Proper Sanitisation and Reclassification of Media
Before the classification of media is lowered, the media must be cleaned or destroyed and a formal decision made.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: Feb 2022
Control Stack last updated: 22 Feb 2026
E8 maturity levels: N/A
Before reclassifying media to a lower sensitivity or classification, the media is sanitised or destroyed, and a formal administrative decision is made to reclassify it.
Source: ASD Information Security Manual (ISM)
Plain language
Before deciding to treat sensitive media as less sensitive, it's crucial to either thoroughly clean it or completely destroy it if necessary. This matters because if sensitive information isn't properly sanitised, it might fall into the wrong hands, leading to data breaches or misuse that can damage trust and incur significant costs.
Why it matters
Improper media sanitisation before downgrading can expose classified data, causing breaches, legal/contractual impacts and financial loss.
Operational notes
Before downgrading media, sanitise or destroy it using approved methods and record a formal administrative decision authorising the reclassification.
Implementation tips
- Managers should establish clear procedures for media sanitisation: Develop a documented process for how different types of media should be cleaned or destroyed before their classification is lowered. Involve IT staff to ensure the process is practical and achievable.
- IT teams need to implement the sanitisation process: Use approved tools and methods (e.g., secure data wipe software) to clean electronic media. For physical media like paper, shredding can be effective. Ensure staff are trained in these methods.
- HR should oversee staff training on media classification: Ensure all employees understand the importance of this control and how to handle media appropriately in line with its classification. Provide regular training sessions and updates.
- Procurement teams should ensure sanitisation tools are available and updated: Purchase and maintain appropriate software and hardware for media sanitisation. Review and update these tools regularly to ensure they comply with the latest security standards.
- System owners need to make formal reclassification decisions: After sanitisation, formally document the decision to reclassify media to a lower sensitivity level, with appropriate authorisation. Use a standard form or system for consistency.
Audit / evidence tips
- Ask for the organisation's media sanitisation policy: Review the document to ensure it outlines steps for cleaning or destroying media before reclassification.
  Good: includes detailed procedures and roles for those responsible.
- Ask for logs of media sanitisation actions.
- Ask how they ensure media is properly sanitised before reclassification.
  Good: a clear explanation with examples of tools and methods used and compliance with the policy.
- Good: correct application of the documented procedures, showing effective and secure handling.
Cross-framework mappings
How ISM-0330 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 7.10 | ISM-0330 requires that before media is reclassified to a lower sensitivity or classification, it is sanitised or destroyed and a formal a... | |
| Partially overlaps (2) | | |
| Annex A 7.14 | ISM-0330 requires that before media is reclassified to a lower sensitivity or classification, it is sanitised or destroyed and a formal a... | |
| Annex A 8.10 | ISM-0330 requires that before media is reclassified to a lower sensitivity or classification, it is sanitised or destroyed and a formal a... | |