NIST 800-88 | PCI | ISO 27001 Hard Drive Destruction

NIST SP 800-88, PCI DSS and ISO 27001 each provide guidance on the secure disposal of digital media, including hard drive destruction.  These three security standards describe how digital media, such as computer hard drives, must be sanitized or destroyed when it is no longer in use.  The organization remains ultimately responsible for defending its decisions, processes and implementation to an auditor or regulator.  The two major decisions for any data destruction project:

#1. Classify information based on its value, legal requirements, sensitivity and criticality to the organization.

#2. Determine the appropriate data destruction process (NIST 800-88 distinguishes between clear, purge and destroy) based on the information's value to the organization and other stakeholders, and on the consequences if it were disclosed.


NIST SP 800-88 Guidelines for Media Sanitization:  "Categorize the VALUE of information...".  The risk decision should take into account the potential consequences of disclosure of the information, and the sanitization method chosen should be strong enough to prevent recovery given those consequences.


PCI DSS:  "Classify media [information] so that the VALUE and sensitivity of the data can be determined."  An auditor will test your personnel to verify that they can determine the classification of a random piece of media.  If they cannot, then you are not meeting PCI DSS requirement 9.6.1.

ISO 27001 Information Security Management System:  "Information shall be classified in terms of its VALUE..." (Annex A control on information classification).

Value: "relative worth, utility, or importance" ... "to estimate or assign the monetary worth" (Merriam-Webster)

[Image: computer hard drive before and after shredding]