ISM-0330 ASD Information Security Manual (ISM)

Proper Sanitisation and Reclassification of Media

Before the classification of media is lowered, the media must be cleaned or destroyed and a formal decision made.

Plain language

Before deciding to treat sensitive media as less sensitive, it's crucial to either thoroughly clean it or completely destroy it if necessary. This matters because if sensitive information isn't properly sanitised, it might fall into the wrong hands, leading to data breaches or misuse that can damage trust and incur significant costs.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Before reclassifying media to a lower sensitivity or classification, the media is sanitised or destroyed, and a formal administrative decision is made to reclassify it.

Why it matters

Improper media sanitisation before downgrading can expose classified data, causing breaches, legal/contractual impacts and financial loss.

Operational notes

Before downgrading media, sanitise or destroy it using approved methods and record a formal administrative decision authorising the reclassification.

Implementation tips

  • Managers should establish clear procedures for media sanitisation: Develop a documented process for how different types of media should be cleaned or destroyed before their classification is lowered. Involve IT staff to ensure the process is practical and achievable.
  • IT teams need to implement the sanitisation process: Use approved tools and methods (e.g., secure data wipe software) to clean electronic media. For physical media like paper, shredding can be effective. Ensure staff are trained in these methods.
  • HR should oversee staff training on media classification: Ensure all employees understand the importance of this control and how to handle media appropriately in line with its classification. Provide regular training sessions and updates.
  • Procurement teams should ensure sanitisation tools are available and updated: Purchase and maintain appropriate software and hardware for media sanitisation. Review and update these tools regularly to ensure they comply with the latest security standards.
  • System owners need to make formal reclassification decisions: After sanitisation, formally document the decision to reclassify media to a lower sensitivity level, with appropriate authorisation. Use a standard form or system for consistency.
Audit / evidence tips

  • Ask: The organisation's media sanitisation policy: Review the document to ensure it outlines steps for cleaning or destroying media before reclassification. Good: Includes detailed procedures and roles for those responsible.
  • Ask: Logs of media sanitisation actions.
  • Ask: How they ensure media is properly sanitised before reclassification. Good: Is a clear explanation with examples of tools and methods used and compliance with the policy.
  • Good: Practice is the correct application of the documented procedures, showing effective and secure handling.
Cross-framework mappings

How ISM-0330 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 7.10: ISM-0330 requires that before media is reclassified to a lower sensitivity or classification, it is sanitised or destroyed and a formal a...

Partially overlaps (2)
  • Annex A 7.14: ISM-0330 requires that before media is reclassified to a lower sensitivity or classification, it is sanitised or destroyed and a formal a...
  • Annex A 8.10: ISM-0330 requires that before media is reclassified to a lower sensitivity or classification, it is sanitised or destroyed and a formal a...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
