
Last updated: 3 July 2026 · Written by the KGS team. KGS is an NEA-licensed e-waste recycler, founded in Singapore in 2016.
KGS is certified to ISO/IEC 27001:2022, the leading international standard for information security. In plain terms: an independent auditor has inspected how we protect the data on the equipment you send us for disposal, confirmed it meets the standard, and will keep coming back to check. If you’re the person tasked with finding a company to take away your office’s old laptops, servers or hard drives, here is why that matters to you.
Pressing “delete” does not actually remove files from a computer. It only removes the signpost pointing to them; the files themselves sit on the drive until someone destroys it properly, and free software can recover them. This is not a rare mishap. Researchers at the University of Hertfordshire bought 200 second-hand hard drives and found 59% still held the previous owner’s files: payroll records, passport scans, bank statements. Most sellers had tried to erase the drives. They just hadn’t done it properly.
For a company, the stakes are higher than embarrassment. Under Singapore’s Personal Data Protection Act (PDPA), your company stays responsible for personal data even after you hand equipment to a vendor. If data leaks because a disposal contractor was careless, the regulator comes to you. Since October 2022, fines can reach 10% of your annual Singapore turnover for larger companies, or S$1 million. And IBM’s 2025 report puts the average cost of a data breach at US$4.44 million worldwide.
So the real question when choosing a disposal vendor is not “who can take these boxes away?” It is “who can prove the data on them will be destroyed?”
ISO 27001 is an international standard for how an organisation protects information, covering its people, its processes, its buildings and its record-keeping. To become certified, a company cannot simply declare itself secure. An independent certification body sends auditors to inspect how things actually work, and only issues a certificate if the standard is met. The auditors then return every year, and the certificate can be withdrawn if standards slip.
Think of it like a kitchen hygiene grade for a restaurant. Any restaurant can say its kitchen is clean. The grade on the wall means an inspector has been inside and confirmed it, and will be back.
Here is what each part means for you:
| What the certificate says | What it means when you use KGS |
|---|---|
| Physical data destruction | The way we destroy hard drives and other data-bearing devices, degaussing (a powerful magnetic wipe), crushing and shredding at our Tuas facility. It is checked by independent auditors to ensure compliance. |
| The question you’d want to ask | KGS |
|---|---|
| How do I know your security claims are true? | An independent auditor has verified them, and re-checks every year |
| Who handles my equipment, and are they vetted? | Staff vetting and training are part of the audited system |
| What happens if something goes wrong? | Incident response is a required part of the standard |
| Will standards slip next year? | The certificate lapses if they do |
A vendor without the certificate is not automatically careless. But without it, checking their security becomes your homework, and under the PDPA, the consequences of getting it wrong are yours too.
A little honesty, because it builds better decisions than marketing does. ISO 27001 certifies our overall system, not each individual hard drive, so for every job, you should still receive a Certificate of Destruction listing what was destroyed, which KGS issues as standard. The certification also doesn’t shift your PDPA responsibility onto us; no vendor arrangement can do that. What it does is give you strong, independently verified evidence that you chose your vendor carefully, which is exactly what you’d want on file if anyone ever asks.
Ask for their NEA licence. In Singapore, e-waste collection and treatment requires one. No licence, no deal.
Ask to see the ISO 27001 certificate itself, not a logo on a website. Check the dates are current.
Read the scope line. It should mention data destruction or disposal operations, not just office IT.
Verify it. Look the company up on IAF CertSearch, a free global register, or ask the certification body directly.
Ask for a sample Certificate of Destruction. For every job, you should get one listing the destroyed items by serial number.
KGS will happily provide all five, ask us before you sign anything, not after.
The short version: one vendor, fully licensed and audited on both sides of the job. Data security is covered by ISO 27001. The recycling itself is covered by our NEA General Waste Collector and Disposal Facility licences. Quality, environmental and workplace safety management are covered by ISO 9001, ISO 14001 and ISO 45001. Whether you need full IT asset disposal, data destruction on its own, or a data centre decommissioned, the process ends with paperwork you can file and forget: a Certificate of Destruction for your records.
No. Destroying the data is our job, done with industrial equipment that makes it unrecoverable. Unlike the DIY erasing that failed in the studies above. If your IT team prefers to wipe drives first as an extra layer, that’s fine too.
No. Only the NEA licence is compulsory. That’s exactly why the certificate is a useful filter: it shows a vendor that invested in audited security before any rule forced it to.
No, the law doesn’t name any standard. It requires “reasonable security arrangements” for personal data. But if you ever need to show you took disposal seriously, “we chose an independently certified vendor and kept the certificates” is a much easier story to tell. This is general information, not legal advice.
ISO 27001 says the vendor’s security is sound in general, the system is trustworthy. A Certificate of Destruction says your items, listed by serial number, were destroyed on a specific date. You want both, and with KGS you get both.
Magnetic hard drives are degaussed (a magnetic pulse that erases everything at once), then media is crushed or shredded at our NEA-licensed facility at 8 Tuas South Lane. These methods follow NIST SP 800-88, the most widely used international guideline for making data unrecoverable.
It’s processed for recycling, metals and plastics are recovered at our facility and through downstream partners, in line with our NEA licences. You clear your storeroom, your data risk ends, and the materials go back into use instead of landfill.
Sign up for exclusive offers, events and more.