
ISO 27001 and ISO 27040: International Standards for Data Destruction

ISO/IEC 27001:2022 is the international standard for information security management systems; its Annex A control 7.14 covers secure disposal or re-use of equipment. ISO/IEC 27040:2024 provides detailed technical requirements for storage security, including data destruction. Both are voluntary international standards, not US laws, but are increasingly required by multinational clients, procurement contracts, and organizations seeking ISO 27001 certification. Data Destruction Inc. provides NIST SP 800-88 r2 Destroy-level destruction consistent with ISO 27001 and ISO 27040 requirements.

  • Publisher: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
  • Current: ISO 27001:2022 (October 2022); ISO 27040:2024 (January 2024)
  • Jurisdiction: International
  • Applies to: Organizations seeking international information security certification; organizations with European, UK, or global clients requiring ISO compliance; any organization choosing to align with ISO standards voluntarily

What Are ISO 27001 and ISO 27040?

ISO 27001 and ISO 27040 are international standards published by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC). ISO 27001 defines the requirements for an information security management system (ISMS). ISO 27040 provides detailed technical guidance on storage security, including requirements for secure disposal of storage media at end of life.

ISO 27001:

  • Full name: ISO/IEC 27001:2022 — Information Security, Cybersecurity and Privacy Protection: Information Security Management Systems Requirements
  • Current version: ISO 27001:2022 (published October 2022, supersedes ISO 27001:2013)
  • What it covers: The framework for establishing, implementing, maintaining, and continually improving an ISMS within an organization
  • Legal force: Voluntary internationally; contractually required in many B2B and government procurement relationships

ISO 27040:

  • Full name: ISO/IEC 27040:2024 — Information Technology: Security Techniques: Storage Security
  • Current version: ISO 27040:2024 (published January 2024, supersedes ISO 27040:2015)
  • What it covers: Technical requirements and guidance for protecting data stored in ICT systems and networks, including storage media disposal and destruction
  • Legal force: Voluntary; referenced by ISO 27001 Annex A as a supporting standard

Relationship between the two standards: ISO 27001 is the certification standard (organizations get certified against it). ISO 27040 is a technical implementation guide that fills in the specifics of how to handle storage security, including media destruction. ISO 27001 Annex A.7.14 requires secure disposal; ISO 27040:2024 specifies how to achieve it.

Important note on DDI and ISO: Data Destruction Inc. does not hold ISO 27001 certification. ISO 27001 certifies the information security management system of an organization, not the destruction methods of a vendor. Data Destruction Inc. provides destruction services consistent with ISO 27001 Annex A.7.14 and ISO 27040:2024 requirements. Organizations pursuing ISO 27001 certification use DDI’s services and documentation to satisfy the media disposal controls.


What ISO 27001:2022 Requires for Media Disposal

ISO 27001:2022 requirements for media disposal appear in Annex A, the list of information security controls. Annex A.7.14 is the operative control.

Control A.7.14: Secure Disposal or Reuse of Equipment

Standard: ISO/IEC 27001:2022, Annex A
Control identifier: A.7.14
Control name: Secure disposal or reuse of equipment
What it requires: All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or reuse.
Plain English: Any device that stored sensitive information must have that information sanitized (securely overwritten, cryptographically erased, or otherwise rendered unrecoverable) before the device is re-used, and must be sanitized or physically destroyed before disposal. Returning a server to a vendor or selling a retired laptop without sanitizing the drives violates A.7.14.

ISO 27002:2022 guidance for A.7.14: ISO 27002 provides implementation guidance for ISO 27001 controls. For A.7.14, ISO 27002:2022 recommends verifying whether storage media contains sensitive information before disposal; using appropriate sanitization techniques including physical destruction, degaussing (for magnetic media), cryptographic erasure (for encrypted media with key destruction), or secure overwriting; documenting the disposal process; and retaining records. The supporting standard for technical implementation is ISO 27040:2024.

Control A.8.10: Information Deletion

Standard: ISO/IEC 27001:2022, Annex A
Control identifier: A.8.10 (new in the 2022 version)
What it requires: Information stored in information systems, devices, or in any other storage media should be deleted when no longer required.
Relevance to media disposal: A.8.10 covers the data lifecycle, including the obligation to delete or destroy information when its retention period ends. This control works in conjunction with A.7.14 (equipment disposal) to address both the data and the media.


What ISO 27040:2024 Requires for Storage Media Disposal

ISO 27040:2024 (Edition 2, January 2024) provides the technical requirements that implement ISO 27001 Annex A.7.14. It directly addresses media sanitization with specifics by media type.

Sanitization of Storage Devices

ISO 27040:2024 defines three sanitization methods aligned with NIST SP 800-88 r2 categories.

Logical sanitization (equivalent to NIST Clear/Purge): Overwriting all data sectors with patterns or using cryptographic erasure (CE) where the encryption key is destroyed. Suitable for media intended for reuse at the same or lower classification level.

Cryptographic sanitization (CE — equivalent to NIST Purge): Destroying the encryption keys of encrypted media. ISO 27040:2024 references ISO/IEC 19790 validation requirements for cryptographic implementations, consistent with NIST SP 800-88 r2 Section 3.2.

Physical destruction (equivalent to NIST Destroy): Shredding, crushing, disintegration, or incineration that renders the media physically unable to be read. Recommended for highest-sensitivity data or media leaving organizational control permanently.

SSD and flash storage: ISO 27040:2024 provides updated guidance for NVMe SSDs, eMMC, and UFS flash storage, recognizing that a host-level overwrite is unreliable on flash: wear-leveling and over-provisioning leave physical blocks the host cannot address, so a write pass can leave old copies of data behind. For these media, cryptographic erasure (where its conditions are met) or physical destruction is required. Where a drive supports a built-in sanitize operation (NVMe Sanitize or ATA SANITIZE DEVICE with block erase or crypto erase), that device-level command, followed by verification, is the NIST SP 800-88 Purge path for flash; a file-system or dd overwrite is not.

Alignment with NIST SP 800-88 r2: ISO 27040:2024 is explicitly aligned with NIST SP 800-88 r2. NIST SP 800-88 r2 itself references ISO 27040:2024 as a supporting standard. The two standards are technically consistent, though NIST SP 800-88 r2 is more commonly cited in US compliance contexts and ISO 27040:2024 is more commonly cited in European and international contexts.
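The overwrite-and-verify cycle described above, together with the record of method, operator and date that an A.7.14 audit asks for, as an added worked example. This is illustrative code written for this page, not DDI's tooling and not anything published in ISO 27040 or NIST SP 800-88; it treats one item of equipment as a raw image file (on Linux the same functions work on a block device path opened as root, because the size comes from a seek to end rather than stat). The serial number, model and operator in demo() are constructed placeholders, and the "retired drive" contents are random bytes generated inline.

```python
"""Single-pass overwrite, sampled or full verification, and a disposal record.

Added example for this page (not DDI's or ISO's code). Sector size, the
sampling count and the record fields are assumptions chosen for illustration.
"""
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # assumption: logical sector size of the media being verified


def _device_size(f):
    """Size in bytes; works for regular files and (on Linux) block devices."""
    f.seek(0, os.SEEK_END)
    return f.tell()


def overwrite(path, pattern=b"\x00"):
    """Logical sanitization: one documented pass of `pattern` over every byte.

    Appropriate for magnetic media (HDD) or an image. On flash this does NOT
    reach over-provisioned or wear-leveled blocks, so it is not a Purge there.
    """
    chunk = pattern * ((1 << 20) // len(pattern))
    with open(path, "r+b") as f:
        size = _device_size(f)
        f.seek(0)
        done = 0
        while done < size:
            n = min(len(chunk), size - done)
            f.write(chunk[:n])
            done += n
        f.flush()
        os.fsync(f.fileno())  # make sure the pass actually reached the media
    return size


def verify(path, pattern=b"\x00", samples=None, seed=None):
    """Post-sanitization verification read-back.

    samples=None reads every whole sector (full verification); an integer reads
    that many pseudo-randomly chosen sectors (sampled verification). Returns
    (fraction_of_checked_sectors_clean, first_sector_that_failed_or_None).
    Any value below 1.0 means the sanitization must be repeated or escalated.
    """
    expected = pattern * (SECTOR // len(pattern))
    with open(path, "rb") as f:
        nsect = _device_size(f) // SECTOR
        if samples is None:
            targets = range(nsect)
        else:
            targets = sorted(random.Random(seed).sample(range(nsect), min(samples, nsect)))
        bad, first_bad, checked = 0, None, 0
        for s in targets:
            f.seek(s * SECTOR)
            checked += 1
            if f.read(SECTOR) != expected:
                bad += 1
                if first_bad is None:
                    first_bad = s
    return ((1.0 - bad / checked) if checked else 0.0), first_bad


def disposal_record(serial, make_model, method, verification, operator, media_type="HDD"):
    """Record the facts an A.7.14 / SP 800-88 audit wants: what, how, who, when, verified.

    The SHA-256 over the canonical JSON is a stable reference for the serialized
    inventory; it is not a signature and gives no tamper evidence on its own.
    """
    rec = {
        "serial": serial,
        "make_model": make_model,
        "media_type": media_type,
        "method": method,                 # e.g. "overwrite 1-pass 0x00" or "shred"
        "verification": verification,     # e.g. {"mode": "full", "fraction_clean": 1.0}
        "operator": operator,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "control_refs": ["ISO/IEC 27001:2022 A.7.14", "ISO/IEC 27040:2024", "NIST SP 800-88 r2"],
    }
    canon = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    rec["record_sha256"] = hashlib.sha256(canon).hexdigest()
    return rec


def demo(size_mb=4):
    """Constructed run: a random-filled image fails verification, passes after overwrite."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as f:              # constructed "retired drive" contents
            f.write(os.urandom(size_mb << 20))
        before, _ = verify(path, samples=64, seed=1)   # sampled check on unsanitized media
        overwrite(path)
        full, first_bad = verify(path)                 # full read-back after the pass
        rec = disposal_record("SN-EXAMPLE-0001", "ExampleCo HDD 1TB", "overwrite 1-pass 0x00",
                              {"mode": "full", "fraction_clean": full}, "operator@example.test")
        return before, full, first_bad, rec
    finally:
        os.remove(path)


if __name__ == "__main__":
    b, a, fb, r = demo()
    print(f"clean before: {b:.2f}, after: {a:.2f}, first bad sector: {fb}")
    print(json.dumps(r, indent=2))
```

The sampled check is deliberately seeded so an auditor can re-run the same sectors; for a real disposal, run the full pass and store the returned record alongside the vendor's Certificate of Destruction, since the certificate is the evidence the certification body will ask for.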


How Data Destruction Inc. Satisfies ISO 27001 and ISO 27040 Requirements

Data Destruction Inc. provides destruction services consistent with ISO 27001:2022 Annex A.7.14 and ISO 27040:2024 through documented, NIST SP 800-88 r2 Destroy-level physical destruction.

ISO Control | DDI Service | ISO 27040 Method | Documentation
A.7.14 (disposal) | Hard drive shredding | Physical destruction | Certificate of Destruction with method, serialized inventory, date
A.7.14 (disposal) | Hard drive crushing | Physical destruction | Certificate of Destruction with method, serialized inventory, date
A.7.14 (reuse) | Data wiping | Logical/cryptographic sanitization | Certificate of Destruction + wipe report
A.7.14 + witness | Witnessed destruction | Physical destruction + chain of custody | CoD + signed witness page + chain-of-custody log
A.8.10 (deletion) | Data wiping or shredding | CE or physical destruction | Certificate documenting the destruction event for records

For ISO 27001 certification audits: ISO 27001 auditors (accredited certification bodies) evaluate A.7.14 compliance by requesting evidence of secure disposal procedures and disposal records. The Certificate of Destruction from Data Destruction Inc. satisfies the disposal record requirement. The service agreement specifying destruction methods satisfies the procedure evidence requirement.


Who Must Comply with ISO 27001 and ISO 27040?

ISO 27001 and ISO 27040 are voluntary international standards. No law in the United States directly mandates ISO 27001 certification. However, compliance is required or strongly expected in several practical contexts.

B2B procurement requirements: Many multinational corporations, European companies, and government entities in Europe, the UK, Australia, and Asia-Pacific require their vendors and suppliers to hold ISO 27001 certification as a procurement condition. A US company seeking to sell data services to a European enterprise client frequently faces this requirement.

EU and UK regulatory context: In the UK, ISO 27001 certification is frequently requested in public-sector and regulated-industry procurement, alongside the NCSC's separate Cyber Essentials scheme. Many EU organizations treat ISO 27001 certification as evidence of GDPR Article 32 “appropriate technical and organizational measures.”

Financial sector: Certain banking and insurance regulators in multiple countries recognize ISO 27001 certification as evidence of information security governance.

US federal contracts: While FISMA and CMMC are the primary frameworks for federal contracts, some federal agencies accept ISO 27001-certified vendors for specific contract categories.

Data center and cloud providers: ISO 27001 certification is a baseline expectation for cloud service providers, data center operators, managed service providers, and SaaS companies operating in global markets. ISO 27040:2024 specifically addresses the storage security requirements for these providers.


Enforcement and Consequences

Because ISO 27001 is a voluntary standard, there are no statutory penalties for non-compliance. The consequences of non-conformance are commercial and reputational.

Certification consequences: An ISO 27001 surveillance audit that finds non-conformance with A.7.14 raises a nonconformity. A major nonconformity must be closed before the certificate is granted or maintained; a minor one requires a documented corrective action that the certification body checks at the next audit. Failure to remediate results in suspension or withdrawal of the ISO 27001 certificate.

Commercial consequences: Loss of ISO 27001 certification can disqualify a vendor from contracts that require it. For data center operators, managed service providers, and IT companies targeting multinational clients, loss of ISO 27001 certification is a material commercial event.

GDPR interaction: Article 32 of the GDPR requires organizations to implement “appropriate technical and organizational measures” to ensure information security. ISO 27001 certification (including A.7.14 compliance) is widely recognized as evidence of GDPR Article 32 compliance. Poor media disposal practices that result in a breach can trigger GDPR enforcement, with fines up to 4% of global annual turnover or EUR 20 million, whichever is higher.


Storage Media Disposal: ISO 27040:2024 Method by Media Type

ISO 27040:2024 defines three sanitization methods aligned with NIST SP 800-88 r2 categories. The following matrix maps each media type to the ISO 27040:2024 sanitization requirement under ISO 27001:2022 Annex A.7.14. Organizations pursuing ISO 27001 certification should document which method was applied, by whom, and on which date — the Certificate of Destruction from DDI provides this documentation.

Media Type | ISO 27040:2024 Method | Equivalent NIST r2 Category | DDI Method
Hard drive (HDD) | Logical sanitization (overwrite) or physical destruction | Clear/Purge for reuse; Destroy (§3.1.3) for disposal | Shredding or crushing (final disposal)
Solid-state drive (SSD / NVMe) | Cryptographic sanitization (CE) or physical destruction | Purge via CE (§3.1.2 + §3.2) or Destroy (§3.1.3) | Shredding (CE requires §3.2 verification)
Magnetic tape | Degaussing or physical destruction | Purge (§3.1.2) or Destroy (§3.1.3) | Tape shredding / degauss + shred
Optical media (CD / DVD) | Physical destruction | Destroy (§3.1.3) | Shredding / disintegration
Cloud / virtual storage | Cryptographic sanitization (provider-side CE + key destruction) | Purge via CE (§3.1.2 + §3.2) | Provider-confirmed CE (DDI handles physical media)
Media for reuse | Logical sanitization (overwrite to standard) | Clear (§3.1.1) or Purge (§3.1.2) | Data wiping with wipe report

Regulations and Frameworks That Interact with ISO 27001 / ISO 27040

ISO 27001 is a voluntary standard but frequently intersects with mandatory regulations. Organizations certified under ISO 27001 often use their ISMS controls — including A.7.14 media disposal — as evidence for multiple regulatory frameworks simultaneously. A serialized Certificate of Destruction from DDI supports all of the following.


Authoritative Source and Official Standards

Publisher: ISO / IEC (voluntary international standards), iso.org

Standards: ISO/IEC 27001:2022 (Annex A.7.14), published October 2022, and ISO/IEC 27040:2024, Storage Security, published January 2024. Both are the current editions.

Link: iso.org/standard/27001


Frequently Asked Questions

Does ISO 27001 certification mean a company is certified to destroy data?

No. ISO 27001 certifies an organization’s information security management system, including its policies and procedures for media disposal. It does not mean the organization is a certified data destruction vendor. Data Destruction Inc. provides services that help organizations satisfy A.7.14 requirements as part of their ISO 27001 ISMS, but DDI does not hold and does not claim ISO 27001 certification.

What changed between ISO 27040:2015 and ISO 27040:2024?

ISO 27040:2024 (Edition 2, January 2024) substantially updates the 2015 edition. The 2024 version expands guidance for NVMe SSDs, eMMC, UFS, and self-encrypting drives well beyond what the 2015 edition offered. It aligns more explicitly with NIST SP 800-88 r2 and addresses cloud storage and distributed storage environments. Organizations with ISO 27001 certifications referencing ISO 27040:2015 should update their ISMS documentation to reference ISO 27040:2024.

What changed between ISO 27001:2013 and ISO 27001:2022?

ISO 27001:2022 reorganized and updated the Annex A controls. The control count changed from 114 controls in 14 domains to 93 controls in 4 themes (Organizational, People, Physical, Technological). The equipment disposal control moved from A.11.2.7 (in the 2013 version) to A.7.14 (in the 2022 version). A new control, A.8.10 (Information Deletion), was added to address the data lifecycle explicitly. Organizations certified under ISO 27001:2013 were required to transition to ISO 27001:2022 by October 2025.

How does ISO 27001 Annex A.7.14 interact with NIST SP 800-88 r2?

The two standards address the same requirement from different angles. ISO 27001 Annex A.7.14 establishes the requirement (secure disposal must happen). ISO 27040:2024 provides the technical specifics for storage media (methods aligned with NIST SP 800-88 r2 categories). NIST SP 800-88 r2 provides the method details for US contexts. For organizations operating in both US and international contexts, implementing NIST SP 800-88 r2 Destroy-level destruction and documenting it with a serialized Certificate of Destruction satisfies both ISO 27001 A.7.14 and US regulatory requirements simultaneously.

Does ISO 27001 apply to US companies?

ISO 27001 is an international standard applicable to any organization in any country. US companies are not legally required to pursue ISO 27001 certification. However, US companies that sell to European, UK, Australian, or government clients, or that provide cloud services, data center hosting, or managed IT services, frequently need ISO 27001 certification to compete for those contracts. For US organizations with ISO 27001 obligations, the media disposal requirements of Annex A.7.14 and ISO 27040:2024 apply.

Need secure disposal services that satisfy ISO 27001 and ISO 27040?

Bonded · Insured · 24-Hour Certificate of Destruction · Methods follow ISO 27001 and ISO 27040