Return Overseas Equipment for Destruction
Sensitive IT gear overseas must be sent back to Australia for destruction if it can't be cleaned there.
Plain language
This control is about ensuring that any sensitive IT equipment, which cannot be securely wiped clean while located overseas, is safely returned to Australia for destruction. This is important because if this equipment falls into the wrong hands, it could expose highly sensitive data leading to potential national security risks or serious data breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
IT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data that cannot be sanitised in situ, is returned to Australia for destruction.
Why it matters
If overseas IT equipment or media that processed AUSTEO/AGAO cannot be sanitised is not returned, data may be exposed and compromise national security.
Operational notes
Use a documented chain of custody and approved secure courier processes to return overseas AUSTEO/AGAO equipment/media to Australia for destruction when it cannot be sanitised in situ.
Implementation tips
- The IT team should identify all equipment overseas that processes AUSTEO (Australian Eyes Only) or AGAO (Australian Government Access Only) data. Make a list and regularly update it to include details like the type of equipment and location.
- Once identified, the IT manager should assess whether the equipment can be securely wiped overseas. If not, arrange for the equipment to be securely shipped back to Australia for destruction.
- The procurement officer should liaise with a secure logistics provider to ensure the safe transportation of the equipment. Confirm the provider's credentials and protocols for handling sensitive equipment.
- The security manager should oversee the destruction process once the equipment is in Australia. Use certified e-waste destruction services that provide a certificate of destruction.
- Document the entire process for each piece of equipment: starting from identification, shipping, reception in Australia, and final destruction. Ensure records are complete and stored securely for future reference or audit.
Audit / evidence tips
- AskThe overseas equipment inventory: Request to see a list of all IT equipment held overseas that processes sensitive data GoodWill include detailed records of equipment type, data processed, and location
- GoodWill show dated shipping receipts and destruction certificates from a certified provider
- AskHow they identify equipment needing to be returned and how they coordinate this GoodIs the manager can clearly explain the criteria for return and the process followed
- GoodWill have detailed logs with dates, actions, and responsible persons' signatures
- GoodWill be a comprehensive procedure outline that aligns with best practices
Cross-framework mappings
How ISM-0312 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 7.10 | ISM-0312 mandates a specific handling outcome for overseas storage-bearing equipment that handled AUSTEO or AGAO data and cannot be sanit... | |
| Annex A 7.14 | ISM-0312 requires that overseas IT equipment (including associated media) that has processed, stored or communicated AUSTEO or AGAO data ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.