manual refresh. Re-check after 24 hours. If still assigned, manually remove the assignment and document the issue. For volume licences, contact your Microsoft or vendor representative if portal access is insufficient.