ISM-0307: ASD Information Security Manual (ISM)

Ensure Proper Sanitisation Before IT Maintenance

Clean IT equipment and media if maintenance is done by non-cleared technicians.

Plain language

When IT equipment needs repairs and you can't use a technician with the right security clearance, it's important to clean data from the devices first. This helps prevent sensitive information from leaking if someone accidentally or intentionally looks at the data during maintenance.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

If an appropriately cleared technician is not used to undertake maintenance or repairs of IT equipment, the IT equipment and associated media is sanitised before maintenance or repair work is undertaken.

Why it matters

If IT equipment isn’t sanitised before third‑party maintenance, non‑cleared technicians may access stored sensitive data, causing a breach and loss of trust.

Operational notes

Before handing devices/media to non‑cleared technicians, sanitise per approved method (wipe/crypto‑erase) and record evidence of sanitisation.

Implementation tips

  • IT manager: Identify equipment needing maintenance and check if the technicians have security clearance. If not, ensure the equipment is sanitised by removing or securing confidential data.
  • Office manager: Create a checklist for each maintenance session showing steps to remove or back up sensitive data before technicians arrive. This ensures nothing is overlooked.
  • IT team: Develop a simple procedure for data sanitisation, ensuring all sensitive information is either encrypted, removed or stored securely before any equipment leaves the premises for repairs.
  • Procurement officer: Update contracts with third-party maintenance providers to state that data must be sanitised before non-cleared technicians access the equipment.
  • Staff in charge of equipment: Regularly review which devices store sensitive information and coordinate with IT to sanitise them when maintenance is scheduled.

Audit / evidence tips

  • Ask: Records of technician clearances. Review the clearance records of technicians who perform maintenance on IT equipment. Good: Includes up-to-date clearance status for all technicians.
  • Good: Document explicitly describes steps, responsible personnel, and is dated recently.
  • Ask: How they sanitise data before maintenance. Good: Shows familiarity with the data sanitisation steps and relevant equipment.
  • Good: Observation confirms procedures are consistently followed.
  • Good: Contract includes explicit terms regarding data handling and obligations.

Cross-framework mappings

How ISM-0307 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 7.10 ISM-0307 requires sanitising IT equipment and associated media before maintenance or repairs when work is performed by a technician who i...
Partially overlaps (4)
Annex A 5.19 ISM-0307 requires sanitising equipment and media before maintenance when an appropriately cleared technician is not used
Annex A 7.13 Annex A 7.13 requires equipment to be maintained correctly to preserve the availability, integrity and confidentiality of information
Annex A 7.14 ISM-0307 requires sanitising IT equipment and any associated media before maintenance or repair when the technician is not appropriately ...
Annex A 8.10 Annex A 8.10 mandates deletion of unnecessary information

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
