Ensuring Sanitisation of IT Equipment Media
Remove or clean media from IT equipment to ensure data is not left on the device.
Plain language
This control ensures that any data on IT equipment is either removed or properly cleaned before the equipment leaves your control or is repurposed. This matters because leftover data can fall into the wrong hands, resulting in privacy breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Topic
Sanitising IT Equipment
Official control statement
IT equipment containing media is sanitised by removing the media from the IT equipment or by sanitising the media in situ.
Why it matters
Residual data on unsanitised media can be recovered, enabling unauthorised access and disclosure of sensitive information, with potential financial loss.
Operational notes
Verify media sanitisation or removal for each device, and record the method, date and approver to support audit and disposal assurance.
Implementation tips
- Manager: Develop a clear policy for sanitising IT equipment before disposal or repurposing. This can include steps such as identifying devices that require sanitisation and specifying the methods to be used.
- IT Team: Physically remove storage media, like hard drives or USB drives, from equipment before sending it for disposal. Ensure these components are either securely destroyed or wiped using approved software.
- Office Manager: Keep an inventory of IT equipment that requires sanitisation, tracking its movement and status from active use to disposal. Use a simple spreadsheet to log dates and responsible personnel.
- HR and IT Team: Educate staff on the importance of data sanitisation. Conduct short training sessions explaining why data needs to be removed and how mishandling can lead to data breaches.
- Procurement: When purchasing new IT equipment, ensure that proper procedures for eventual sanitisation and disposal are included in the vendor agreements to avoid data breaches in case of returns or end-of-life management.
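As an added example, not code from the Control Stack page or the ISM, the script below verifies that a media image has been fully overwritten and produces the record the operational note asks for (method, date, approver, outcome), covering the IT team wipe-and-verify step above. The device IDs, approver name and image files are constructed sample values.

```python
"""Added example, not code from the Control Stack page or ASD ISM: verify that a
media image was overwritten and build the audit record the operational note
calls for (device, method, date, approver, result). Assumes a raw image of
the media; the sample images below are constructed in a temp directory."""
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads so a full-disk image never sits in memory

def residual_bytes(image_path: str, fill: int = 0x00) -> int:
    """Count bytes that differ from the overwrite pattern. A sanitised image
    contains only the fill value; anything else is residual data."""
    expected, residual = bytes([fill]), 0
    with open(image_path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            residual += len(chunk) - chunk.count(expected)
    return residual

def sanitisation_record(device_id: str, image_path: str, method: str,
                        approver: str, fill: int = 0x00) -> dict:
    """Evidence entry: method, date and approver per the operational note,
    plus the verification outcome. verified=False means the device must be
    re-sanitised or physically destroyed, not disposed of."""
    left = residual_bytes(image_path, fill)
    return {
        "device_id": device_id,
        "method": method,
        "date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "approver": approver,
        "residual_bytes": left,
        "verified": left == 0,
    }

def demo() -> tuple:
    """Constructed samples (hypothetical asset IDs and approver): one fully
    wiped image, one with a leftover block a spot check could miss."""
    d = tempfile.mkdtemp()
    clean, dirty = os.path.join(d, "clean.img"), os.path.join(d, "dirty.img")
    with open(clean, "wb") as fh:
        fh.write(b"\x00" * (3 * CHUNK))
    with open(dirty, "wb") as fh:
        fh.write(b"\x00" * CHUNK + b"CUSTOMER-LIST" + b"\x00" * CHUNK)
    return (sanitisation_record("ASSET-0042", clean, "overwrite, zeros", "J. Smith"),
            sanitisation_record("ASSET-0043", dirty, "overwrite, zeros", "J. Smith"))

if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

For real media, point `image_path` at a block device or a full image taken after the wipe; a non-zero `residual_bytes` is the signal that the device cannot leave your control yet.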
Audit / evidence tips
- Ask: a copy of the equipment sanitisation policy. Ensure it outlines the procedures for both physical removal and digital sanitisation of media.
  Good: policy is specific, dated, and includes staff responsibilities.
- Ask: them to explain the steps they take to remove or wipe data from devices.
  Good: includes a clear, repeatable process for different types of devices.
- Good: will show consistent and completed entries across all fields.
- Good: outcome is a rigorous adherence to the sanitisation steps documented in the policy.
- Good: contract will specify vendor responsibilities for data protection during equipment handling and disposal.
Cross-framework mappings
How ISM-0311 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 7.10 | Annex A 7.10 requires storage media to be managed securely across its lifecycle, including secure disposal consistent with classification... |
| Partially overlaps | Annex A 8.10 | Annex A 8.10 requires deletion of information when not needed to reduce risk, while ISM-0311 mandates media sanitisation either by remova... |
| Related | Annex A 7.14 | ISM-0311 requires IT equipment containing media to be sanitised, either by removing the media or sanitising it in situ, to ensure residua... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.