SOC 2 CC6.5: Logical and Physical Access - Logical Access to Protected Assets
What This Control Requires
The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives.
In Plain Language
Old hard drives end up on eBay with recoverable customer data more often than you'd think. CC6.5 is about making sure that never happens to your organisation.
When hardware is retired, returned, or disposed of - and when cloud instances, databases, or VMs are decommissioned - the data on them must be destroyed before the security protections around them are dropped. Deleting files or reformatting a drive is not enough: a quick format rewrites only the filesystem metadata, the data blocks stay in place until something overwrites them, and off-the-shelf recovery tools will carve them back out.
Auditors want to see a formal disposal process, appropriate destruction methods matched to the data sensitivity, and documentation proving it happened - typically certificates of destruction. In cloud environments, this extends to cleaning up orphaned snapshots, backups, and replicas when you decommission resources.
How to Implement
Write a formal asset disposal and data destruction policy covering all media types: hard drives, SSDs, backup tapes, USB drives, mobile devices, virtual machines, and cloud storage. Specify approved destruction methods for each media type and data classification level.
Choose destruction methods based on the media and the data sensitivity; NIST SP 800-88 (Guidelines for Media Sanitization) is the usual reference and distinguishes Clear, Purge and Destroy. Degaussing or physical destruction works for magnetic media, but degaussing does nothing to flash. SSDs need cryptographic erasure or physical destruction: wear levelling and over-provisioned cells mean a host-side overwrite never reaches every cell, so use the drive's built-in sanitize command (ATA Secure Erase, or NVMe Format with cryptographic erase) and verify by sampling the device afterwards. For cloud resources you cannot touch the hardware, so delete the data from every instance, backup, and replica, then destroy the encryption keys. Key destruction only protects data that was encrypted under that key, and providers enforce a waiting period before the key is actually gone (AWS KMS, for example, allows 7 to 30 days), so the evidence is the scheduled deletion date plus confirmation once it has passed.
Set up a chain of custody for assets waiting to be destroyed. Store them securely with limited access. Keep a log of everything in the disposal queue - asset identifiers, data classification, and who's responsible.
Get certificates of destruction for every disposed asset. If you use a third-party vendor, make sure their certificates identify the specific assets (serial numbers, not just a count of drives), the method used, and the date of destruction. Vet the vendor's qualifications before handing them anything - industry certification such as NAID AAA, and ideally witnessed destruction.
Don't forget cloud resource decommissioning. Deleting a volume, instance, or database does not delete the snapshots taken from it, and automated backup policies and cross-region copies keep producing copies until they are switched off. When you shut down instances, databases, or storage buckets, delete the data from every region and availability zone, remove snapshots, final snapshots, backups and replicas, stop the backup jobs that target the resource, rotate or schedule deletion of any customer-managed keys used only by that resource, and then fully deprovision it.
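The orphaned-snapshot check described above, as an added example that is not code from the original article or from any cloud vendor. It runs over constructed records shaped like the EC2 DescribeVolumes and DescribeSnapshots responses (the same field names boto3 returns), so it works offline; in production you would pass the live API output. Snapshot IDs, volume IDs and key ARNs are made up, and the placeholder volume ID `vol-ffffffff` is what EC2 reports for snapshots created by copying.

```python
"""Sweep for snapshots left behind after cloud decommissioning.

Added example, not code from the original article or from any vendor.
It runs over constructed records shaped like the EC2 DescribeVolumes and
DescribeSnapshots responses (same field names boto3 returns), so it runs
offline; in production you would pass the live API output instead.
"""

# Constructed sample: volumes that still exist in the account. Volumes that
# were deleted during decommissioning simply do not appear here.
LIVE_VOLUMES = [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "State": "in-use"},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "State": "available"},
]

# Constructed sample: all snapshots the account owns. IDs and ARNs are made up.
SNAPSHOTS = [
    # Parent volume still exists: an expected backup, nothing to do.
    {"SnapshotId": "snap-0001", "VolumeId": "vol-0a1b2c3d4e5f60001",
     "Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/live-key"},
    # Parent volume is gone: the instance was decommissioned, its snapshot was not.
    {"SnapshotId": "snap-0002", "VolumeId": "vol-0deadbeef0000003",
     "Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/old-key"},
    # Orphaned and unencrypted: anyone who can read the snapshot can read the data.
    {"SnapshotId": "snap-0003", "VolumeId": "vol-0deadbeef0000004",
     "Encrypted": False},
    # Copied snapshots report the placeholder volume ID vol-ffffffff; the source
    # cannot be resolved from this record alone.
    {"SnapshotId": "snap-0004", "VolumeId": "vol-ffffffff",
     "Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/old-key"},
    # Live volume whose snapshot is protected by a key scheduled for deletion:
    # a crypto-shred that will destroy data you still need.
    {"SnapshotId": "snap-0005", "VolumeId": "vol-0a1b2c3d4e5f60002",
     "Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/doomed-key"},
    # Orphaned, encrypted, key still active: delete the snapshot and, if nothing
    # else uses the key, schedule the key for deletion as well.
    {"SnapshotId": "snap-0006", "VolumeId": "vol-0deadbeef0000005",
     "Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/other-key"},
]

# Constructed sample: customer-managed keys already in the deletion waiting period.
KEYS_PENDING_DELETION = {
    "arn:aws:kms:eu-west-1:111122223333:key/old-key",
    "arn:aws:kms:eu-west-1:111122223333:key/doomed-key",
}

# Placeholder VolumeId that EC2 reports for snapshots created by copying.
COPIED_SNAPSHOT_VOLUME = "vol-ffffffff"


def sweep(snapshots, live_volumes, keys_pending_deletion=frozenset()):
    """Return {snapshot_id: finding} for every snapshot that needs action.

    Snapshots whose parent volume still exists and whose key is not going
    away are treated as expected backups and are not reported.
    """
    live = {v["VolumeId"] for v in live_volumes}
    findings = {}
    for snap in snapshots:
        sid = snap["SnapshotId"]
        vol = snap.get("VolumeId")
        key_going = snap.get("KmsKeyId") in keys_pending_deletion
        if vol == COPIED_SNAPSHOT_VOLUME:
            findings[sid] = "review: copied snapshot, source volume unknown"
        elif vol not in live:
            if not snap.get("Encrypted"):
                findings[sid] = "delete now: orphaned and unencrypted"
            elif key_going:
                findings[sid] = "delete: orphaned, key deletion already scheduled"
            else:
                findings[sid] = "delete: orphaned, then schedule key deletion if unused elsewhere"
        elif key_going:
            findings[sid] = "data-loss risk: live volume's snapshot key is scheduled for deletion"
    return findings


def by_priority(findings):
    """Order findings so unencrypted orphans come first and manual reviews last."""
    rank = {"delete now": 0, "data-loss risk": 1, "delete": 2, "review": 3}
    return sorted(findings.items(), key=lambda kv: rank[kv[1].split(":")[0]])


if __name__ == "__main__":
    for sid, finding in by_priority(sweep(SNAPSHOTS, LIVE_VOLUMES, KEYS_PENDING_DELETION)):
        print(f"{sid}: {finding}")
```

The output of this sweep is itself evidence for the auditor: run it after each decommissioning, keep the report alongside the deletion confirmations, and treat a non-empty "delete now" bucket as a finding against the process, not just the resource.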
Audit the disposal process periodically. Reconcile three records against each other: every asset marked disposed in the inventory should have a certificate of destruction whose method is approved for that asset's classification, every certificate should match an inventory record, and nothing in the disposal queue should still be active in the inventory.
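The reconciliation described above, written out as an added example that is not from the original article. The three CSV extracts are constructed to mimic what an asset register, a disposal-queue log and a vendor's certificates of destruction would export; the column names and the approved-method table are assumptions to be replaced with your own policy.

```python
"""Reconcile the asset inventory, disposal queue and destruction certificates.

Added example, not from the original article. The CSV extracts below are
constructed sample data; column names and the approved-method table are
assumptions, adjust them to your own asset register and policy.
"""
import csv
import io

INVENTORY_CSV = """asset_id,status,classification
A-1001,active,confidential
A-1002,disposed,confidential
A-1003,disposed,internal
A-1004,active,restricted
A-1005,pending_disposal,confidential
A-1006,disposed,restricted
"""

DISPOSAL_LOG_CSV = """asset_id,custodian,received
A-1002,jsmith,2025-02-01
A-1003,jsmith,2025-02-01
A-1004,kwong,2025-02-03
A-1005,kwong,2025-02-03
A-1006,kwong,2025-02-03
"""

CERTIFICATES_CSV = """cert_id,asset_id,method,date
C-9001,A-1002,crypto-erase,2025-02-10
C-9002,A-1003,format,2025-02-10
C-9003,A-1099,shred,2025-02-10
"""

# Assumed policy: which destruction methods are acceptable per classification.
APPROVED_METHODS = {
    "internal": {"overwrite", "crypto-erase", "degauss", "shred"},
    "confidential": {"crypto-erase", "degauss", "shred"},
    "restricted": {"shred"},
}


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv, disposal_log_csv, certificates_csv, approved=APPROVED_METHODS):
    """Return {asset_id: [finding, ...]} for every discrepancy between the records."""
    inventory = {r["asset_id"]: r for r in _rows(inventory_csv)}
    queued = {r["asset_id"] for r in _rows(disposal_log_csv)}
    certs = {}
    for c in _rows(certificates_csv):
        certs.setdefault(c["asset_id"], []).append(c)

    findings = {}

    def flag(asset_id, msg):
        findings.setdefault(asset_id, []).append(msg)

    for asset_id, rec in inventory.items():
        status, cls = rec["status"], rec["classification"]
        if status == "disposed" and asset_id not in certs:
            flag(asset_id, "marked disposed but no certificate of destruction")
        if status == "disposed" and asset_id not in queued:
            flag(asset_id, "marked disposed but never entered the disposal queue")
        if status == "active" and asset_id in queued:
            flag(asset_id, "in disposal queue but still active in inventory")
        # A certificate only counts if the method is approved for the data class.
        for c in certs.get(asset_id, []):
            if c["method"] not in approved.get(cls, set()):
                flag(asset_id, f"certificate {c['cert_id']} used '{c['method']}', "
                               f"not approved for {cls} data")
    # Certificates or queue entries that point at nothing in the inventory mean
    # the inventory is incomplete or the vendor certified the wrong asset.
    for asset_id in certs:
        if asset_id not in inventory:
            flag(asset_id, "certificate references an asset not in inventory")
    for asset_id in queued:
        if asset_id not in inventory:
            flag(asset_id, "disposal queue entry not in inventory")
    return findings


if __name__ == "__main__":
    for asset_id, msgs in sorted(reconcile(INVENTORY_CSV, DISPOSAL_LOG_CSV, CERTIFICATES_CSV).items()):
        for msg in msgs:
            print(f"{asset_id}: {msg}")
```

Assets that are merely pending disposal produce no finding here; if you want to catch items that sit in the queue too long, add an age check on the `received` column against the custody log.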
Evidence Your Auditor Will Request
- Asset disposal and data destruction policy specifying approved methods for each media type
- Certificates of destruction for disposed assets including asset identifiers and destruction method
- Chain of custody logs for assets pending disposal
- Cloud resource decommissioning procedures and evidence of data deletion from cloud environments
- Periodic audit records verifying completeness and compliance of the disposal process
Common Mistakes
- Assets are disposed of by simply deleting files or formatting drives without proper data sanitization
- No certificates of destruction are obtained, leaving no evidence that data was properly destroyed
- Decommissioned cloud resources leave orphaned snapshots, backups, or replicas containing sensitive data
- Assets pending disposal are stored in unsecured locations without chain of custody controls
- Third-party destruction vendors are used without verification of their qualifications or methods
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| ISO 27001 | A.7.14 | Equivalent |
| ISO 27001 | A.8.10 | Related |
| NIST CSF | PR.DS-11 | Equivalent |
Frequently Asked Questions
What is the best method for destroying SSDs?
How do we handle data destruction in multi-tenant cloud environments?
Can we donate or resell old equipment?
Related Articles
- The True Cost of Compliance: DIY vs Consultant vs Platform (2026). A realistic comparison of three compliance approaches - DIY spreadsheets, hiring a consultant, or using a platform - with costs, timelines, and tradeoffs.
- ISO 27001 vs SOC 2: Which Do You Need? A clear comparison of ISO 27001 and SOC 2 - key differences, when to choose which, where they overlap, and whether you should pursue both.
- SOC 2 for Startups: When You Need It and How to Get Started. A practical guide for startup founders and CTOs on SOC 2 compliance - when it's actually required, Type 1 vs Type 2, realistic costs, and a readiness checklist.