GRCWatch
Sign inStart free trial

CIS Control 3.5: Securely Dispose of Data

Data disposal is the final step in your data lifecycle—but many organizations skip it or do it poorly, leaving sensitive information vulnerable to breach. CIS Control 3.5 requires you to destroy data in ways that match its sensitivity and align with documented processes. This control prevents competitors, threat actors, and internal bad actors from recovering deleted files.

What this means

Secure data disposal means permanently destroying data in a way that prevents recovery, with methods proportional to the data's classification level. Your organization must have a documented data management policy that specifies disposal timelines, approved methods (e.g., cryptographic erasure, physical shredding, incineration), and verification processes. The disposal method should reflect the sensitivity of the data—confidential records require stronger destruction than public information.

How to comply

  1. 1.Create a formal data retention and disposal policy that defines lifecycle rules for each data classification level
  2. 2.Document approved disposal methods for physical media (shredding, incineration), digital storage (secure wiping, encryption key destruction), and cloud systems (vendor deletion procedures)
  3. 3.Establish clear timelines for when data must be disposed after it's no longer needed—align with legal, regulatory, and business requirements
  4. 4.Implement technical controls to automate deletion or cryptographic erasure based on retention schedules
  5. 5.Maintain audit logs and certificates of destruction for all disposed data, including date, method, and person responsible
  6. 6.Test disposal procedures regularly to ensure deleted data cannot be recovered

Evidence auditors look for

  • Data retention and disposal policy signed by leadership
  • Vendor contracts specifying data deletion procedures and timeframes for cloud services
  • Certificates of destruction from IT or third-party vendors confirming deletion
  • Audit logs showing automated data deletion by classification level and retention date
  • Physical inventory of media (hard drives, USB devices) with documented destruction records
  • Testing reports confirming that disposal methods permanently prevent data recovery
  • Procedure documentation for emergency data destruction in incident response scenarios

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates data retention schedules and logs disposal evidence automatically, eliminating manual tracking and ensuring certificates of destruction are generated and stored for every purge cycle.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 3.1 — Govern DataCIS 3.2 — Address Unauthorized DataCIS 3.3 — Remediate Unauthorized DataCIS 3.4 — Secure Data in TransitCIS 2.1 — Document Data Flows