ISM-0323, ASD Information Security Manual (ISM)

Classifying Media by Data Sensitivity

Media should be classified by the highest level of data sensitivity it contains.

Plain language

This control is about making sure that any media, like USB drives or DVDs, are labelled according to the most sensitive information they hold. If this doesn't happen, sensitive data could be accidentally exposed if the media is lost or stolen, leading to privacy breaches or financial loss.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Media is classified to the highest sensitivity or classification of data it stores, unless the media has been classified to a higher sensitivity or classification.

Why it matters

If media is not classified to the highest data sensitivity it stores, it may be handled too loosely, increasing the risk of disclosure if lost, stolen or accessed.

Operational notes

Classify each device, tape or drive to the highest sensitivity of any data stored, and update the label when contents change. Verify labels during audits and disposal.

Implementation tips

  • IT staff should review all media regularly to check for any sensitive information stored on them. Conduct this review by scanning the contents of the media and comparing it to your organisation's data sensitivity classifications.
  • The data owner should determine the classification level for the data stored on each media device. This involves identifying the highest sensitivity of the information and labelling the media accordingly with clear stickers or tags.
  • Managers should train staff to understand the importance of data classification. This training involves workshops or e-learning modules that explain how to handle different types of data based on sensitivity levels.
  • The IT department should implement a tracking system for all media used within the organisation. This means listing each item in a log that tracks the media's classification, assigned user, and movement.
  • Security personnel should conduct regular audits to ensure compliance with this classification control. These audits involve checking random samples of media to confirm they have the correct classifications applied.

Audit / evidence tips

  • Ask: The media classification register: Request a document that records all media items and their assigned classifications. Good: Is an up-to-date register that accurately reflects all items in use.
  • Good: Includes completion certificates or records in a training log.
  • Ask: To see physical examples of classified media: Request to inspect a sample of media to verify if they are correctly labelled. Good: Is correctly labelled media items according to sensitivity.
  • Ask: Them how they ensure media is properly classified and tracked. Good: Includes a clear explanation of procedures, checks, and regular updates to the media register.
  • Good: Shows that any past issues were addressed and improvements are in place.

Cross-framework mappings

How ISM-0323 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 5.12: ISM-0323 requires media to be classified to the highest sensitivity or classification of any data it stores

Supports (1)

  • Annex A 7.10: ISM-0323 requires media to be classified to the highest sensitivity/classification of the data it stores

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
