
Most businesses know how to protect active data, but many overlook the risk that hides in retired devices.
One missing hard drive can trigger audits, breach fines and lasting reputational damage. That’s why a secure chain of custody is just as important as data destruction itself.
When businesses plan IT asset disposal (ITAD), most focus on the end of the process: shredding old hard drives and SSDs so data can’t be recovered.
But what often gets missed is everything that happens before destruction.
If data-bearing devices are lost, stolen or tampered with between collection and shredding, your organisation could still face a data breach, even if the drives are eventually destroyed. That’s where the chain of custody becomes critical.
Why These Standards Matter
Just deleting files or formatting a drive isn’t enough. If a device leaves your site with recoverable data on it and goes missing in transit or storage, it could be treated as a data breach.
That means regulatory investigations, possible fines, insurance claims being rejected — and the risk of serious reputational damage.
Standards exist to stop that happening. They give everyone a common language and a clear benchmark for what “secure” really means, with:
- Defined methods for wiping or destroying data
- Clear guidance on shred sizes and security levels
- Documentation requirements so you can prove what happened
- Independent audits and certifications for added assurance
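As an added illustration of the documentation point above (not code from Secure ITAD or from any of the standards named on this page), the following hash-chained custody ledger records every handover of a serial-numbered device from collection to shredding: an altered or dropped record fails verification, and any device that was collected but never recorded as shredded is flagged. Stage names, serials, custodians and timestamps are constructed sample values.

```python
import hashlib
import json

# Constructed chain-of-custody ledger (illustration only, not Secure ITAD's system).
# Each handover is one entry; entries are hash-chained so edits or deletions show up at audit.
STAGES = ("collected", "in_transit", "received", "shredded")


def _digest(body: dict, prev_hash: str) -> str:
    payload = json.dumps(body, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()


class CustodyLedger:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, serial: str, stage: str, custodian: str, when: str) -> None:
        body = {"serial": serial, "stage": stage, "custodian": custodian, "when": when}
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({**body, "hash": _digest(body, prev)})

    def verify_chain(self) -> bool:
        """True only if no entry has been altered or dropped since it was written."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if _digest(body, prev) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def unresolved(self) -> dict[str, list[str]]:
        """Serials whose recorded stages skip a step or never reach 'shredded'."""
        seen: dict[str, list[str]] = {}
        for entry in self.entries:
            seen.setdefault(entry["serial"], []).append(entry["stage"])
        return {s: st for s, st in seen.items()
                if st != list(STAGES[:len(st)]) or st[-1] != "shredded"}


def build_sample_ledger() -> CustodyLedger:
    """Constructed sample: two drives collected, only one reaches the shredder."""
    ledger = CustodyLedger()
    ledger.record("HDD-0001", "collected", "driver-A", "2024-01-10T09:00")
    ledger.record("HDD-0002", "collected", "driver-A", "2024-01-10T09:00")
    ledger.record("HDD-0001", "in_transit", "driver-A", "2024-01-10T09:30")
    ledger.record("HDD-0002", "in_transit", "driver-A", "2024-01-10T09:30")
    ledger.record("HDD-0001", "received", "facility-ops", "2024-01-10T11:00")
    ledger.record("HDD-0001", "shredded", "shredder-op", "2024-01-10T11:20")
    return ledger
```

Run `build_sample_ledger().unresolved()` to see the drive that went missing between transit and the shredder; a valid ledger with no unresolved serials is the evidence an auditor is asking for.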
NIST 800-88
NIST 800-88 is the standard we see referenced most often in contracts and audits. It was developed by the U.S. National Institute of Standards and Technology, and it’s now widely accepted across the world.
It sets out three main ways to deal with old data:
- Clear – overwrite data so it can’t be read through standard tools
- Purge – use secure erase commands or degaussing
- Destroy – physically destroy the device so data can never be recovered
It applies to almost any kind of storage: hard drives, SSDs, tapes, even optical discs.
And crucially, NIST recognises that SSDs are different: because data is scattered across many flash chips, the only reliable way to destroy them is physical shredding.
ISO 27001 — Proving You Have the Right Processes
ISO 27001 is less about how you destroy data, and more about showing that you have secure processes in place.
It’s an international framework for managing information security.
To achieve it, organisations must have policies covering:
- How data-bearing assets are tracked, handled and disposed of
- Who is responsible at each stage
- What evidence is kept to prove it was done securely
ISO 27001 doesn’t mention shred sizes or wiping tools, but it does expect you to demonstrate that devices are disposed of securely and that you can prove it during an audit.
We design our ITAD process to align with ISO 27001 controls — because even if you’re not certified yourself, your clients or auditors may expect you to follow the same principles.
ISO/IEC 27001:2022 – Information Security Management Systems
ADISA — Independent UK Certification for ITAD Providers
While NIST and ISO are global standards, ADISA is a UK-based certification scheme created specifically for IT asset disposal companies like us.
ADISA audits the way we handle data-bearing devices end to end — from collection and secure transport, to shredding and recycling. It checks things like:
- Staff vetting
- Transport security
- Chain of custody controls
- How effective our data sanitisation methods are
For organisations in government, defence and other regulated sectors, ADISA certification is often a requirement.
It’s a simple way to know your ITAD provider has been independently assessed and meets strict security standards.
DIN 66399
DIN 66399 is a German/EU standard that defines how small data fragments must be after physical destruction.
It’s what we use to set our shred size levels.
There are seven security levels (H-1 to H-7) for hard drives and SSDs.
- H-5 (≤10mm) and H-6 (≤5mm) are the norm for most corporate data
- H-7 (≤2mm) is used for top-secret government data
This standard matters because it gives you something measurable to prove the data can’t be reconstructed, not just a promise that “it’s destroyed.”
PCI DSS, GDPR and Other Rules to Know About
You’ll often see other regulations mentioned alongside the main destruction standards:
- PCI DSS — covers payment card data, and requires secure destruction of cardholder data when it’s no longer needed
- GDPR / UK GDPR — requires you to make personal data “irretrievable” and be able to prove it
- NHS DSPT, FCA and MoD contracts — often mandate physical destruction and a full chain of custody for data-bearing devices
These rules don’t tell you exactly how to destroy data, but they do make you legally responsible for proving it’s gone forever.
Bringing the Standards Together
With so many acronyms and frameworks, it’s easy to feel unsure which data destruction standards your business should follow.
The reality is, you don’t need to choose between them — you just need a provider who already meets them all.
At Secure ITAD, we’ve built our entire process to align with:
- NIST 800-88 — internationally recognised data destruction methods
- ISO 27001 — documented, auditable security processes
- ADISA certification — independent UK auditing of our end-to-end ITAD service
- DIN 66399 — certified shred sizes for HDDs and SSDs
This means you get full compliance, audit-ready evidence, and peace of mind — without having to decode the standards yourself.
There’s a lot of jargon around data destruction, but at its core, it comes down to one simple thing: you need to be able to prove your data is gone, and that it can never come back.
Working to recognised standards takes away the guesswork. It protects your organisation from data breaches, satisfies auditors and regulators, and gives you confidence that old devices won’t become a future liability.
At Secure ITAD, we build those standards into everything we do — so you can get on with your work, knowing your data is handled safely from collection to destruction.