Ensure Destruction of High Assurance IT Equipment
High assurance IT equipment must be destroyed before disposal to prevent data leaks.
Plain language
This control means that before you throw away or recycle high-security IT equipment, you must destroy it to make sure no one can get any sensitive information from it. This matters because if old computers or storage devices are not properly destroyed, someone could retrieve confidential data, which could lead to identity theft, financial loss, or damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
High assurance IT equipment is destroyed prior to its disposal.
Why it matters
If high assurance IT equipment is disposed of without destruction, stored sensitive data may be recovered, causing a security breach and reputational harm.
Operational notes
Verify and document destruction of high assurance devices before disposal; use approved destruction methods and periodically audit disposal records.
Implementation tips
- The IT manager should identify all high assurance equipment in the organisation. This involves creating a list of devices such as computers or storage media that store sensitive information, ensuring no device is overlooked.
- The procurement team needs to arrange for appropriate destruction services. They can do this by contacting certified data destruction companies that adhere to security standards and ensuring they provide certificates of destruction.
- The office manager should ensure a secure collection process for devices marked for destruction. They can set up a locked bin or room where outdated devices are stored before collection.
- The IT team should be responsible for removing data from devices before destruction. This can involve running data-wiping software to make data retrieval impossible and noting the process in their records.
- HR should train staff on the importance of high assurance device destruction. They can organise regular awareness sessions to explain why this process is critical and how staff can help identify devices that need to be destroyed.
Audit / evidence tips
- Ask for the equipment inventory list: Request the latest document listing all high assurance equipment scheduled for destruction.
  Good is a list updated regularly with all items accounted for.
- Good shows matching details with the internal inventory records.
- Ask them to explain the steps taken to ensure data is irretrievable before device disposal.
  Good includes a clear, step-by-step procedure they follow.
- Good is a locked and monitored area with a logbook of access.
- Ask for evidence of training sessions conducted about the importance of device destruction.
  Good is documentation showing regular training sessions with most staff attending.
Cross-framework mappings
How ISM-0315 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Annex A 7.10 | ISM-0315 requires physical destruction of high assurance IT equipment before disposal to prevent residual data exposure | |
| Annex A 7.14 | ISM-0315 requires that high assurance IT equipment is destroyed prior to disposal to prevent any data leakage | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.