ISM-0311 ASD Information Security Manual (ISM)

Ensuring Sanitisation of IT Equipment Media

Remove or clean media from IT equipment to ensure data is not left on the device.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
IT equipment containing media is sanitised by removing the media from the IT equipment or by sanitising the media in situ.

Source: ASD Information Security Manual (ISM)

Plain language

This control ensures that any data on IT equipment is either removed or properly cleaned before the equipment leaves your control or is repurposed. This matters because leftover data can fall into the wrong hands, resulting in privacy breaches or financial loss.

Why it matters

Residual data on unsanitised media can be recovered, enabling unauthorised access and disclosure of sensitive information, with potential financial loss.

Operational notes

Verify media sanitisation or removal for each device, and record the method, date and approver to support audit and disposal assurance.

Implementation tips

  • Manager: Develop a clear policy for sanitising IT equipment before disposal or repurposing. This can include steps such as identifying devices that require sanitisation and specifying the methods to be used.
  • IT Team: Physically remove storage media, like hard drives or USB drives, from equipment before sending it for disposal. Ensure these components are either securely destroyed or wiped using approved software.
  • Office Manager: Keep an inventory of IT equipment that requires sanitisation, tracking its movement and status from active use to disposal. Use a simple spreadsheet to log dates and responsible personnel.
  • HR and IT Team: Educate staff on the importance of data sanitisation. Conduct short training sessions explaining why data needs to be removed and how mishandling can lead to data breaches.
  • Procurement: When purchasing new IT equipment, ensure that proper procedures for eventual sanitisation and disposal are included in the vendor agreements to avoid data breaches in case of returns or end-of-life management.

Audit / evidence tips

  • Ask: request a copy of the equipment sanitisation policy. Ensure it outlines the procedures for both physical removal and digital sanitisation of media.

    Good: policy is specific, dated, and includes staff responsibilities

  • Ask: have them explain the steps they take to remove or wipe data from devices.

    Good: includes a clear, repeatable process for different types of devices

  • Good: will show consistent and completed entries across all fields

  • Good: outcome is a rigorous adherence to the sanitisation steps documented in the policy

  • Good: contract will specify vendor responsibilities for data protection during equipment handling and disposal

Cross-framework mappings

How ISM-0311 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially overlaps (2)

  • Annex A 7.10: Annex A 7.10 requires storage media to be managed securely across its lifecycle, including secure disposal consistent with classification...
  • Annex A 8.10: Annex A 8.10 requires deletion of information when not needed to reduce risk, while ISM-0311 mandates media sanitisation either by remova...

Related (1)

  • Annex A 7.14: ISM-0311 requires IT equipment containing media to be sanitised, either by removing the media or sanitising it in situ, to ensure residua...
