According to requirement 9.8, when should media be destroyed?

Study for the PCI Data Security Standard Exam. Master your knowledge with interactive flashcards and multiple-choice questions, each with hints and explanations. Prepare confidently for your certification test!

Multiple Choice

According to requirement 9.8, when should media be destroyed?

Explanation:
The idea being tested is tying media destruction to the data lifecycle: you should discard media when it’s no longer needed for business operations or to meet legal/retention requirements. This ensures you’re not holding onto data-bearing media longer than necessary, which reduces the risk of data exposure and supports proper retention practices. Destroying media only for compliance reasons would keep data longer than needed, and waiting until after a breach or only destroying after a legal trigger misses the ongoing need to minimize risk. The correct approach is to plan destruction as soon as the media no longer serves a business purpose or is no longer legally required, using appropriate methods for the media type.

