Reclassify Media to Higher Sensitivity
Media connected to more sensitive systems is upgraded to match the highest security level.
Plain language
This control is about ensuring that any storage media, like USB drives or external hard drives, matches the security level of the most sensitive system it connects to. This matters because if you fail to update the security level, sensitive information could be accessed by someone who shouldn't have it, potentially leading to data breaches or reputational damage.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured.
Why it matters
If media isn’t reclassified after connection to a higher-sensitivity system, it may be handled at too low a level, exposing data.
Operational notes
Reclassify any connected media to the system’s highest sensitivity, unless it is read-only or read-only access is technically enforced.
Implementation tips
- System owners should ensure that any media connected to their systems are assessed for sensitivity. They should set up a checklist to verify the classification level of each piece of media and compare it to the system it's connected to.
- IT teams should configure systems to automatically log connections with media to track and audit their classification levels. Use system settings or software tools that can record and alert responsible staff when media connects to a sensitive system.
- Managers should train staff on recognising the sensitivity levels and handling media accordingly. Organise regular training sessions and convey the risks of mishandling sensitive media, like data breaches and third-party access.
- Procurement staff should engage vendors to verify the options for making media read-only where appropriate. This involves checking with suppliers if the media can be set to 'read-only' mode either physically or via software.
- HR should establish a policy that details the process for media classification and reclassification. This policy should be regularly updated and easily accessible to all staff to ensure compliance and understanding.
Audit / evidence tips
- AskRecords of media classification: Request a log or spreadsheet showing the security classification of media that connects to each system GoodShows that each entry is reviewed and updated in a timely manner
- GoodIncludes consistent use of logs and procedures to identify and reclassify media promptly when needed
- GoodAn automatic prompt for classification verification or a lockdown if classifications do not match
- AskTo see training materials and attendance records related to media classification training sessions
- GoodA clearly outlined process for classifying and reclassifying media with roles and responsibilities identified
Cross-framework mappings
How ISM-0325 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 7.10 | ISM-0325 requires reclassifying media to the higher sensitivity/classification when it is connected to a more sensitive system, with an e... | |
| handshake Supports (2) expand_less | ||
| Annex A 5.12 | ISM-0325 requires that any media connected to a higher-classified/sensitivity system be reclassified up to that higher level (unless read... | |
| Annex A 8.12 | ISM-0325 reduces the risk of mishandling by ensuring connected media is treated at the highest sensitivity/classification of the system i... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.