ISM-0348: ASD Information Security Manual (ISM)

Develop and Maintain Media Sanitisation Procedures

Organisations must create, apply, and maintain media sanitisation methods and procedures.


Plain language

To keep your business safe, it's important to securely wipe or destroy any old or unwanted data storage media, like hard drives or USB sticks, before getting rid of them. If you don’t, sensitive information could fall into the wrong hands, leading to data breaches and loss of trust in your organisation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Media sanitisation processes, and supporting media sanitisation procedures, are developed, implemented and maintained.

Why it matters

Poor media sanitisation can lead to sensitive data leaks, resulting in reputational damage, legal repercussions, and financial loss.


Operational notes

Maintain documented procedures for sanitising, verifying and recording disposal of each media type (e.g., wipe, degauss, shred), and review them regularly.


Implementation tips

  • The IT team should develop a clear media sanitisation policy: This policy should outline what types of media need to be sanitised, the methods for doing so, and how records should be kept. The policy should be easy for all staff to follow and include instructions for wiping and dismantling devices.
  • Managers should ensure staff are trained on media sanitisation procedures: Hold training sessions for employees to make sure everyone knows how to properly sanitise data-bearing media. Use simple language and practical demonstrations to show the correct processes.
  • IT support staff should maintain an inventory of media containing data: Keep a list of all company devices and media that store data, noting when they were last sanitised or destroyed. Use a spreadsheet or software tool to track this information consistently.
  • Procurement teams should include media sanitisation in vendor contracts: When contracting with suppliers for data storage or IT disposal, ensure agreements specify secure sanitisation of data. Include clear data destruction protocols in contracts to avoid leaks.
  • Office managers should assign responsibility for regular checks: Have someone regularly check that media sanitisation is being done correctly. Set up quarterly reviews where responsible staff verify that sanitisation standards are being maintained across the office.

Audit / evidence tips

  • Ask: The media sanitisation policy document: Review the document to ensure it covers all types of media used in the organisation and outlines approved sanitisation methods. Good: Is a comprehensive, easily understandable document signed off by management.
  • Good: List should be up-to-date and cross-referenced with disposals.
  • Ask: Them to explain the sanitisation process they follow and how they confirm media is securely wiped or destroyed. Good: Will include specific methods and tools used, and how they verify success.
  • Good: Record shows regular sessions with high attendance and clear instructional material.
  • Good: Process will be structured and result in a certificate or other confirmation that media was successfully sanitised.

Cross-framework mappings

How ISM-0348 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Controls and notes, grouped by relationship:

Partially meets (2)

  • Annex A 5.4: ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and procedures
  • Annex A 5.37: ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and supporting procedures

Partially overlaps (2)

  • Annex A 5.10: ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and supporting procedures
  • Annex A 7.10: ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and supporting procedures

Supports (1)

  • Annex A 8.10: Annex A 8.10 requires organisations to ensure information is deleted when no longer required

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
