ISO 27001
Information security during IT phase-out
When phasing out IT hardware, the biggest risk is not the equipment itself, but the data on it. That is why every step in the process is carried out within controlled procedures, supported by documentation, audit trails and certified processes.
- Data Destruction
- Verified
- Documentation
- Available
- Chain of Custody
- Complete
XITAD brings data destruction, transport, processing and reporting together within one verifiable process. In doing so, we work with partners that meet recognized security standards, including ISO 27001.
What ISO 27001 means
ISO 27001 is the international standard for information security.
The standard describes how organizations identify, control and document risks around information. For IT phase-out, this means that storage media, handovers and processing steps must be demonstrably managed and recorded.
As long as hardware contains data, it remains part of an organization's information security domain.
Control throughout the entire process
From intake to processing, every step is recorded.
Transport, data destruction, processing and reporting are part of one verifiable process. This keeps it visible which actions were carried out, when they took place and which documentation belongs to them.
Evidence per step
A verifiable process requires demonstrable evidence.
That is why certificates, reports and handover records are recorded centrally within the project file. This keeps it traceable which equipment was processed, which method was applied and which documentation is available.
This information supports internal controls, audits and compliance obligations.
Certified processes under oversight
XITAD acts as the orchestration layer within the process.
For services where certification is required, we work exclusively with parties that meet the agreed requirements. Certifications and process requirements are checked in advance and reviewed periodically.
This keeps the execution aligned with the security and compliance requirements of the project.
Protection of information
Project information, reports and documentation are managed centrally within the platform.
Access to, processing and storage of data take place within controlled processes. In addition, status changes, handovers and project activities are recorded, so that a verifiable audit trail is created.
Data destruction before further processing
Data destruction is independent of the final destination of the hardware.
Storage media are first processed according to the agreed method. Only after the required documentation is available is equipment released for further processing, reuse or sale.
This keeps the burden of proof independent of the final transaction.
Documentation for audits and compliance
After completion, the relevant documentation remains available within the project file.
Depending on the project, this can consist of:
Data destruction certificates
Audit trails
Chain of custody documentation
Processing reports
Project documentation
This keeps it demonstrable how equipment was processed and which measures were applied.
- Data Destruction Certificates
- Chain of Custody Records
- Processing Reports
- Compliance Documentation
- Project Archive
Frequently asked questions about ISO 27001 and IT phase-out
What does ISO 27001 mean for IT phase-out?
ISO 27001 is the international standard for information security. For IT phase-out, this means that storage media, handovers and processing steps are demonstrably managed and recorded, as long as hardware contains data.
What documentation do I receive?
Depending on the project, you receive data destruction certificates, audit trails, chain of custody documentation, processing reports and project documentation, available centrally within the project file.
Does XITAD work with ISO 27001-certified partners?
Yes. XITAD acts as the orchestration layer and, for services where certification is required, works exclusively with parties that meet the agreed requirements, including ISO 27001. Certifications are checked in advance and reviewed periodically.
How does this support my own ISMS?
The recorded data, certificates and audit trails can be incorporated within your own ISMS as substantiation that retired IT was processed within controlled and demonstrable processes.
How is the handling of data recorded?
Access to, processing and storage of data take place within controlled processes. Status changes, handovers and project activities are recorded, so that a verifiable audit trail is created.
When is data destruction carried out?
Data destruction is decoupled from the sale. Storage media are first processed according to the agreed method and only released after the required documentation is available.
Information security does not end with the last user
Combine data destruction, documentation and control within one demonstrable ITAD process.