Ensure Media is Used with Authorised Systems
Media must only be used with systems that are authorised for its sensitivity level.
🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Preventative
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Nov 2021
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: N/A
Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about ensuring that any media, like USB drives or DVDs, is only used with computers and systems that are secure enough to handle its confidentiality and importance. This matters because using sensitive media with unsecured systems can lead to information leaks or data breaches, which can damage your organisation's reputation or lead to financial loss.
Why it matters
Using sensitive media on unauthorised systems can expose classified data, breach ISM requirements, and cause incidents and reputational harm.
Operational notes
Ensure removable media is only connected to systems authorised for its sensitivity/classification; enforce controls and periodically audit connection logs.
Implementation tips
- System owners should create and maintain a list of authorised systems that can handle different sensitivity levels of media. This involves identifying which computers and devices are equipped with the necessary security measures, such as encryption, and keeping this list updated regularly.
- IT teams should set up controls to prevent unauthorised media from being used with sensitive systems. This can be done by configuring system settings to block unauthorised devices automatically and ensuring that only approved users have the rights to override these controls.
- Managers should train staff on the importance of using media only with authorised systems. This involves holding regular information sessions where employees learn about the risks of data leaks, how to identify authorised systems, and practical steps they can take to avoid using media incorrectly.
- Procurement teams should ensure the systems purchased meet security standards for handling media of varying sensitivity. This means checking the specifications to confirm that new devices have adequate protection measures in place to match the information they will handle.
- HR should incorporate guidelines on media usage within the organisational policies. This includes clearly outlining the consequences of violating these policies and ensuring every employee is aware of the protocols for handling sensitive information.
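The periodic audit of connection logs mentioned in the operational notes, checked against the authorised-systems list from the first implementation tip, can be automated. The following Python is an added example, not part of the ISM or of this page's source; the hostnames, media serials, CSV log format and register contents are constructed assumptions. It fails closed: media missing from the register, or a host missing from the authorised list, is reported as a finding.

```python
import csv
import io

# Constructed register: system -> classifications it is authorised to handle
# (labels use the page's NC, OS, P, S, TS abbreviations).
AUTHORISED_SYSTEMS = {
    "ws-finance-01": {"NC", "OS"},
    "ws-secure-07": {"NC", "OS", "P"},
}

# Constructed media register: media serial -> classification label.
MEDIA_REGISTER = {
    "USB-0001": "OS",
    "USB-0002": "P",
}

# Constructed connection log; a real one would be exported from endpoint
# or device-control logging in whatever format that tool produces.
SAMPLE_LOG = """timestamp,host,media_serial
2026-02-20T09:14:00,ws-finance-01,USB-0001
2026-02-20T10:02:00,ws-finance-01,USB-0002
2026-02-20T11:30:00,ws-secure-07,USB-0002
2026-02-21T08:45:00,ws-kiosk-03,USB-0001
2026-02-21T09:10:00,ws-secure-07,USB-9999
"""

def audit_connections(log_text, systems=AUTHORISED_SYSTEMS, media=MEDIA_REGISTER):
    """Return (timestamp, host, serial, reason) for each non-compliant connection."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        host = row["host"].strip().lower()
        serial = row["media_serial"].strip().upper()
        label = media.get(serial)      # None: media was never registered
        allowed = systems.get(host)    # None: host is not on the authorised list
        if label is None:
            reason = "media not in register (classification unknown)"
        elif allowed is None:
            reason = f"system not on authorised list ({label} media)"
        elif label not in allowed:
            reason = f"system not authorised for {label} media"
        else:
            continue  # compliant connection
        findings.append((row["timestamp"], host, serial, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_connections(SAMPLE_LOG):
        print(" | ".join(finding))
```

The findings list, kept with the date of each run, also serves as the audit trail of previous checks that an assessor may ask to see.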
Audit / evidence tips
- Ask: the list of authorised systems: Request documentation or a database entry that shows which systems are allowed for different sensitivity levels
  - Good: includes a comprehensive, regularly updated list cross-referenced with the organisation's classification standards
- Good: demonstrates a regular schedule with high attendance and topics focused on policy awareness and risk management
- Ask: how they configure systems to enforce media usage restrictions
  - Good: includes specific technical details that ensure media is only used with authorised systems
- Ask: to see if regular checks are performed on systems to verify media use compliance. Observe the process for checking compliance records
  - Good: involves witnessing a routine inspection or an audit trail of previous checks with documented results
- Good: includes up-to-date policies that are comprehensive and have been communicated to all employees
Cross-framework mappings
How ISM-0337 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 5.10 | ISM-0337 requires media to only be used with systems authorised to process, store or communicate the media’s sensitivity or classification | |
| Depends on (1) | | |
| Annex A 5.13 | ISM-0337 mandates that media be used only with systems authorised for its classification | |
| Related (1) | | |
| Annex A 7.10 | ISM-0337 requires media to only be used with systems authorised for its classification | |