Contact ASD for Guidance on Secure IT Disposal
Ensure secure disposal of certain IT equipment by consulting the ASD for requirements.
Plain language
When it's time to get rid of old IT gear, especially if it's been specially secured against electronic spying, you need to ask the Australian Signals Directorate (ASD) for advice on how to do it safely. This matters because if equipment isn’t properly disposed of, sensitive information could be leaked, potentially harming the organisation and breaching privacy laws.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Section
IT equipment disposalTopic
Disposal of It EquipmentOfficial control statement
When disposing of IT equipment that has been designed or modified to meet emanation security standards, ASD is contacted for requirements relating to its disposal.
Why it matters
Not contacting ASD before disposing of emanation-secure IT equipment may enable compromise of classified information or EMSEC design details.
Operational notes
Before disposing of IT equipment designed/modified for emanation security, contact ASD to confirm disposal requirements and approved handling steps.
Implementation tips
- IT managers should identify any IT equipment designed or modified to meet high-security standards. They can do this by checking inventory records or asset registers for equipment with security labels or documentation. They should list these items for special disposal procedures.
- The security officer should contact the Australian Signals Directorate (ASD) before disposing of equipment. They can reach out via email or phone with details of the equipment needing disposal. It's crucial to get specific guidance on the approved disposal method.
- Personnel responsible for IT disposal should keep detailed records of any guidance from the ASD. They should document the advice received and the actions taken, ensuring compliance with any specific instructions provided.
- The IT team should organise secure disposal methods as recommended by the ASD. This could involve specialised recycling services or secure destruction processes to ensure data cannot be recovered.
- Managers should train relevant staff about the need for secure disposal and demonstrate compliance with ASD guidelines. Regular training sessions or briefings can be conducted to update staff on the latest standards and procedures.
Audit / evidence tips
- AskThe list of IT equipment identified for special disposal GoodIncludes a comprehensive list with names and security classification details
- GoodShows clear instructions from ASD and evidence that the advice was followed
- GoodIncludes dates, methods used, and confirmation of secure disposal
- AskHow they determine when to contact ASD and how they ensure compliance GoodIncludes confident descriptions of the process and specific examples
- GoodIncludes documentation of steps like secure destruction methods or third-party certificates
Cross-framework mappings
How ISM-0321 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 7.10 | ISM-0321 requires that when disposing of IT equipment designed or modified to meet emanation security standards, the organisation contact... | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 7.14 | ISM-0321 requires the organisation to contact ASD for disposal requirements when disposing of emanation security (TEMPEST-like) equipment | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.