You manage thousands of assets, tight timelines, and strict audits. The wrong IT Asset Disposition provider can expose data, stall audits, or lose recovery value. Use this guide to spot seven common mistakes and apply a simple fix for each. Every fix aligns with work you can document with an R2v3 certified provider.
Undefined data sanitization specs
The mistake
Teams hand off mixed media without a written sanitization method. Field staff may run a basic wipe on some drives and shred others with no proof. Auditors will ask which method was applied to which serial, and no record exists.
Why it matters
Data exposure risk, audit delays, and rework. Insurance claims can fail without precise controls.
How to avoid it
Set a control plan before pickup. Specify NIST SP 800-88 methods by asset class: Clear for SSDs that pass verification, Purge or physical destruction for those that fail. Require that certificates be serialized per unit and delivered within 48 hours of receipt. Align the scope with your provider’s Data Destruction SOP and the R2v3 data requirements. Link the certificates to your CMDB record.
Measure it
Certificate turnaround within 48 hours. Verification sample rate documented, for example, 5 percent per batch. Zero unmatched serials.
Weak chain of custody
The mistake
Devices leave the site on open pallets or mixed with other clients’ material. No tamper evidence. No scans at handoff. The manifest is a spreadsheet, not a serial log.
Why it matters
You cannot prove custody. A missing device becomes a data incident.
How to avoid it
Adopt serialized custody from the point of collection. Use sealed bins or pallet wraps with tamper-evident IDs. Scan each unit or container at every handoff: dock, truck, and facility intake. Require GPS-tracked transport and signed transfer records. Store all documents in a central folder.
Measure it
Serial match rate at 99 percent or higher. Zero unscanned handoffs. Photo evidence at pickup and intake.
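One way to automate the "Measure it" checks for sanitization certificates and chain of custody, added here as an example (not code from this guide or any provider's tooling): it reconciles a pickup manifest against handoff scans and per-serial certificates. The record layouts, checkpoint and method labels, and the sample serials are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

CHECKPOINTS = ("dock", "truck", "intake")   # handoffs named in the guide (labels assumed)
METHODS = {"Clear", "Purge", "Destroy"}     # NIST SP 800-88 categories (labels assumed)
CERT_SLA = timedelta(hours=48)              # certificate due within 48 h of receipt

def reconcile(manifest, scans, certs):
    """manifest: set of serials collected at pickup; scans: iterable of
    (serial, checkpoint, time); certs: {serial: (method, issued_time)}."""
    seen = {}                               # serial -> {checkpoint: scan time}
    for serial, checkpoint, when in scans:
        seen.setdefault(serial, {})[checkpoint] = when
    out = {"unscanned": [], "no_certificate": [], "late_certificate": [],
           "bad_method": []}
    for serial in sorted(manifest):
        missing = [c for c in CHECKPOINTS if c not in seen.get(serial, {})]
        if missing:
            out["unscanned"].append((serial, missing))
        if serial not in certs:
            out["no_certificate"].append(serial)
            continue
        method, issued = certs[serial]
        if method not in METHODS:
            out["bad_method"].append(serial)
        received = seen.get(serial, {}).get("intake")
        if received is not None and issued - received > CERT_SLA:
            out["late_certificate"].append(serial)
    # Serials scanned or certified downstream that were never on the manifest
    out["unknown_serial"] = sorted((set(seen) | set(certs)) - set(manifest))
    at_intake = sum(1 for s in manifest if "intake" in seen.get(s, {}))
    out["match_rate"] = at_intake / len(manifest) if manifest else 1.0
    return out

def sample():
    """Constructed data: four units picked up, one stray serial at intake."""
    t0 = datetime(2024, 3, 4, 9, 0)
    hours = lambda h: t0 + timedelta(hours=h)
    scans = [(s, c, hours(h)) for s in ("SN001", "SN002", "SN003")
             for c, h in zip(CHECKPOINTS, (0, 1, 6))]
    scans += [("SN004", "dock", hours(0)), ("SN004", "truck", hours(1)),
              ("SN999", "intake", hours(6))]
    certs = {"SN001": ("Purge", hours(30)),   # 24 h after intake: on time
             "SN002": ("Clear", hours(60)),   # 54 h after intake: late
             "SN003": ("Wipe", hours(20))}    # method not an 800-88 category
    return {"SN001", "SN002", "SN003", "SN004"}, scans, certs

if __name__ == "__main__":
    for check, result in reconcile(*sample()).items():
        print(f"{check}: {result}")
```

Run per lot against the manifest, scan log and certificate exports; the guide's targets correspond to empty finding lists and a match rate of 0.99 or higher.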

Incomplete asset inventory
The mistake
Teams schedule a pickup with rough counts. Hidden drives, peripheral media, and network gear get missed. The scope expands on-site, and the quote no longer fits.
Why it matters
Budget variance and longer timelines. Missed media can bypass sanitization.
How to avoid it
Run a quick discovery before you book transport. Use a one-page checklist that covers device types, attached media, racks, and access limits. Confirm power and safety controls, including lockout/tagout per OSHA 1910.147. Attach photos. Share the package with your provider.
Measure it
Variance between estimated and actual units under 10 percent. No uncovered media found post-pickup.
“Recycle first” habits that erase recovery value
The mistake
Everything goes straight to the shredder. Working units that pass testing and can be reused are destroyed.
Why it matters
You lose remarketing revenue and raise disposal costs. ESG reporting suffers because reuse is the highest form of circularity.
How to avoid it
Test first, recycle second. Direct your provider to triage by serial and condition. Working devices go to remarketing. Non-working units, and units that fail data sanitization, are sent for certified recycling. Set floor prices or a share model you can audit. Report recovery value by lot and month.
Measure it
Percent of assets reused versus recycled. Recovery dollars returned against the original device value, targeting a defined band based on your mix.
No downstream due diligence
The mistake
You accept a vendor’s green logo without proof. You do not review downstreams for focus materials. You assume international shipments are fine.
Why it matters
You own the outcome. Improper downstreams create compliance risk.
How to avoid it
Verify R2v3 certification and current scope. Request the downstream due diligence summary that maps outbound flows for batteries, displays, and other focus materials. Confirm export controls. Keep evidence on file. Review annually. Learn what R2v3 requires at the SERI R2v3 Standard.
Measure it
Downstream documentation on file for each focus stream. Annual review logged.
Missing SLAs and weak communication
The mistake
Projects run without defined response times or reporting windows. Issues get discovered late.
Why it matters
Schedules slip. Audits stall. Stakeholders lose trust.
How to avoid it
Write the SLAs into your SOW. For example: pickup response within 5 business days; intake confirmation, same day; certificate delivery within 48 hours; final reporting within 10 business days. Hold a weekly status call with a risk-and-action log. Store updates with the job record. See our approach to SLAs within IT Asset Disposition Services.
Measure it
SLA hit rate at or above 95 percent. Aging tickets under a set threshold.
Gaps in security, safety, and insurance
The mistake
No site access protocol for vendor staff. No daily safety brief. No proof of insurance beyond a COI from years ago.
Why it matters
You raise physical and financial risk.
How to avoid it
Adopt a simple control set. Require background-checked staff, documented training, and a daily safety brief. Validate insurance limits and endorsements that cover cyber, environmental, and general liability. Confirm alignment of information security and log each proof with renewal dates.
Measure it
Zero recordable incidents. Current COIs on file. Access logs are complete.
How to put this into action this quarter
- Complete a discovery plan and use a decommissioning checklist.
- Document your data sanitization plan. Map NIST 800-88 methods to each device class.
- Update SLAs and change control in your SOW.
- Confirm R2v3 scope, downstreams, and insurance with your provider. Review R2v3 and Certifications.
- Shift to test-first workflows to unlock reuse. Coordinate with remarketing.
- Launch a custody audit on your next pickup. Compare serials at each handoff.
- Centralize artifacts, photos, manifests, certificates, and recovery statements in one folder tied to your CMDB.
If you want help configuring these controls, contact us.
Example controls you can copy into your SOW
Data sanitization
All devices receive NIST SP 800-88 methods aligned to the device class. Verification at a 5 percent sample rate per lot. Certificates are delivered within 48 hours of intake.
Chain of custody
Serialized custody from pickup to intake. Tamper-evident seals on containers. Scans at the dock, truck, and facility. GPS on all long-haul vehicles. Photo evidence at pickup and intake.
Reuse before recycle
Functional devices are tested and cleared for reuse. Devices that are non-functional or fail sanitization are processed for certified recycling with documented downstreams.
Reporting
Intake confirmation, same day. Daily status during active projects. Final report within 10 business days with inventory, certificates, downstream summary, and recovery value.
Insurance and compliance
Current R2v3, NAID, ISO 14001, and RIOS. COIs provided with required endorsements.
FAQs
What is the quickest way to prove data was destroyed?
Require serialized certificates that map each device to the method used: Clear, Purge, or physical destruction per NIST SP 800-88. Set a 48-hour delivery SLA. Store certificates with the job record.
Does R2v3 certification guarantee secure data handling?
R2v3 sets strong requirements for data handling and downstream controls. You still need to confirm scope, methods, and SLAs. Ask for current certificates and a summary of downstreams.
How do we maintain the chain of custody during transport?
Use tamper-evident containers, serial scans at each handoff, GPS-tracked trucks, and signed manifests. Your provider should share photos from pickup and intake. Review our Chain of Custody and Reporting.
Can we recover value without raising risk?
Yes. Test first. Send passing devices to remarketing. Apply NIST-aligned sanitization and transparent reporting. Recycle only units that fail testing or sanitization.
What should our SLAs include?
Pickup response, intake confirmation, certificate delivery, and final report windows. Example: pickup within five business days, intake same day, certificates within 48 hours, final report within 10 business days.
How often should we review downstream partners?
At least once per year or after a significant change. Keep written evidence of due diligence on file. Confirm compliance with R2v3 for batteries, displays, and other focus materials.