Hardware Disposal Checklist

Look up the asset tag in your CMDB or RMM (ServiceNow, IT Glue, Hudu, NinjaOne) and pull serial number, model, last assigned user, BitLocker/FileVault recovery key, and encryption status. Flag any device still showing an active user — that's an offboarding gap to close before disposal proceeds.

Classification drives the sanitization method per NIST SP 800-88 Rev. 1: Low confidentiality permits Clear, Moderate requires Purge, and High (PHI under HIPAA, cardholder data under PCI DSS, CUI under CMMC) requires Destroy. Devices from finance, HR, legal, or healthcare clients default to High unless proven otherwise.

Confirm the device record is removed or retired in Intune / JAMF / Kandji, the AD computer object is disabled, and any associated service account or certificate (VPN, 802.1x, S/MIME) is revoked. Stale device objects in Entra ID are a common audit finding.

Coordinate with the prior assignee's manager before wiping. OneDrive/Google Drive should already be transferred during offboarding, but check the local desktop, Documents, and any non-synced folders for orphaned work product before erasure.

NIST 800-88 method depends on media type. HDDs accept multi-pass overwrite (Clear). SSDs and NVMe require ATA Secure Erase or NVMe Format with Crypto Erase (Purge) — overwrites alone are unreliable due to wear leveling. Self-encrypting drives (SEDs) support cryptographic erase via PSID revert.

Use a NIST 800-88 compliant tool: Blancco Drive Eraser, KillDisk, or vendor utility (Samsung Magician, Crucial Storage Executive, Dell DataWipe). Generate the per-drive wipe certificate with serial number, method, and pass/fail outcome. Manufacturer Secure Erase via hdparm is acceptable for HDDs and SATA SSDs.

For High-sensitivity data, drives soldered to the board, or any drive where software erase failed, proceed to physical destruction per NIST 800-88 Destroy. Use a NAID AAA-certified shredder, degausser (HDDs only — does not work on SSDs), or vendor on-site crush service. Photograph the destroyed media with the original serial number visible.

Peel asset tags, service tag stickers, MDM enrollment labels, and any client-branded markings. For Apple devices, also release the serial from Apple Business Manager / ASM so the next owner can enroll cleanly — a forgotten ABM lock is a frequent resale complaint.

Open the chassis and check for M.2 NVMe sticks, secondary SATA drives, mSATA caching drives, USB dongles left in ports, SD/microSD cards, and embedded eMMC on board. Multifunction printers and copiers hold internal HDDs — a commonly missed data-exposure vector.

Compare RAM modules, drives, GPU, and any add-in cards against what the CMDB recorded at issue. Missing components trigger an investigation — could indicate prior tampering, an undocumented swap, or a lost peripheral that needs to be located before disposal proceeds.

Verify current certification on SERI's R2 directory or e-Stewards.org before each shipment — certifications lapse. Confirm downstream chain (the recycler's own vendors) is also certified to prevent material ending up in informal overseas processing, which has triggered EPA enforcement actions.

25 states plus DC have electronic-waste landfill bans (California SB 20, New York ECL Article 27, Illinois EPSDA). CRTs, batteries, and lamps often have separate handling rules. For multi-state MSPs, the pickup-site state controls — not the headquarters state.

Use locked totes or shrink-wrapped pallets with tamper-evident seals. The driver signs the manifest at pickup; the receiving facility signs at delivery. Any break in this chain invalidates the audit trail — a frequent SOC 2 and HIPAA finding.

Recyclers issue a Certificate of Destruction (CoD) or Recycling per shipment, itemized by serial number. HIPAA, PCI DSS, and SOC 2 auditors will request these by date range — store them in the GRC platform (Vanta, Drata, Hyperproof) or document vault with the CMDB asset record linked.