Ensure Media is Used with Authorised Systems
Media must only be used with systems that are authorised for its sensitivity level.
Plain language
This control is about ensuring that any media, like USB drives or DVDs, is only used with computers and systems that are secure enough to handle its confidentiality and importance. This matters because using sensitive media with unsecured systems can lead to information leaks or data breaches, which can damage your organisation's reputation or lead to financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification.
Why it matters
Using sensitive media on unauthorised systems can expose classified data, breach ISM requirements, and cause incidents and reputational harm.
Operational notes
Ensure removable media is only connected to systems authorised for its sensitivity/classification; enforce controls and periodically audit connection logs.
Implementation tips
- System owners should create and maintain a list of authorised systems that can handle different sensitivity levels of media. This involves identifying which computers and devices are equipped with the necessary security measures, such as encryption, and keeping this list updated regularly.
- IT teams should set up controls to prevent unauthorised media from being used with sensitive systems. This can be done by configuring system settings to block unauthorised devices automatically and ensuring that only approved users have the rights to override these controls.
- Managers should train staff on the importance of using media only with authorised systems. This involves holding regular information sessions where employees learn about the risks of data leaks, how to identify authorised systems, and practical steps they can take to avoid using media incorrectly.
- Procurement teams should ensure the systems purchased meet security standards for handling media of varying sensitivity. This means checking the specifications to confirm that new devices have adequate protection measures in place to match the information they will handle.
- HR should incorporate guidelines on media usage within the organisational policies. This includes clearly outlining the consequences of violating these policies and ensuring every employee is aware of the protocols for handling sensitive information.
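The operational note and the first two implementation tips describe an authorised-systems list and periodic audits of connection logs. The following is an added example, not part of the ISM or of this page's source, that cross-checks connection events against such a list. The hostnames, media IDs, event format, the ordering of the classification abbreviations and the "highest level authorised" model are all assumptions made for illustration.

```python
from typing import Optional

# Abbreviations as listed on the page; lowest-to-highest ordering is assumed.
LEVELS = ["NC", "OS", "P", "S", "TS"]
RANK = {label: i for i, label in enumerate(LEVELS)}

# Constructed register: hostname -> highest classification it is authorised for.
AUTHORISED_SYSTEMS = {"ws-finance-01": "OS", "ws-intel-07": "S", "kiosk-lobby": "NC"}

# Constructed media register: media asset ID -> classification label.
MEDIA_REGISTER = {"USB-0012": "P", "USB-0040": "OS", "DVD-0003": "S", "USB-0099": "X"}

# Constructed connection events: (timestamp, hostname, media asset ID).
EVENTS = [
    ("2026-03-02T09:14:00", "ws-finance-01", "USB-0040"),
    ("2026-03-02T10:02:00", "ws-finance-01", "USB-0012"),
    ("2026-03-03T11:30:00", "ws-intel-07", "USB-0012"),
    ("2026-03-03T15:45:00", "laptop-byod-3", "DVD-0003"),
    ("2026-03-04T08:20:00", "kiosk-lobby", "USB-7777"),
    ("2026-03-04T08:25:00", "ws-intel-07", "USB-0099"),
]


def check_event(host: str, media_id: str) -> Optional[str]:
    """Return None when the connection is authorised, otherwise the reason it is not."""
    system_level = AUTHORISED_SYSTEMS.get(host)
    media_level = MEDIA_REGISTER.get(media_id)
    # Fail closed: anything missing from a register or carrying an unknown label is a finding.
    if system_level is None:
        return "system not in authorised register"
    if media_level is None:
        return "media not in media register"
    if media_level not in RANK or system_level not in RANK:
        return "unrecognised classification label"
    if RANK[media_level] > RANK[system_level]:
        return f"media {media_level} exceeds system authorisation {system_level}"
    return None


def audit(events):
    """Return (timestamp, host, media_id, reason) for every non-compliant event."""
    findings = []
    for ts, host, media_id in events:
        reason = check_event(host, media_id)
        if reason is not None:
            findings.append((ts, host, media_id, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(" | ".join(finding))
```

The output of each run, kept with its date, can serve as the audit trail of previous checks that the evidence tips ask for.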
Audit / evidence tips
- Ask for the list of authorised systems: request documentation or a database entry that shows which systems are allowed for different sensitivity levels.
  Good: includes a comprehensive, regularly updated list cross-referenced with the organisation's classification standards.
- Good: demonstrates a regular schedule with high attendance and topics focused on policy awareness and risk management.
- Ask how they configure systems to enforce media usage restrictions.
  Good: includes specific technical details that ensure media is only used with authorised systems.
- Ask to see if regular checks are performed on systems to verify media use compliance. Observe the process for checking compliance records.
  Good: involves witnessing a routine inspection or an audit trail of previous checks with documented results.
- Good: includes up-to-date policies that are comprehensive and have been communicated to all employees.
Cross-framework mappings
How ISM-0337 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Supports | Annex A 5.10 | ISM-0337 requires media to only be used with systems authorised to process, store or communicate the media’s sensitivity or classification |
| Depends on | Annex A 5.13 | ISM-0337 mandates that media be used only with systems authorised for its classification |
| Related | Annex A 7.10 | ISM-0337 requires media to only be used with systems authorised for its classification |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.