Lesson 7.5 — Device lifecycle: decommissioning, disposal and account removal

This lesson covers the end-of-life stage of the device lifecycle — how to decommission devices cleanly, remove accounts and credentials before disposal, handle data destruction, and update the device inventory so the organisation's Cyber Essentials position remains accurate after devices leave the estate.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • describe the key steps in decommissioning a device safely
  • explain why improper disposal creates risks for Cyber Essentials and for data security generally
  • maintain an accurate device inventory that reflects the current — not the historic — device estate.

Why This Matters

The Core Rule

When a device leaves the active estate — through replacement, reuse, donation, sale, or loss — it must be decommissioned properly. This means removing accounts, revoking credentials, unenrolling from management systems, destroying data appropriately, and updating the device inventory.

A device that is decommissioned but not recorded creates an inventory discrepancy that affects the accuracy of control answers. A device that is disposed of without being properly wiped creates a data security risk.

Why decommissioning matters for Cyber Essentials

The device inventory must reflect the current state of the organisation's in-scope devices. A device that has been replaced but not removed from the inventory contributes to answers about operating systems, update status and malware protection — even though it may no longer be active or maintained.

More significantly, a device that is decommissioned but not properly wiped may retain:

The decommissioning process

A clean decommissioning process involves the following steps:

Step 1 — Identify the device and its state

Devices associated with leavers

When a staff member leaves the organisation, their devices must be handled as part of the leaver process. This involves:

  • collecting company devices;
  • revoking access to all systems and cloud services;
  • removing the person's user accounts;
  • removing administrator privileges if the person had them;
  • processing the device through the decommissioning steps above.
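
The checks below are an added example, not part of the original lesson or of any Cyber Essentials tooling. They cross-reference a device inventory against a decommissioning log and a leavers list, covering the actions in the Core Rule and the leaver process above; the record layout, field names and sample data are constructed assumptions.

```python
# Added example: audit decommissioning records against the device inventory.
# All field names and sample records below are constructed assumptions.

# The four actions named in the Core Rule; the fifth (updating the
# inventory) is checked by cross-referencing the inventory itself.
STEPS = ("accounts_removed", "credentials_revoked", "unenrolled", "data_destroyed")

INVENTORY = [  # constructed sample: current in-scope device list
    {"asset": "LT-001", "user": "asha", "status": "active"},
    {"asset": "LT-002", "user": "ben", "status": "active"},
    {"asset": "LT-003", "user": "carla", "status": "active"},
    {"asset": "PH-004", "user": "dev", "status": "active"},
]
DECOM_LOG = [  # constructed sample: one record per device leaving the estate
    {"asset": "LT-002", "accounts_removed": True, "credentials_revoked": True,
     "unenrolled": True, "data_destroyed": True},
    {"asset": "LT-009", "accounts_removed": True, "credentials_revoked": True,
     "unenrolled": True, "data_destroyed": False},
]
LEAVERS = {"carla"}  # constructed sample: staff who have left


def audit(inventory, decom_log, leavers):
    """Return sorted (asset, problem) pairs; an empty list means no gaps found."""
    findings = []
    active = {d["asset"]: d for d in inventory if d["status"] == "active"}
    for rec in decom_log:
        missing = [s for s in STEPS if not rec.get(s)]
        if missing:
            findings.append((rec["asset"], "steps not completed: " + ", ".join(missing)))
        if rec["asset"] in active:
            # Stale entry: would still feed OS/update/malware answers.
            findings.append((rec["asset"], "still listed as active in inventory"))
    logged = {r["asset"] for r in decom_log}
    for asset, dev in active.items():
        if dev["user"] in leavers and asset not in logged:
            findings.append((asset, "held by a leaver but has no decommissioning record"))
    return sorted(findings)


if __name__ == "__main__":
    for asset, problem in audit(INVENTORY, DECOM_LOG, LEAVERS):
        print(f"{asset}: {problem}")
```

Run against real exports, an empty result means every logged device has completed all four steps, no decommissioned device is still counted as active, and no leaver still holds an unprocessed device.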

Copy This

Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.

Quick Checklist

Before moving on, make sure you can answer these:

  • [ ] Why does a decommissioned device that remains in the device inventory create a problem for Cyber Essentials?
  • [ ] What is cryptographic erasure as a method of data destruction?
  • [ ] What should happen immediately when a mobile device is reported as lost or stolen?
  • [ ] Why should device decommissioning be linked to the staff leaver process?
  • [ ] What is the minimum expected outcome of a device decommissioning process before the device leaves the organisation?

Your Action

Do this now — it takes 10–20 minutes.

Check your device disposal process: how are devices wiped before being sold, donated, or discarded? Record the process in Section SC.

Key Takeaway

The decommissioning process should be linked to the leaver process for staff — device collection and account removal are two parts of the same event.

Your Workbook Activity

Complete: Device decommissioning log and disposal record

Next Lesson

In the next lesson: Malware protection: choosing the right protection method for your organisation