ISM-0312 ASD Information Security Manual (ISM)

Return Overseas Equipment for Destruction

Sensitive IT gear overseas must be sent back to Australia for destruction if it can't be cleaned there.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Responsive

🔐 Classifications

S, TS

🗓️ ISM last updated

May 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
IT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data that cannot be sanitised in situ, is returned to Australia for destruction.

Source: ASD Information Security Manual (ISM)

Plain language

This control ensures that any sensitive IT equipment that cannot be securely wiped clean while located overseas is safely returned to Australia for destruction. This is important because if this equipment falls into the wrong hands, it could expose highly sensitive data, leading to potential national security risks or serious data breaches.

Why it matters

If overseas IT equipment or media that processed AUSTEO/AGAO data and cannot be sanitised is not returned, data may be exposed and national security compromised.

Operational notes

Use a documented chain of custody and approved secure courier processes to return overseas AUSTEO/AGAO equipment/media to Australia for destruction when it cannot be sanitised in situ.

Implementation tips

  • The IT team should identify all equipment overseas that processes AUSTEO (Australian Eyes Only) or AGAO (Australian Government Access Only) data. Make a list and regularly update it to include details like the type of equipment and location.
  • Once identified, the IT manager should assess whether the equipment can be securely wiped overseas. If not, arrange for the equipment to be securely shipped back to Australia for destruction.
  • The procurement officer should liaise with a secure logistics provider to ensure the safe transportation of the equipment. Confirm the provider's credentials and protocols for handling sensitive equipment.
  • The security manager should oversee the destruction process once the equipment is in Australia. Use certified e-waste destruction services that provide a certificate of destruction.
  • Document the entire process for each piece of equipment, from identification through shipping, receipt in Australia, and final destruction. Ensure records are complete and stored securely for future reference or audit.

Audit / evidence tips

  • Ask: for the overseas equipment inventory. Request to see a list of all IT equipment held overseas that processes sensitive data

    Good: will include detailed records of equipment type, data processed, and location

  • Good: will show dated shipping receipts and destruction certificates from a certified provider

  • Ask: how they identify equipment needing to be returned and how they coordinate this

    Good: the manager can clearly explain the criteria for return and the process followed

  • Good: will have detailed logs with dates, actions, and responsible persons' signatures

  • Good: will be a comprehensive procedure outline that aligns with best practices

Cross-framework mappings

How ISM-0312 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (2)
Annex A 7.10 ISM-0312 mandates a specific handling outcome for overseas storage-bearing equipment that handled AUSTEO or AGAO data and cannot be sanit...
Annex A 7.14 ISM-0312 requires that overseas IT equipment (including associated media) that has processed, stored or communicated AUSTEO or AGAO data ...
