KGS Logo type

Business

KGS Pte Ltd

©2026 KGS Pte Ltd. All Rights Reserved.

BlogResources

Disposing of old computers? Here’s what KGS’s ISO 27001 certification means for your company

Andrew TayPublished: 03 Jul 2026Last updated: 06 Jul 2026
Disposing of old computers? Here’s what KGS’s ISO 27001 certification means for your company

Last updated: 3 July 2026 · Written by the KGS team. KGS is an NEA-licensed e-waste recycler, founded in Singapore in 2016.

KGS is certified to ISO/IEC 27001:2022, the leading international standard for information security. In plain terms: an independent auditor has inspected how we protect the data on the equipment you send us for disposal, confirmed it meets the standard, and will keep coming back to check. If you’re the person tasked with finding a company to take away your office’s old laptops, servers or hard drives, here is why that matters to you.

The problem: your old computers remember everything

Pressing “delete” does not actually remove files from a computer. It only removes the signpost pointing to them; the files themselves sit on the drive until someone destroys it properly, and free software can recover them. This is not a rare mishap. Researchers at the University of Hertfordshire bought 200 second-hand hard drives and found 59% still held the previous owner’s files: payroll records, passport scans, bank statements. Most sellers had tried to erase the drives. They just hadn’t done it properly.

For a company, the stakes are higher than embarrassment. Under Singapore’s Personal Data Protection Act (PDPA), your company stays responsible for personal data even after you hand equipment to a vendor. If data leaks because a disposal contractor was careless, the regulator comes to you. Since October 2022, fines can reach 10% of your annual Singapore turnover for larger companies, or S$1 million. And IBM’s 2025 report puts the average cost of a data breach at US$4.44 million worldwide.

So the real question when choosing a disposal vendor is not “who can take these boxes away?” It is “who can prove the data on them will be destroyed?”

What is ISO 27001, in plain English?

ISO 27001 is an international standard for how an organisation protects information, covering its people, its processes, its buildings and its record-keeping. To become certified, a company cannot simply declare itself secure. An independent certification body sends auditors to inspect how things actually work, and only issues a certificate if the standard is met. The auditors then return every year, and the certificate can be withdrawn if standards slip.

Think of it like a kitchen hygiene grade for a restaurant. Any restaurant can say its kitchen is clean. The grade on the wall means an inspector has been inside and confirmed it, and will be back.

What the certificate covers

Here is what each part means for you:

What the certificate saysWhat it means when you use KGS
Physical data destructionThe way we destroy hard drives and other data-bearing devices, degaussing (a powerful magnetic wipe), crushing and shredding at our Tuas facility. It is checked by independent auditors to ensure compliance.

What this changes when you hand over your equipment

The question you’d want to askKGS
How do I know your security claims are true?An independent auditor has verified them, and re-checks every year
Who handles my equipment, and are they vetted?Staff vetting and training are part of the audited system
What happens if something goes wrong?Incident response is a required part of the standard
Will standards slip next year?The certificate lapses if they do

A vendor without the certificate is not automatically careless. But without it, checking their security becomes your homework, and under the PDPA, the consequences of getting it wrong are yours too.

The honest fine print

A little honesty, because it builds better decisions than marketing does. ISO 27001 certifies our overall system, not each individual hard drive, so for every job, you should still receive a Certificate of Destruction listing what was destroyed, which KGS issues as standard. The certification also doesn’t shift your PDPA responsibility onto us; no vendor arrangement can do that. What it does is give you strong, independently verified evidence that you chose your vendor carefully, which is exactly what you’d want on file if anyone ever asks.

A simple checklist for choosing any disposal vendor

Ask for their NEA licence. In Singapore, e-waste collection and treatment requires one. No licence, no deal.

Ask to see the ISO 27001 certificate itself, not a logo on a website. Check the dates are current.

Read the scope line. It should mention data destruction or disposal operations, not just office IT.

Verify it. Look the company up on IAF CertSearch, a free global register, or ask the certification body directly.

Ask for a sample Certificate of Destruction. For every job, you should get one listing the destroyed items by serial number.

KGS will happily provide all five, ask us before you sign anything, not after.

Why companies pick KGS

The short version: one vendor, fully licensed and audited on both sides of the job. Data security is covered by ISO 27001. The recycling itself is covered by our NEA General Waste Collector and Disposal Facility licences. Quality, environmental and workplace safety management are covered by ISO 9001, ISO 14001 and ISO 45001. Whether you need full IT asset disposal, data destruction on its own, or a data centre decommissioned, the process ends with paperwork you can file and forget: a Certificate of Destruction for your records.

Frequently asked questions

Do we need to erase our computers before KGS collects them?+

No. Destroying the data is our job, done with industrial equipment that makes it unrecoverable. Unlike the DIY erasing that failed in the studies above. If your IT team prefers to wipe drives first as an extra layer, that’s fine too.

Is ISO 27001 compulsory for disposal vendors in Singapore?+

No. Only the NEA licence is compulsory. That’s exactly why the certificate is a useful filter: it shows a vendor that invested in audited security before any rule forced it to.

Does the PDPA require us to use an ISO 27001-certified vendor?+

No, the law doesn’t name any standard. It requires “reasonable security arrangements” for personal data. But if you ever need to show you took disposal seriously, “we chose an independently certified vendor and kept the certificates” is a much easier story to tell. This is general information, not legal advice.

What’s the difference between ISO 27001 and a Certificate of Destruction?+

ISO 27001 says the vendor’s security is sound in general, the system is trustworthy. A Certificate of Destruction says your items, listed by serial number, were destroyed on a specific date. You want both, and with KGS you get both.

How exactly is the data destroyed?+

Magnetic hard drives are degaussed (a magnetic pulse that erases everything at once), then media is crushed or shredded at our NEA-licensed facility at 8 Tuas South Lane. These methods follow NIST SP 800-88, the most widely used international guideline for making data unrecoverable.

What happens to the equipment after the data is destroyed?+

It’s processed for recycling, metals and plastics are recovered at our facility and through downstream partners, in line with our NEA licences. You clear your storeroom, your data risk ends, and the materials go back into use instead of landfill.

Sign up for exclusive offers, events and more.