← Insights
Compliance6 min read

Chain of Custody: The Answer to Every Question an Auditor Will Ever Ask About a Device

Sooner or later, someone official asks: where is this device, who has touched it, and can you prove the data on it was destroyed? There are only two possible answers — a file, or a scramble.

Every device your company has ever owned will eventually be the subject of a question from someone with authority to ask it.

An auditor doing SOC 2 fieldwork sampling your asset inventory. A privacy officer tracing which machines touched PHI. A cyber-insurance underwriter's questionnaire asking how retired media is destroyed. A customer's security review wanting your disposal procedure in writing. Occasionally, counsel asking where a specific laptop was during a specific month.

The questions are always the same three, in some order: Where is it? Who has had it? Prove the data is gone.

And there are only two possible kinds of answer. The first is a file: the serial number's record, showing every assignment, movement, storage location, and the destruction certificate at the end. The second is a scramble: emails, memories, a spreadsheet last reconciled two refreshes ago, and a growing pit in someone's stomach. Which answer you give was decided years earlier, by whether device movements were run as a custody operation or as favors and shipments.

What custody actually means

"Chain of custody" gets used loosely in IT, usually meaning "we're careful." It has a stricter, more useful meaning: an unbroken, documented record of possession — at every moment in a device's life, the record says who or what facility held it, and every transfer between holders has an artifact.

Concretely, for a device fleet, that decomposes into five disciplines:

Serialized identity. Every device is tracked as itself — this serial, not "a Dell." Counts and models tell you what you bought; serials tell you where each thing is. Audits sample serials.

Documented intake. When a device enters the operation — new from the vendor, recovered from a departure, pulled from a site — it's received against its serial, its condition recorded, its arrival timestamped. Intake is where the record starts telling the truth; skip it and everything downstream inherits the gap.

Controlled, access-logged storage. Between assignments, devices sit in a facility where access is restricted and logged — so "who could have touched it" has a short, provable answer. A supply closet with a shared key is, in audit terms, a custody hole with shelves.

Movement records. Every transfer — shipped to a hire, swapped at a site, returned from a departure, sent to the bench — generates its artifact: tracking number, recipient confirmation, check-in scan. The device is never between records.

Certified destruction. When a device is retired or re-provisioned, its data is destroyed to standard and a certificate is issued against the serial and filed. This is the artifact regulators, underwriters, and customers actually ask for by name — and the one that cannot be reconstructed after the fact. You cannot certify yesterday's wipe of a device you can't locate today.

Evidence as a byproduct, not a project

Here's the property that makes custody economical rather than bureaucratic: done properly, the evidence produces itself.

In an ad-hoc operation, audit season is an archaeology project — reconstructing device histories from shipping receipts and inbox searches, at the worst possible time, with findings as the price of every gap. In a custody operation, every record the auditor wants was generated as a side effect of doing the work: the intake scan, the movement log, the wipe certificate. Nobody "prepares evidence." The operation's exhaust is the evidence. Audit prep collapses into file retrieval.

This is also why custody can't really be bolted on afterward. The record is only as strong as its weakest link, and links are forged at the moment of movement or never. A fleet that adopts custody discipline today has clean history from today — one more reason the right time to start is before the question arrives, not after.

Who this is for, concretely

Healthcare operators carry the sharpest version: any endpoint that touched clinical systems is presumptively a PHI device, and an unaccounted-for one isn't a loose end — it's a potential reportable event. Custody records and wipe certificates are the difference between a closed question and an incident file.

Anyone holding SOC 2 or facing enterprise security reviews gets asked for asset accountability and media-disposal evidence on a schedule. Custody turns a recurring fieldwork risk into a recurring non-event.

Private equity platforms inherit fleets with no history at every close — and create disposal obligations with every integration. Starting custody at acquisition means the platform's record is clean even when the target's never was.

Everyone with a cyber-insurance renewal is watching questionnaires get longer. "Documented chain of custody with certified destruction" is the answer the form is fishing for.

The one-question self-audit

Pick a device your company retired last year. Any one. Now produce, within one business day: its full movement history and its certificate of data destruction.

If that's a file, your operation already runs on custody. If it's a scramble, you've just previewed the audit — while it's still free.

Talk to us about custody

/ Diagnose your environment

Run the diagnosis on your own environment.

Surya runs the physical device lifecycle — regional configuration and distribution, same-day swaps, serialized chain of custody — from Research Triangle Park.

Book a diagnostic call