Launched in 2010, the Asset Disposal and Information Security Alliance (ADISA) Certification is a UK-based independent certification body that specialises in building assurance for data protection, data sanitisation, and quality management. Approved under the UK GDPR and accredited by the United Kingdom Accreditation Service (UKAS) against ISO/IEC 17065, the ADISA Group comprises ADISA Certification and the ADISA Research Centre (ARC). The ARC focuses on improving data sanitisation practices, including secure data erasure, to prevent data leakage and unauthorised access.
Importance of ADISA Certification for ITADs
ADISA uses sophisticated data recovery techniques to test whether data can be retrieved from a sanitised product. The tests ADISA uses to verify a product's claims simulate an actual attack, and the attacks grow in intensity as the test levels progress. The product is scored on the ADISA Assurance Level (AAL) model, which runs from 1 (Unknown) to 6 (Assured); the score reflects how well the product lives up to its claims, and the product is awarded the corresponding certification.
ADISA assesses the data sanitisation effectiveness of products against industry standards such as NIST SP 800-88 Rev. 1 and IEEE 2883. The data erasure guidelines issued by these bodies specify the method to be used to wipe a particular device type, ranging from overwriting techniques to physical destruction methods such as shredding and degaussing. ADISA certification is available for both hardware and software products that perform data sanitisation; software products are tested under the ADISA Product Claims Test (PCT). ADISA also runs a Product Assurance certification scheme that tests against both the NIST and IEEE standards.
In addition, the ADISA Research Centre (ARC) in the UK is the first testing lab to have verified sanitisation on smartwatches, embedded storage, SSDs (2012), and compliance with IEEE sanitisation.
ADISA certification schemes approved by the UK's Information Commissioner's Office (ICO) are important for ITADs dealing with ICT asset recovery, and for software vendors developing data sanitisation tools, because they offer the following advantages:
- Trust and Credibility: ADISA certification offers third-party validation of the data sanitisation software used by ITADs, confirming that data is erased securely and cannot be retrieved even in a laboratory setting. This helps clients trust the ITAD provider, especially in regulated industries such as healthcare, finance, and government. Further, being certified to the ADISA ICT Asset Recovery Standard 8.0 boosts a company's credibility with respect to the data security practices it follows during IT asset disposal and recycling.
- Compliance with Data Protection Laws: Laws and regulations around the world are demanding, and data security has become a legal necessity. Certifications under the ADISA ICT Asset Recovery Standard 8.0, the PCT, and the Product Assurance Test (PA) validate that businesses are following secure data erasure practices.
- Competitive Edge: ADISA certifications can be a strong competitive differentiator for a business performing data sanitisation services or for a software vendor such as BitRaser. Because these certifications verify the data security protocols a business adheres to, customers are more likely to engage the services of a company certified by an independent and globally recognised body like ADISA. Likewise, they gain confidence in using ADISA-certified data erasure products.
Certifications by ADISA
Under the supervision of data sanitisation expert Dr. Philip Turner, the ARC runs several of the product certification schemes offered by ADISA. By verifying compliance with NIST SP 800-88 Rev. 1 and ISO/IEC 21964, these certifications serve as third-party evidence that a product's claims are justified. The certification schemes for products and services are described below.
ADISA Product Certification Schemes: ADISA has designed three product certification schemes, namely the Certified Product Claims Test (PCT), Certified Product Assurance (PA), and Certified Software Sanitisation Vendor (SSV), which provide varying levels of assurance for businesses using a data sanitisation tool.
- ADISA Product Claims Test: By conducting rigorous threat-based level 1 or level 2 tests, the ADISA PCT validates a manufacturer's claims that its data sanitisation product renders data unrecoverable on various types of storage media. The simulated attacks range from a casual threat using an open-source forensic tool to a sophisticated state-sponsored attack involving proprietary hardware and software. Vendors such as BitRaser whose products pass the testing regime are awarded certification at an ADISA Assurance Level (AAL) of 3 or 4 (Trusted).
- Certified Product Assurance (PA): Under the NIST and IEEE guidelines, the sanitisation method varies with the storage media type and interface. The ADISA PA scheme verifies the erasure process by performing 13 tests on a specific product version for compliance with NIST SP 800-88 and IEEE 2883. Additionally, a level 2 test is performed on a 15% sample of media and interfaces to ensure that the data is unrecoverable after the software has completed its run. The supported media types include SSDs (ATA/SATA, SCSI/SAS) and HDDs (ATA/SATA and PATA, SCSI/SAS).
- Certified Software Sanitisation Vendor (SSV): By replicating a real-world environment and introducing variables throughout the certification process, the ARC performs level 2 tests to verify that a software vendor is able to comply with NIST SP 800-88 and IEEE 2883. Passing this ADISA certification scheme guarantees an AAL of 6 (Assured).
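The PA scheme described above relies on reading storage back after the erasure tool has finished and confirming that nothing recoverable remains, on a sample of the media. The following Python is an added illustration of that kind of read-back verification; it is not ADISA's test procedure and not BitRaser's code. The disk images, the marker string standing in for sensitive records, the 512-byte sector size and the 15% sampling fraction are constructed or assumed here. It also shows the caveat a practitioner should keep in mind: a sampled check can miss a single unerased sector that a full read-back would catch, which is why sampling is a spot check rather than a substitute for full verification.

```python
import math
import random

SECTOR_SIZE = 512  # assumed sector size for the constructed images

def build_test_images(n_sectors=1000, marker=b"CONSTRUCTED-PII-RECORD-0001"):
    """Construct a 'before' image full of pseudo-random data with a recognisable
    marker planted in a few sectors, and an 'after' image that has been fully
    overwritten with zeros. Both are constructed sample data, not real drives."""
    rng = random.Random(1)
    before = bytearray()
    for _ in range(n_sectors):
        before += rng.randbytes(SECTOR_SIZE)
    for s in (3, 250, 999):                      # plant the marker in three sectors
        off = s * SECTOR_SIZE
        before[off:off + len(marker)] = marker
    after = bytes(n_sectors * SECTOR_SIZE)       # all-zero image: successful overwrite
    return bytes(before), after

def simulate_partial_erase(before, after, leftover_sectors):
    """Build an image where the overwrite silently skipped some sectors (a
    constructed failure mode, e.g. a remapped or unreachable sector)."""
    img = bytearray(after)
    for s in leftover_sectors:
        off = s * SECTOR_SIZE
        img[off:off + SECTOR_SIZE] = before[off:off + SECTOR_SIZE]
    return bytes(img)

def sample_sectors(n_sectors, fraction, seed=0):
    """Deterministic random sample of sector indices covering `fraction` of the media."""
    k = max(1, math.ceil(n_sectors * fraction))
    return sorted(random.Random(seed).sample(range(n_sectors), k))

def verify_image(image, expected_byte=0x00, fraction=None, residue=()):
    """Read sectors back and check each one against the expected overwrite pattern.
    fraction=None checks every sector (full verification); otherwise only a sample.
    `residue` is a list of byte strings that must not appear anywhere checked."""
    n_sectors = len(image) // SECTOR_SIZE
    indices = range(n_sectors) if fraction is None else sample_sectors(n_sectors, fraction)
    expected = bytes([expected_byte]) * SECTOR_SIZE
    failed, hits = [], []
    for s in indices:
        chunk = image[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE]
        if chunk != expected:
            failed.append(s)
        for marker in residue:
            if marker in chunk:
                hits.append((s, marker))
    return {
        "checked": len(indices),
        "total": n_sectors,
        "failed_sectors": failed,
        "residue_hits": hits,
        "passed": not failed and not hits,
    }

if __name__ == "__main__":
    marker = b"CONSTRUCTED-PII-RECORD-0001"
    before, after = build_test_images(marker=marker)
    print("before erase, full scan:", verify_image(before, residue=[marker])["passed"])
    print("after erase, full scan: ", verify_image(after, residue=[marker])["passed"])
    partial = simulate_partial_erase(before, after, leftover_sectors=[700])
    print("partial erase, 15% sample:", verify_image(partial, fraction=0.15)["failed_sectors"])
    print("partial erase, full scan: ", verify_image(partial)["failed_sectors"])
```

The full scan over the partially erased image always reports sector 700, while the 15% sample reports it only if that sector happens to fall in the sample; in a real verification the sampled sectors should be recorded in the report so that an auditor can see what was and was not checked.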
ADISA Service Certification Schemes: The ADISA service certification schemes, LOCS:23 and the ICT Asset Recovery Standard 8.0, recognise service providers that offer asset disposal and data sanitisation services, ensuring that they adhere to the highest standards of data security in an environmentally responsible manner. Through audits and continuous assessment, ADISA verifies that service providers follow best practices in accordance with the UK GDPR, safeguarding the personal data of data subjects.
- LOCS:23 Certification: Approved by the Information Commissioner's Office (ICO) in February 2024, the Legal Services Operational Privacy Certification Scheme (LOCS:23) helps safeguard the personal data of clients and other involved parties by implementing an auditable data protection standard within the organisation. It is an approved certification under Article 42 of the UK GDPR and covers data controllers including law firms, barristers, solicitors, and in-house counsel. It also applies to data processors, such as software providers offering document management, solution providers offering translation services, and consultants (implementers).
- ICT Asset Recovery Standard 8.0: The Information Communication Technology (ICT) Asset Recovery Standard 8.0 exists in three versions, for the UK, Europe, and the Rest of the World (ROW). This certification helps in assessing the risks to the privacy and rights of data subjects and in mitigating those risks to protect their personal data. It applies to service providers in IT reuse, recycling, and refurbishment that have passed validation assessments of their secure data sanitisation practices, responsible e-waste management, and the other requirements ADISA lays down for ICT asset recovery companies. Certified companies must undergo two surveillance audits each year; each results in a pass or fail that is recorded in the certification report. The audits cover parameters such as the reuse and destruction of equipment and drives.
Conclusion
Certifications granted by an independent body such as ADISA assure businesses that products and services live up to their claims. In turn, certified businesses can maintain the quality of their products and services, comply with data protection laws such as the EU GDPR and the UK DPA, gain a competitive edge over companies that lack certification, and earn customer loyalty.
BitRaser Drive Eraser and BitRaser Mobile Eraser, developed by Stellar, are ADISA-certified erasure software products that wipe data permanently from drives, including hidden areas such as the Host Protected Area (HPA) and Device Configuration Overlay (DCO), and automatically generate and sync detailed reports and certificates of destruction that support audit trails. Businesses and ITADs can use such certified erasure software to demonstrate their commitment to data protection and data sanitisation.