The process of safely retiring IT equipment at the end of its useful life. ITAD covers data destruction, device refurbishment, resale, and compliant disposal, ensuring retired assets don't become a security or regulatory liability.
What ITAD Actually Means
When a device reaches the end of its life, the work is not over. IT Asset Disposition is the set of processes that handle what happens next: wiping data, assessing whether the device can be reused, refurbishing or reselling it, and disposing of what cannot be recovered.
Every step creates potential risk if done wrong. A drive that was not properly wiped. A device sold on a secondary market with company data still on it. An old server dropped in a skip instead of cycled through a certified recycler. These are not theoretical scenarios. A study found that 42% of used drives sold on secondary markets contained recoverable sensitive data. Morgan Stanley paid $35 million to the SEC after improperly disposing of servers holding customer information.
ITAD is where IT operations meet legal compliance. Organizations subject to GDPR, HIPAA, SOC 2, or ISO 27001 need documented, auditable proof that retired assets were handled correctly.
The ITAD Process
IT asset disposition typically runs through five stages.
- Collection: retrieving devices from employees, including remote workers who may be in other countries.
- Inventory and assessment: cataloguing each asset, checking condition, and deciding whether to reuse, resell, donate, or destroy.
- Data destruction: wiping or physically destroying storage media to certified standards.
- Refurbishment or remarketing: restoring usable devices for resale.
- Environmental disposal: recycling components through certified e-waste vendors, with documentation.
The logistics of collection from distributed teams is where the process most often breaks down. An employee in another country returning a device needs a clear, prepaid return path otherwise the device disappears into a drawer and becomes a ghost asset.
Data Destruction Standards
Not all wiping is equal. Formatting a drive does not erase data; it removes the file index. The actual data stays until something overwrites it. Proper erasure follows certified standards: NIST 800-88, which covers logical overwrite (clear) and more intensive purge methods. DoD 5220.22-M specifies multi-pass overwriting. For physically damaged or end-of-life drives, shredding or degaussing destroys the media itself.
SSDs require special attention. Their wear-leveling algorithms can redirect writes to locations an erasure tool does not know to target, making overwrite-based methods less reliable than on spinning hard drives. NIST 800-88 provides guidance specific to solid-state media.
The endpoint of any compliant ITAD process is a certificate of destruction: a document recording which device was erased, when, by what method, to what standard, and by whom.
ITAD and the Device Lifecycle
Disposition is the final stage of the device lifecycle, not an afterthought. Organizations with accurate asset records know exactly what they have, where it is, and when it is scheduled for retirement, which makes disposition faster and cheaper. The device that has been tracked from procurement through every reassignment has a clear record at retirement. The device that was informally passed between employees and never updated in the ITAM system creates uncertainty about what data it holds and who last used it.
E-Waste and Sustainability
The UN Global E-waste Monitor reported 62 million tonnes of e-waste generated in 2022, rising five times faster than documented recycling, with only 22.3% properly collected. For organizations with ESG commitments, ITAD partners need to be certified e-waste recyclers. The EU's Corporate Sustainability Reporting Directive and incoming Digital Product Passports are making device reuse rates and recycling documentation compliance requirements rather than voluntary initiatives.