Develop and Maintain IT Equipment Sanitisation Procedures
Organisations must create and uphold processes for properly cleaning and disposing of IT equipment.
Plain language
This control is about ensuring that your organisation properly cleans and disposes of IT equipment like computers and smartphones. If you don't do this, sensitive information could be accidentally shared when old devices are discarded or sold, which could lead to data breaches and damage your business's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
IT equipment sanitisation processes, and supporting IT equipment sanitisation procedures, are developed, implemented and maintained.
Why it matters
Improper sanitisation of IT equipment can lead to data leaks, exposing sensitive information when devices are discarded, compromising business integrity.
Operational notes
Maintain documented sanitisation procedures, train staff, and verify data wiping (or destruction) is completed and recorded before disposal, resale or reuse.
Implementation tips
- The IT team should develop a clear policy for cleaning and disposing of IT equipment. They can start by listing the types of devices your organisation uses and outlining the specific steps needed to wipe each one securely before it is disposed of or recycled.
- Managers should ensure that staff responsible for equipment are trained in the sanitisation procedures. This can be done by setting up training sessions or providing easy-to-follow guides on how to clean the data from devices before they leave the organisation.
- Procurement staff should coordinate with the IT team when any equipment is being decommissioned. They should follow a checklist to ensure the devices are properly wiped and that documentation of the sanitisation process is recorded.
- HR should work with the IT department to revoke access from all departing employees promptly. They must also ensure that any devices returned by employees are added to the sanitisation schedule.
- Executive management should review and approve the IT equipment sanitisation policy annually. They can do this by consulting with the IT team and ensuring that the process remains up to date with current technology and security standards.
Audit / evidence tips
- Ask: for the IT equipment sanitisation policy document. Check that it includes steps for cleaning data from devices before disposal.
  Good: a detailed process describing how each device type is handled and who is responsible.
- Ask: them to explain the steps taken for at least one type of device.
  Good: shows a clear understanding of the complete process and awareness of potential risks if it is not followed.
- Good: if they follow the documented process precisely, showing that the procedure is practical and implemented.
- Good: a comprehensive log with dates, responsible person, and written confirmation of sanitisation completion.
Cross-framework mappings
How ISM-0313 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially overlaps (2)

| Control | Notes |
|---|---|
| Annex A 7.10 | ISM-0313 requires organisations to develop, implement and maintain IT equipment sanitisation processes and procedures |
| Annex A 7.14 | ISM-0313 requires organisations to develop, implement and maintain IT equipment sanitisation processes and procedures |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.