See answers to previous information requests

Follow on request from WBCIR:21280.
In response to Question 1, you confirmed that all data sanitisation is carried out to ISO 27001 standards. To clarify the recorded assurance model relied upon, please provide the following recorded information held by the Council:

1. Confirmation of whether ISO 27001 certification is relied upon by the Council as constituting an explicit outcome-based warranty or guarantee of irretrievability.
ISO27001 is used as a framework for our security processes, including our interaction with suppliers. Our supplier is ISO27001 certified and carries out all data sanitization to ISO27001 standards.

2. The recorded basis on which the Council concludes that ISO 27001 standards demonstrate that software-based erasure renders data permanently irretrievable.
Our supplier is ISO27001 certified and carries out all data sanitization to ISO27001 standards. We receive certificates of data destruction for all our data containing assets that they dispose of.

3. Confirmation of whether the Certificates of Data Destruction (COD) received from the third party represent:
Yes, we receive certificates of data destruction from our asset disposal company.

4. Confirmation that a defined erasure process was executed; or an explicit vendor-issued outcome warranty of irretrievability.
Our asset disposal company uses a 2-stage data sanitization process with a 100% pass process. Any data failures are physically destroyed on-site using data punching and crushing machines; these parts are then dismantled and sent for metal refinement.

5. If an explicit vendor-issued outcome warranty is relied upon, please provide the recorded documentation demonstrating that warranty.
We receive asset inventory sheets (AIS) for assets that have undergone data sanitization. 1 Page example included.