Hardware Disposal Checklist
Intake and Chain of Custody
Look up the asset tag in your CMDB or RMM (ServiceNow, IT Glue, Hudu, NinjaOne) and pull serial number, model, last assigned user, BitLocker/FileVault recovery key, and encryption status. Flag any device still showing an active user — that's an offboarding gap to close before disposal proceeds.
Classification drives the sanitization method per NIST SP 800-88 Rev. 1: Low confidentiality permits Clear, Moderate requires Purge, and High (PHI under HIPAA, cardholder data under PCI DSS, CUI under CMMC) requires Destroy. Devices from finance, HR, legal, or healthcare clients default to High unless proven otherwise.
Confirm the device record is removed or retired in Intune / JAMF / Kandji, the AD computer object is disabled, and any associated service account or certificate (VPN, 802.1x, S/MIME) is revoked. Stale device objects in Entra ID are a common audit finding.
Move the asset to a locked staging area with a sign-in/sign-out log. Update CMDB status to "Pending Disposal" so the device isn't accidentally redeployed. Chain-of-custody breaks here are the most common reason SOC 2 auditors fail an asset-disposal control.
Data Sanitization
Coordinate with the prior assignee's manager before wiping. OneDrive/Google Drive should already be transferred during offboarding, but check the local desktop, Documents, and any non-synced folders for orphaned work product before erasure.
NIST 800-88 method depends on media type. HDDs accept multi-pass overwrite (Clear). SSDs and NVMe require ATA Secure Erase or NVMe Format with Crypto Erase (Purge) — overwrites alone are unreliable due to wear leveling. Self-encrypting drives (SEDs) support cryptographic erase via PSID revert.
Use a NIST 800-88 compliant tool: Blancco Drive Eraser, KillDisk, or vendor utility (Samsung Magician, Crucial Storage Executive, Dell DataWipe). Generate the per-drive wipe certificate with serial number, method, and pass/fail outcome. Manufacturer Secure Erase via hdparm is acceptable for HDDs and SATA SSDs.
For High-sensitivity data, drives soldered to the board, or any drive where software erase failed, proceed to physical destruction per NIST 800-88 Destroy. Use a NAID AAA-certified shredder, degausser (HDDs only — does not work on SSDs), or vendor on-site crush service. Photograph the destroyed media with the original serial number visible.
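The method selection and tool dispatch described in the three items above, written out as an added example (not part of this checklist). It assumes a Linux technician workstation with hdparm, nvme-cli, sedutil-cli and shred on PATH, and an inventory record with the hypothetical fields shown; with dry_run=True it only plans the commands and emits the wipe-certificate record, so it can be reviewed before anything touches a drive.

```python
"""Pick the NIST SP 800-88 Rev. 1 method from classification and media
type, build the erase tool invocation, and emit the per-drive wipe
certificate record.  Added example, not part of the checklist; assumes
Linux with hdparm, nvme-cli, sedutil-cli and shred on PATH, and the asset
fields shown (hypothetical inventory record).  Nothing runs while
dry_run=True."""
import subprocess
from datetime import datetime, timezone

# Classification -> minimum outcome (checklist mapping); rank for comparison.
MIN_METHOD = {"Low": "Clear", "Moderate": "Purge", "High": "Destroy"}
RANK = {"Clear": 0, "Purge": 1, "Destroy": 2}


def select_method(classification, media, soldered=False):
    """Media capability can only raise the floor: flash media (SSD/NVMe/SED)
    cannot be reliably Cleared by overwrite, so it gets at least Purge;
    media that cannot be removed from the board must be Destroyed."""
    method = MIN_METHOD[classification]
    if media in ("ssd", "nvme", "sed") and RANK[method] < RANK["Purge"]:
        method = "Purge"
    if soldered:
        method = "Destroy"
    return method


def hdparm_secure_erase(device, password="tmp"):
    """ATA Security Erase (enhanced): set a temporary user password, then
    erase; the drive discards the password when the erase completes."""
    return [
        ["hdparm", "--user-master", "u", "--security-set-pass", password, device],
        ["hdparm", "--user-master", "u", "--security-erase-enhanced", password, device],
    ]


def build_commands(method, media, device, psid=None):
    """Tool invocation(s) for a software method; None for Destroy, which is
    a physical process with no software step."""
    if method == "Destroy":
        return None
    if media == "hdd":
        # Clear = single-pass overwrite; Purge on an HDD = ATA Secure Erase.
        if method == "Clear":
            return [["shred", "-n", "1", "-v", device]]
        return hdparm_secure_erase(device)
    if media == "ssd":
        return hdparm_secure_erase(device)
    if media == "nvme":
        # NVMe Format with Secure Erase Setting 2 = cryptographic erase.
        return [["nvme", "format", device, "--ses=2"]]
    if media == "sed":
        # PSID revert through sedutil-cli (assumption: sedutil is installed).
        if not psid:
            raise ValueError("SED PSID revert needs the PSID printed on the drive label")
        return [["sedutil-cli", "--PSIDrevert", psid, device]]
    raise ValueError(f"unknown media type {media!r}")


def sanitize(asset, dry_run=True):
    """Run (or plan) the erase and return the wipe-certificate record:
    serial, method, commands, outcome.  A failed software erase is flagged
    for escalation to physical destruction, as the checklist requires."""
    method = select_method(asset["classification"], asset["media"], asset.get("soldered", False))
    commands = build_commands(method, asset["media"], asset["device"], asset.get("psid"))
    outcome = "planned" if dry_run else "pass"
    if not dry_run and commands:
        for cmd in commands:
            if subprocess.run(cmd).returncode != 0:
                outcome = "fail"
                break
    return {
        "serial": asset["serial"],
        "classification": asset["classification"],
        "media": asset["media"],
        "method": method,
        "commands": [" ".join(c) for c in (commands or [])],
        "outcome": outcome,
        "escalate_to_destroy": method != "Destroy" and outcome == "fail",
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


# Constructed sample asset, not a real device.
SAMPLE_ASSET = {"serial": "SN-EXAMPLE-001", "classification": "Moderate",
                "media": "nvme", "device": "/dev/nvme9n1"}

if __name__ == "__main__":
    print(sanitize(SAMPLE_ASSET, dry_run=True))
```

The record returned by sanitize is the wipe certificate the checklist asks for; feed it to the same store as the destruction photos so the close-out reconciliation can match on serial. Note that the media type must come from the inventory or from the drive itself (rotational flag, NVMe namespace), never from the chassis label, since a laptop sold with an HDD may have been upgraded to an SSD.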
NIST 800-88 requires verification by someone other than the sanitizer. For software erase, boot from a forensic image (e.g., Tsurugi, CAINE) and confirm that no partitions or file systems are recoverable from the drive. For physical destruction, the second tech signs off on the destruction photo and serial match.
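The second-person verification step above, as an added example that is not part of the checklist. It runs against a raw block device path or a disk image and does two things: looks for surviving MBR/GPT partition signatures and reads randomly chosen sectors to confirm they are zero. The sample count and the expect_zeros switch are assumptions; after a cryptographic erase (NVMe crypto erase, SED PSID revert) sectors read back as noise rather than zeros, so that case relies on the signature check and the vendor's erase status.

```python
"""Second-person verification of a software erase: check that no MBR/GPT
partition signature survives and that randomly sampled sectors read back
as zeros.  Added example, not from the checklist; works on a raw block
device or a disk image path, and the sample count is an assumption.  After
a cryptographic erase sectors read as noise rather than zeros, so pass
expect_zeros=False and rely on the signature check."""
import os
import random
import tempfile
from dataclasses import dataclass, field

SECTOR = 512


@dataclass
class VerifyResult:
    partition_signatures: list = field(default_factory=list)
    nonzero_samples: int = 0
    samples: int = 0
    expect_zeros: bool = True

    @property
    def clean(self):
        if self.partition_signatures:
            return False
        return self.nonzero_samples == 0 if self.expect_zeros else True


def find_partition_signatures(fh):
    """MBR boot signature is 0x55AA at bytes 510-511 of LBA 0; a GPT header
    starts with 'EFI PART' at LBA 1.  Either means the drive still carries
    (or was re-given) a partition table."""
    found = []
    fh.seek(0)
    if fh.read(SECTOR)[510:512] == b"\x55\xaa":
        found.append("MBR")
    fh.seek(SECTOR)
    if fh.read(8) == b"EFI PART":
        found.append("GPT")
    return found


def count_nonzero_samples(fh, size, samples, seed=None):
    """Read `samples` randomly chosen sectors; random offsets catch a wipe
    that only covered the start of the disk (interrupted overwrite)."""
    rng = random.Random(seed)
    total = size // SECTOR
    nonzero = 0
    for _ in range(samples):
        fh.seek(rng.randrange(total) * SECTOR)
        if any(fh.read(SECTOR)):
            nonzero += 1
    return nonzero


def verify(path, samples=1000, expect_zeros=True, seed=None):
    with open(path, "rb") as fh:
        size = fh.seek(0, os.SEEK_END)
        sigs = find_partition_signatures(fh)
        nonzero = count_nonzero_samples(fh, size, samples, seed)
    return VerifyResult(sigs, nonzero, samples, expect_zeros)


def write_sample_image(path, wiped):
    """Constructed 1 MiB image: either all zeros (wiped) or data-filled
    with an MBR signature in LBA 0 (not wiped)."""
    sectors = 2048
    with open(path, "wb") as fh:
        if wiped:
            fh.write(b"\x00" * (sectors * SECTOR))
        else:
            lba0 = bytearray(b"\x41" * SECTOR)
            lba0[510:512] = b"\x55\xaa"
            fh.write(bytes(lba0) + b"\x41" * ((sectors - 1) * SECTOR))


def demo(samples=200):
    """Verify one unwiped and one wiped constructed image; returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        dirty = os.path.join(tmp, "dirty.img")
        clean = os.path.join(tmp, "clean.img")
        write_sample_image(dirty, wiped=False)
        write_sample_image(clean, wiped=True)
        return {"dirty": verify(dirty, samples, seed=1),
                "clean": verify(clean, samples, seed=1)}


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, "clean" if res.clean else "NOT clean", res)
```

On a real drive the verifier runs this from the forensic boot image against the device node (for example a path under /dev), with the sample count raised to a few thousand; a clean result plus the wipe certificate from the erase step is what the second tech signs. A zero read from a drive that was cryptographically erased is itself suspicious and worth a second look, since that drive should read as random data.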
Hardware Decommissioning
Peel asset tags, service tag stickers, MDM enrollment labels, and any client-branded markings. For Apple devices, also release the serial from Apple Business Manager / ASM so the next owner can enroll cleanly — a forgotten ABM lock is a frequent resale complaint.
Open the chassis and check for M.2 NVMe sticks, secondary SATA drives, mSATA caching drives, USB dongles left in ports, SD/microSD cards, and embedded eMMC on board. Multifunction printers and copiers hold internal HDDs — a commonly missed data-exposure vector.
Compare RAM modules, drives, GPU, and any add-in cards against what the CMDB recorded at issue. A missing component triggers an investigation: it could indicate prior tampering, an undocumented swap, or a lost peripheral that needs to be located before disposal proceeds.
Mark the asset as "Decommissioned" with the disposal pathway (recycle, resale, donation, destruction). For leased hardware, generate the return paperwork — Dell Financial Services, HPE Financial, and CIT have specific RMA forms and condition reports.
Certified Disposal and Documentation
Verify current certification on SERI's R2 directory or e-Stewards.org before each shipment — certifications lapse. Confirm downstream chain (the recycler's own vendors) is also certified to prevent material ending up in informal overseas processing, which has triggered EPA enforcement actions.
25 states plus DC have electronic-waste landfill bans (California SB 20, New York ECL Article 27, Illinois EPSDA). CRTs, batteries, and lamps often have separate handling rules. For multi-state MSPs, the pickup-site state controls — not the headquarters state.
Use locked totes or shrink-wrapped pallets with tamper-evident seals. The driver signs the manifest at pickup; the receiving facility signs at delivery. Any break in this chain invalidates the audit trail — a frequent SOC 2 and HIPAA finding.
Recyclers issue a Certificate of Destruction (CoD) or Recycling per shipment, itemized by serial number. HIPAA, PCI DSS, and SOC 2 auditors will request these by date range — store them in the GRC platform (Vanta, Drata, Hyperproof) or document vault with the CMDB asset record linked.
IT manager or designated control owner signs off after confirming wipe certificate, destruction certificate, manifest, and CMDB state all reconcile. Discrepancies (missing serial on the CoD, count mismatch on the manifest) must be resolved before close — not after.
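The close-out reconciliation in the item above, as an added example with constructed sample records (not part of the checklist and not any GRC platform's schema; the field names and status strings are assumptions). It cross-checks the manifest against the CMDB, the wipe certificates and the recycler's Certificate of Destruction and returns every discrepancy, so the control owner signs only on an empty list.

```python
"""Close-out reconciliation across the four records the checklist names:
wipe certificates, Certificate of Destruction (CoD), shipping manifest and
CMDB state.  Added example with constructed sample records; the field
names and status strings are assumptions, not any GRC platform's schema."""


def reconcile(cmdb, wipe_certs, manifest, cod_serials, final_status="Decommissioned"):
    """Return a sorted list of (record, serial, problem) tuples; an empty
    list means the control owner can sign off."""
    issues = []
    cmdb_by_serial = {a["serial"]: a for a in cmdb}
    cert_by_serial = {c["serial"]: c for c in wipe_certs}
    manifest_serials = set(manifest["serials"])
    cod = set(cod_serials)

    # Manifest: the declared unit count must match the itemized serials.
    if manifest["declared_count"] != len(manifest["serials"]):
        issues.append(("manifest", "", f"declared {manifest['declared_count']} units, "
                                        f"{len(manifest['serials'])} serials listed"))

    for serial in manifest_serials:
        asset = cmdb_by_serial.get(serial)
        if asset is None:
            issues.append(("cmdb", serial, "serial not in CMDB"))
        elif asset["status"] != final_status:
            issues.append(("cmdb", serial, f"status {asset['status']!r}, expected {final_status!r}"))

        cert = cert_by_serial.get(serial)
        if cert is None:
            issues.append(("wipe", serial, "no wipe certificate"))
        elif cert["outcome"] != "pass":
            issues.append(("wipe", serial, f"wipe outcome {cert['outcome']!r} ({cert['method']})"))

        if serial not in cod:
            issues.append(("cod", serial, "missing from Certificate of Destruction"))

    # Serials the recycler certified that were never shipped: usually a typo
    # on the CoD, occasionally a unit mixed in from another client.
    for serial in cod - manifest_serials:
        issues.append(("cod", serial, "on CoD but not on manifest"))

    return sorted(issues)


# Constructed sample records (not real assets).
CMDB = [
    {"serial": "SN-A001", "status": "Decommissioned"},
    {"serial": "SN-A002", "status": "Decommissioned"},
    {"serial": "SN-A003", "status": "Pending Disposal"},
    {"serial": "SN-A004", "status": "Decommissioned"},
]
WIPE_CERTS = [
    {"serial": "SN-A001", "method": "Purge", "outcome": "pass"},
    {"serial": "SN-A002", "method": "Clear", "outcome": "pass"},
    {"serial": "SN-A004", "method": "Destroy", "outcome": "pass"},
]
MANIFEST = {"declared_count": 5, "serials": ["SN-A001", "SN-A002", "SN-A003", "SN-A004"]}
COD_SERIALS = ["SN-A001", "SN-A002", "SN-A004", "SN-A009"]


def sample_issues():
    return reconcile(CMDB, WIPE_CERTS, MANIFEST, COD_SERIALS)


if __name__ == "__main__":
    for rec, serial, problem in sample_issues():
        print(f"{rec:8} {serial:8} {problem}")
```

Run against the real exports, the script lists exactly the kinds of discrepancy the checklist calls out (a serial missing from the CoD, a manifest count that does not match the itemized serials, an asset still "Pending Disposal") so they can be chased with the recycler or the CMDB owner before close rather than after an auditor finds them.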
