What’s the most important thing in any business partnership? The provision of a quality service? Confidentiality? Maybe it’s having the same values? When it comes to your organisation’s data security and therefore your legal compliance, trust is quite simply crucial.
This essential requirement can only come when you have absolute confidence in the IT asset disposal services you engage. The professional standards, certifications and industry accreditations they hold can help you make a thorough assessment of their status and commitment to their level of service.
Are IT asset disposal companies regulated in the UK?
As data security and e-waste reduction are central to the sector, you certainly wouldn’t be alone in making the reasonable assumption that the secure IT asset disposal industry is highly regulated with its own stringent operational standards. However, in the UK, there is currently no direct, explicit authorisation for the ITAD industry itself.
That said, by the very nature of their business, all IT asset disposal services are governed by the GDPR data destruction requirements, the Waste Electrical and Electronic Equipment directive (WEEE), and environmental laws. These provide a best practice framework for data governance challenges, compliance, environmental sustainability, responsible recycling and secure data erasure services.
The enormous environmental impact of our digitalisation, a substantial surge in cybercriminal activity and strict data protection laws governing UK businesses have seen the importance of relevant certifications rise. By satisfying and then maintaining all requirements of an accreditation or professional standard, ITAD providers stay up-to-date with the latest regulatory changes and continue to adopt the latest best practice techniques.
As there is no legislative obligation to do so, highly accredited IT asset disposition services demonstrate dedication and ongoing commitment to secure, quality service provision. Often taking a significant time to complete, most certification reassessments occur either annually or every three years.
These IT asset disposal qualifications provide an independent, third-party validation that the correct procedures are followed in line with the accreditation guidelines.
What accreditations should an ITAD company have?
ITAD accreditations can be wide-ranging, and without researching each in turn, these can appear a little confusing. So, what are ITAD certifications?
The independent certification body ADISA upholds and promotes ITAD best practice, secure data wiping services and information security; the scheme is endorsed by the UK’s National Cyber Security Centre. A certified ADISA organisation will manage and maintain a robust ITAD chain of custody.
Furthermore, when it comes to the disposal of end-of-life IT assets, the ADISA accreditation promotes responsible environmental management processes and sustainable IT practices. After sanitisation, businesses can sell redundant IT assets and maximize return value with complete assurance. When necessary, devices can be securely recycled and sent for remanufacturing to prevent e-waste.
CAS (Commodity Information Assurance Services)
The National Cyber Security Centre’s Assured Service, CAS, predefines the service requirements for ITAD services to be officially certified.
It complies with Infosec Standard 5 (IS5), a data destruction standard used by the Government. The strict service requirements define what resilient security enforcement looks like. With detailed prerequisites for different records and different media, IS5 defines two different levels of overwriting that are required if supplying data erasure services to Government institutions.
CPNI (Central Protection of National Infrastructure)
Established by the Government, the CPNI authority was created to protect national security and the UK’s infrastructure, reducing vulnerabilities from terrorism and other security-related threats, such as cyber-criminal activity.
The CPNI standard provides procedures for, and monitoring of, the processes to be implemented during onsite and offsite destruction of sensitive, static and mobile data-bearing media. This covers everything from identification and categorisation to secure, documented destruction methods, including secure transportation to an external ITAD facility.
Under section 28 of the UK’s Waste Regulations 2011 (England and Wales), businesses that transport, buy, sell or dispose of waste must register as a waste carrier and abide by the Environment Agency’s legislation.
As ITAD services are required by law to adhere to the WEEE directive, this regularly reviewed 3-year certification is an important one to look out for. It provides assurance that redundant IT equipment is processed by a WEEE-compliant, Environment Agency-approved service. This provides peace of mind that your assets are recycled or sent for further processing through the correct channels.
As the name might suggest, the Cyber Essentials self-assessment scheme mitigates against the most common cyber-attacks. Companies evaluate themselves through the secure Cyber Essentials assessment platform using five technical security controls; this is verified by an independent, qualified assessor.
Demonstrating an enhanced level of security and the mitigation of cyber threats, the certificate endorses the organisation’s cyber-attack defences. To make sure certified organisations keep on top of the rapidly evolving cyber security threats, the standard expires after 12 months.
Blancco Gold Partner status.
Although highly effective, the traditional technique of data shredding physically destroys a device and its recoverable, reusable components.
The advanced data sanitisation software from Blancco provides a sustainable alternative, ensuring total data destruction without obliterating the device. The market-leading software, which can be used at scale, produces an IT asset disposal accreditation certificate for each individual asset, providing clients and regulatory bodies with the utmost confidence in the ITAD’s data destruction services. By using the Blancco data erasure system, you will boost your organisation’s sustainability efforts and, consequently, enhance your reputation.
Sectors such as those with highly sensitive PII have extended data privacy regulations. For example, if you are looking for healthcare ITAD specifically, you will need to ensure that the IT asset disposition services you research have the appropriate accreditation.
The Data Security and Protection Toolkit, NHS IG, is another substantiated self-assessment certification that all organisations with access to NHS patient data and systems must hold; evidencing that they handle such valuable records securely and appropriately.
Similarly, the Financial Services Qualification System is a single standard for managing third and fourth-party information. The FSQS onsite assessment comprises cybersecurity, business continuity, data privacy, fourth parties, and conduct risk. A further stage applies where detailed due diligence is needed to demonstrate regulatory or legal compliance, such as financial industry ITAD.
What other global standards are important?
When it comes to internationally recognised business standards, ISO accreditations provide a global benchmark for ongoing quality and corporate integrity. Reassessment must take place every 3 years, where company performance against the highest standards is audited and verified.
ISO-9001, Quality Management, is the rigorous standard used by over 1 million businesses today, across all sectors. Continual improvement is driven by the needs of customers. Highly relevant ISO accreditations for the ITAD industry are ISO-27001, Information Security Management, and ISO-14001, Environmental Management.
With sustainability rightly surging in importance, many enterprises now demand that their suppliers have an environmental management strategy. The ISO 14001 framework demonstrates a company’s efforts to reduce waste, improve efficiency and cut waste management costs.
Built on the guiding data governance principles of confidentiality, integrity and availability, Information Security Management (ISO-27001) sets out essential policies, which will help to identify and mitigate risks to your data integrity.
Accreditations, certifications and industry standards inspire confidence in the qualified expertise of leading ITAD services. They demonstrate a clear commitment to professional integrity, along with the provision of the highest level of service, compliance and credibility. However, finding the right ITAD partner also stretches beyond industry accreditations.
Looking beyond ITAD best practice and your sector’s specific legal obligations, you might have further questions to ask your ITAD supplier. You might enquire about their social and ethical business standards. Do they go above and beyond with employee health and safety, well-being, training and support? Have they committed to the living wage? Do they promote inclusion, equality and diversity? How do they assess their own social and environmental impact?
External recognition is hard to come by, so validation through business awards shows any organisation’s credibility. The same can be said for client testimonials on impartial review platforms, like Trustpilot or Feefo.
When it comes to building a reliable, long-term working relationship that you can trust, your ethos and values should align with your needs and your own organisation’s level of commitment to secure, responsible IT asset disposition practices.
tier1 Group are proud to be the UK’s most accredited environmentally friendly ITAD partner. We continually strive to lead the way, with an unfaltering commitment to trust, data security, service quality and confidentiality.
Our goal is to achieve every relevant ITAD industry certification. However, with social impact, sustainability and inclusion at our core, we aim to go beyond ITAD-specific professional standards.
To find out more about our accreditations or our fully auditable, circular data wiping services – contact our friendly teams on 0161 777 1000 (Manchester), 01621 484380 (Maldon) or visit www.tier1.com