01 / WHY A CHECKLIST
The project that gets delegated to whoever is nearest the loading dock
Decommissioning is the rare IT project where the physical work is trivial and the evidentiary work is everything. Racks unbolt. Trucks load. What's hard is being able to show, a year later, exactly which serialized devices left, what happened to each one's data, and who had custody at every hop. When that record doesn't exist, the organization doesn't find out during the project — it finds out when a regulator, an assessor, or a buyer of second-hand equipment asks.
The canonical example is Morgan Stanley, which retained a moving and storage company with no data-destruction experience for a 2016 data-center decommission — and ultimately paid more than $160 million across an OCC penalty, an SEC penalty, a class-action settlement, and a multistate agreement after devices with unwiped customer data were resold at auction. We walk that case, and two others, in the ITAD breach case files. Every phase below exists because one of those failures happened to someone.
02 / PHASE 1
Before anything moves: inventory, reconciliation, stakeholders
- Build the authoritative inventory. Every asset in scope, by serial number and asset tag: servers, storage arrays, network gear, PDUs, appliances, spares shelves, and the drawer of loose drives that every facility has. Reconcile it against the CMDB or ITAM system now — a ghost asset discovered mid-project is a custody gap waiting to happen.
- Identify every data-bearing component. Not just the storage tier. Server BMCs and RAID controllers hold configuration and cached data; switches and firewalls hold configs and credentials; tape libraries hold tapes; SAN controllers hold cache modules.
- Name the stakeholders and the sign-offs. Security (sanitization standards), compliance/legal (retention holds — confirm nothing in scope is under legal hold before it's destroyed), finance (book value, disposal accounting), the application owners (dependency sign-off), and facilities/landlord (access, freight elevators, floor protection).
- Decide the disposition path per asset class. Redeploy, remarket, or destroy — decided now, because it determines the sanitization method later. Recent-generation enterprise gear often carries real value recovery; five-generation-old drives do not.
03 / PHASE 2
Map the data, pick the method — per media type
With the inventory fixed, classify what's on it and choose a NIST 800-88 method per media type and sensitivity: Clear, Purge, or Destroy. Two decisions dominate this phase:
- On-site vs. at-facility sanitization. Sanitizing or shredding before media leaves the building removes transport risk entirely — the defensible default for regulated data and anything under CMMC or ITAR scope. Facility-based destruction is fine when custody is unbroken and documented: sealed and serialized containers, tracked transport, and processing at a certified facility.
- Working media vs. failed media. Firmware-based Purge techniques require a drive that responds to commands. Failed, degraded, or unresponsive drives can't be verified — they route to physical destruction, and the checklist should say so in advance rather than leaving it to a technician's judgment at hour eleven.
Encryption deserves one honest sentence in your plan: full-disk encryption helps only if it was actually enabled, with keys managed, for the data's entire life on the media. Assuming it was on is how encrypted-in-theory becomes readable-in-practice.
04 / PHASE 3
Decommission logically before physically
The step order exists to prevent both outage tickets and orphaned data:
- Dependency check and final sign-off. Confirm workloads are migrated, DNS entries retired, monitoring silenced, and no system still calls anything in scope. The application owner signs.
- Backups and replicas. Decide the fate of backup sets, snapshots, and DR replicas tied to the retiring systems — data destroyed on the primary but alive on a replica isn't destroyed.
- Licenses and support contracts. Harvest transferable licenses; terminate maintenance contracts and support entitlements so the organization stops paying for hardware it no longer owns.
- Credentials and remote management. Clear BMC/iLO/iDRAC configurations and stored credentials; release the assets from any management platform that would otherwise flag them — or lock them — after they leave. (Our companion piece on locked devices in ITAD covers why this step decides resale value.)
- Records to retention. Export final configs and the retirement entries into the ITAM system — the inventory's “retired” state is what future audits sample against.
05 / PHASE 4
De-installation and the unbroken chain
Physical day is where documentation either keeps pace or never catches up:
- Serial-verified removal. Each asset scanned or logged against the Phase-1 inventory as it comes off the rack — discrepancies resolved on the spot, not at the dock.
- Media segregation. If drives are pulled for separate destruction, each drive's serial maps to its source chassis in the record.
- Sealed, serialized transport. Locked containers or shrink-wrapped, banded pallets with numbered seals; a signed chain-of-custody document at every handoff — dock, truck, receiving. (The Vault's chain-of-custody log is a ready template.)
- Qualified hands only. The crew touching data-bearing assets should be the ITAD provider's vetted staff under its audited process — not a general-purpose mover. That single sourcing decision is the entire Morgan Stanley lesson.
- Site closeout. Cable mining, rack removal if contracted, floor and pathway condition documented for the landlord.
06 / PHASE 5
Closeout: the records that make it defensible
The project ends when the paper reconciles, not when the trucks leave:
- Serialized certificates of sanitization and destruction, naming the NIST 800-88 method (and technique) per device — reconciled line-by-line against the Phase-1 inventory. Zero unexplained serials is the standard.
- Settlement and value recovery reporting for remarketed assets — what sold, for what, with revenue share documented.
- Downstream documentation. The processor's certifications (R2v3, NAID AAA) and, for recycled material, certificates of recycling covering final disposition.
- Sustainability reporting where your ESG program wants it — diverted weight and reuse figures feed Scope 3 reporting.
- The closeout file. Inventory, custody chain, certificates, settlement, and sign-offs in one archive, retained per your policy. This file is the deliverable; the empty room is a side effect.
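The line-by-line reconciliation described above can be checked mechanically. The following is an added example, not part of the original checklist or the Vault template: it compares a Phase-1 inventory of data-bearing devices against certificates and custody records and reports every gap. The record fields (responsive, disposition, onsite, hop, signed_by) and all sample serials are assumptions constructed for illustration.

```python
NIST_METHODS = {"Clear", "Purge", "Destroy"}    # NIST 800-88 methods named in Phase 2
REQUIRED_HOPS = {"dock", "truck", "receiving"}  # handoffs listed in Phase 4

def reconcile(inventory, certificates, custody):
    """Return sorted (serial, finding) pairs; an empty list means the paper reconciles."""
    inv = {a["serial"]: a for a in inventory}
    certs = {c["serial"]: c for c in certificates}
    signed = {}  # serial -> set of hops that carry a signature
    for e in custody:
        if e.get("signed_by"):
            signed.setdefault(e["serial"], set()).add(e["hop"])
    # Certificates for serials nobody inventoried are as unexplained as missing ones.
    findings = [(s, "certificate for serial not in Phase-1 inventory")
                for s in certs.keys() - inv.keys()]
    for serial, a in inv.items():
        c = certs.get(serial)
        if c is None:
            findings.append((serial, "no certificate"))
            continue
        if c["method"] not in NIST_METHODS:
            findings.append((serial, "certificate names no NIST 800-88 method"))
        if not a["responsive"] and c["method"] != "Destroy":
            findings.append((serial, "failed media not routed to Destroy"))
        if a["disposition"] == "remarket" and c["method"] == "Clear":
            findings.append((serial, "remarketed below Purge"))
        # Media sanitized on-site never travels, so no transport hops are required.
        missing = set() if c["onsite"] else REQUIRED_HOPS - signed.get(serial, set())
        if missing:
            findings.append((serial, "unsigned handoff: " + ",".join(sorted(missing))))
    return sorted(findings)

# Constructed sample records (assumed field names, not real serials)
INVENTORY = [
    {"serial": "SAMPLE-0001", "responsive": True, "disposition": "remarket"},
    {"serial": "SAMPLE-0002", "responsive": False, "disposition": "destroy"},
    {"serial": "SAMPLE-0003", "responsive": True, "disposition": "remarket"},
    {"serial": "SAMPLE-0004", "responsive": True, "disposition": "destroy"},
]
CERTIFICATES = [
    {"serial": "SAMPLE-0001", "method": "Purge", "onsite": True},
    {"serial": "SAMPLE-0002", "method": "Purge", "onsite": True},
    {"serial": "SAMPLE-0003", "method": "Clear", "onsite": False},
    {"serial": "SAMPLE-9999", "method": "Destroy", "onsite": True},
]
CUSTODY = [
    {"serial": "SAMPLE-0003", "hop": "dock", "signed_by": "tech-a"},
    {"serial": "SAMPLE-0003", "hop": "truck", "signed_by": "driver-b"},
    {"serial": "SAMPLE-0003", "hop": "receiving", "signed_by": ""},
]
if __name__ == "__main__":
    print(*reconcile(INVENTORY, CERTIFICATES, CUSTODY), sep="\n")
```

An empty result is the "zero unexplained serials" condition; anything else is a line item to resolve before the closeout file is archived.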
The whole sequence, as a printable working document, is in the Vault: the decommissioning checklist template.
Decommissioning FAQ
Sanitize on-site or at the facility?
Treat it as a risk decision per data class. On-site work removes transport risk entirely — the defensible default for regulated data and CMMC/ITAR scope. Facility destruction at a certified processor is acceptable when custody is unbroken and documented: serialized sealed containers, tracked transport, audited processing. Many projects mix both.
What counts as data-bearing besides the drives?
More than the storage tier. BMCs (iLO/iDRAC) and RAID controllers store configs, credentials, and cached data; network gear holds configs and secrets; SAN/NAS controllers contain cache modules; tape libraries contain tapes; appliances carry embedded flash. Inventory every component that could hold data, not just drive bays.
Is reselling decommissioned servers safe?
Yes, when the process is right — and recent-generation gear can meaningfully offset project cost. Safe remarketing means verified Purge-level sanitization per drive (or destruction and replacement), cleared BMC/controller configs, release from management platforms, and serialized certificates before anything sells. The risk isn't resale — it's resale without verified sanitization.
How long do we keep the closeout records?
Follow your retention policy and the strictest regulation touching the data that was on the gear — audits and breach lookbacks reach years past the hardware. Practical rule: keep the closeout file at least as long as you'd need to answer a regulator about any device in it, and make retention compliance's call, not IT's.
What happens to backup tapes in a decommission?
Tapes are media and get a line in the same inventory. Sets staying in service transfer custody formally; sets leaving service are sanitized or destroyed — degaussing works on tape (it's magnetic), and destruction is common at end of life. The trap is scope: offsite-vaulted tapes tied to retiring systems are easy to forget and hold exactly the same data.