Decommissioning a server room or a data hall is the rare project where the physical work is easy and the evidence is everything. Racks unbolt and trucks load — what's hard is proving, a year later, exactly which serialized devices left and what happened to each one's data.
The sequence that makes it defensible: build the serialized inventory before anything moves, and reconcile it against your asset system. Map the data and pick a NIST 800-88 method per media type — with on-site destruction for the sensitive tier if transport risk is unacceptable. Then sealed containers, numbered seals, and a signed chain of custody at every handoff.
Skip those steps and you're gambling at institutional scale. Morgan Stanley's decommissioning failures — a moving company with no data-destruction experience, devices resold with customer data aboard — cost more than $160 million across regulators and settlements, all of it public record. The close-out standard is simple to say: zero unexplained serials, and certificates that reconcile to the inventory you started with.
The complete phase-by-phase checklist covers inventory, sanitization decisions, custody, and the closeout records — with a downloadable working copy.