Formal Decision on IT Equipment Disposal
Before IT equipment is publicly released, it must be sanitised and authorised after a formal decision.
Plain language
When a business needs to get rid of old computers or electronic devices, it's essential to ensure all data is wiped clean and authorised for disposal. If this isn't done, sensitive information could end up in the wrong hands, leading to privacy breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Section
IT equipment disposalTopic
Disposal of It EquipmentOfficial control statement
Following sanitisation, destruction or declassification, a formal administrative decision is made to release IT equipment, or its waste, into the public domain.
Why it matters
Without a formal release decision after sanitisation/destruction, IT equipment or waste may be released publicly while still sensitive, causing data exposure and reputational harm.
Operational notes
Record a formal administrative release decision (approver, date, asset IDs, sanitisation/destruction evidence) before IT equipment or waste is released into the public domain.
Implementation tips
- The IT team should document a sanitisation process: This involves writing down a clear step-by-step method for wiping data from all devices, such as computers or smartphones. They can do this by using software tools that meet Australian Government standards for data destruction.
- Managers should review the sanitisation checklist: Before any equipment leaves the organisation, managers should ensure all devices have been through the data-wiping process by checking off each item on a checklist to avoid errors.
- The IT team should conduct a final approval meeting: Before releasing any equipment, hold a meeting with the authorising officer to confirm every device has been properly cleaned and documented, gaining their sign-off for disposal.
- Procurement staff should track disposal authorisations: Keep a log or spreadsheet of each device, including details of data cleaning and authorisation signatures, to create a clear audit trail.
- Arrange for secure transfer of equipment after approval: Once devices are cleared, the procurement team should organise transport to a disposal facility, using a vendor who complies with ASD security standards.
Audit / evidence tips
- AskThe equipment disposal records: Request documents that list each device, its sanitisation status, and authorisation for disposal GoodShows completeness with no missing entries
- AskThem to describe the sanitisation process used on devices before disposal GoodIncludes clear, accurate steps aligning with written policies
- GoodObservation shows adherence to the process without shortcuts
- GoodIncludes valid certifications and adherence to agreements
- AskTo see the document that details who authorised the release of equipment GoodContains signatures and no delays or mismatches in dates
Cross-framework mappings
How ISM-0316 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 7.10 | ISM-0316 requires a formal administrative decision to release IT equipment into the public domain after sanitisation, destruction or decl... | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 7.14 | ISM-0316 requires that, after sanitisation, destruction or declassification, a formal administrative decision authorises releasing IT equ... | |
| handshake Supports (1) expand_less | ||
| Annex A 5.33 | Annex A 5.33 requires records to be protected from unauthorised release and from loss/destruction across their lifecycle | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.