ISO 27001 Management of Removable Media, Media Sanitization and Disposal

Objectives:
- The organization identifies information system media requiring sanitization and the appropriate sanitization techniques and procedures to be used in the process;
- The organization sanitizes identified information system media, both paper and digital, prior to disposal or release for reuse; and
- Information system media sanitization is consistent with NIST Special Publication 800-88.
Procedures:
- Examine information system media protection policy and procedures or other relevant documents; reviewing for the information system media requiring sanitization and for the sanitization techniques and procedures to be employed.
- Examine information system media protection policy and procedures, security plan or other relevant documents; reviewing for the measures to be employed to sanitize information system media types, both paper and digital, as identified in MP-6.1.1.1, prior to disposal or release for reuse.
- Examine an agreed-upon representative sample of media sanitization records, audit records or other relevant records for an agreed-upon representative sample of information system media identified in MP-6.1.1.1; reviewing for evidence that the measures identified in MP-6.1.2.1 are implemented as intended.
- Interview an agreed-upon, representative sample of organizational personnel with information system media sanitization responsibilities; conducting focused discussions for further evidence that the measures identified in MP-6.1.2.1 are implemented as intended.
- Examine information system media protection policy, information system media sanitization procedures, security plan or other relevant documents; studying for consistency with NIST Special Publication 800-88.
- Examine an agreed-upon representative sample of media sanitization records, audit records or other relevant documents; studying for further evidence that the information system media sanitization process is consistent with NIST Special Publication 800-88.
Objectives:
- Determine if the organization tracks, documents, and verifies media sanitization and disposal actions.
Procedures:
- Examine information system media protection policy and procedures, security plan, or other relevant documents; reviewing for the measures to be employed to track, document and verify media sanitization and disposal actions.
- Examine an agreed-upon representative sample of media sanitization and disposal records, audit records, or other relevant records; reviewing for evidence that the measures identified in MP-6(1).1.1.1 are implemented as intended.
- Interview an agreed-upon representative sample of organizational personnel with information system media sanitization and disposal responsibilities; conducting focused discussions for further evidence that the measures identified in MP-6(1).1.1.1 are implemented as intended.
Objectives:
- Determine if the organization periodically tests sanitization equipment and procedures to verify correct performance.
Procedures:
- Examine information system media protection policy and procedures, security plan or other relevant documents; reviewing for the organization-defined period for periodic testing of media sanitization equipment and for procedures to be employed to verify correct performance.
- Examine an agreed-upon representative sample of media sanitization equipment test records, media sanitization equipment maintenance records, information system audit records, or other relevant records; reviewing for evidence that media sanitization equipment is tested in accordance with the organization-defined period in MP-6(2).1.1.1 and that the procedures identified in MP-6(2).1.1.1 are implemented as intended.
- Interview an agreed-upon representative sample of organizational personnel with information system media sanitization responsibilities; conducting focused discussions for further evidence that media sanitization equipment is tested in accordance with the organization-defined period in MP-6(2).1.1.1 and that the procedures identified in MP-6(2).1.1.1 are implemented as intended.