ISM-0343 ASD Information Security Manual (ISM)

Disabling Unnecessary Access to Removable Media

Disable writing to removable media unless it's necessary for business.


Plain language

This control is about stopping people from saving data onto USB sticks and other removable drives unless it's needed for work. It's important because if this isn't controlled, sensitive information could easily fall into the wrong hands if the device is lost or stolen.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

If there is no business requirement for writing to removable media and devices, such functionality is disabled via the use of a device access control application or by disabling external communication interfaces.
ASD Information Security Manual (ISM) ISM-0343

Why it matters

Allowing write access to removable media enables data exfiltration and malware transfer via USB devices, risking disclosure of sensitive information.


Operational notes

Use device access control to block removable media write access (allow read/approved devices only) or disable USB storage interfaces, and review exceptions regularly.


Implementation tips

  • The IT team should identify all devices that can connect through USB ports and other removable media interfaces. They can do this by scanning the organisation's systems and creating a list of all such devices in use.
  • Managers should assess which employees actually need to use removable media for their roles. This can be done by meeting with teams to understand their needs and documenting those who truly need access.
  • The IT team should use software to restrict USB and other removable media access on company computers. They can install device access control applications that can turn off or limit writing to removable media devices.
  • System administrators should explore settings on computers to manually disable USB writing capabilities if software isn't available. This can be done through adjusting operating system settings or using group policies in a Windows environment.
  • HR and IT teams should work together to update the company's policy to clearly outline when writing to removable media is acceptable and make staff aware through training sessions. This ensures everyone understands the rules and why they exist.

Audit / evidence tips

  • Ask: The list of authorised users and devices allowed to write to removable media. Check the document for names, roles, and justification for access. Good: A tidy document listing specific individuals with legitimate reasons noted.
  • Ask: Them about their understanding of the policy on removable media use. Good: They know who can use removable devices and when it's permissible.
  • Good: Observation shows staff following protocol with no unauthorised devices being used.

Cross-framework mappings

How ISM-0343 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (2)
Annex A 5.15: ISM-0343 requires organisations to disable write access to removable media where there is no business requirement, using device access co...
Annex A 8.3: ISM-0343 requires organisations to disable write access to removable media and devices where there is no business requirement, implemente...
Partially overlaps (1)
Annex A 7.10: ISM-0343 requires organisations to disable write functionality to removable media unless there is a clear business requirement, reducing ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
