Develop and Maintain Media Sanitisation Procedures
Organisations must create, apply, and maintain media sanitisation methods and procedures.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for media
Section
Media sanitisation
Media sanitisation processes, and supporting media sanitisation procedures, are developed, implemented and maintained.
Source: ASD Information Security Manual (ISM)
Plain language
To keep your business safe, it's important to securely wipe or destroy any old or unwanted data storage media, like hard drives or USB sticks, before getting rid of them. If you don’t, sensitive information could fall into the wrong hands, leading to data breaches and loss of trust in your organisation.
Why it matters
Poor media sanitisation can lead to sensitive data leaks, resulting in reputational damage, legal repercussions, and financial loss.
Operational notes
Maintain documented procedures for sanitising, verifying and recording disposal of each media type (e.g., wipe, degauss, shred), and review them regularly.
Implementation tips
- The IT team should develop a clear media sanitisation policy: This policy should outline what types of media need to be sanitised, the methods for doing so, and how records should be kept. The policy should be easy for all staff to follow and include instructions for wiping and dismantling devices.
- Managers should ensure staff are trained on media sanitisation procedures: Hold training sessions for employees to make sure everyone knows how to properly sanitise data-bearing media. Use simple language and practical demonstrations to show the correct processes.
- IT support staff should maintain an inventory of media containing data: Keep a list of all company devices and media that store data, noting when they were last sanitised or destroyed. Use a spreadsheet or software tool to track this information consistently.
- Procurement teams should include media sanitisation in vendor contracts: When contracting with suppliers for data storage or IT disposal, ensure agreements specify secure sanitisation of data. Include clear data destruction protocols in contracts to avoid leaks.
- Office managers should assign responsibility for regular checks: Have someone regularly check that media sanitisation is being done correctly. Set up quarterly reviews where responsible staff verify that sanitisation standards are being maintained across the office.
Audit / evidence tips
- Ask for the media sanitisation policy document: Review the document to ensure it covers all types of media used in the organisation and outlines approved sanitisation methods.
  Good: A comprehensive, easily understandable document signed off by management.
- Good: The list should be up to date and cross-referenced with disposals.
- Ask them to explain the sanitisation process they follow and how they confirm media is securely wiped or destroyed.
  Good: The explanation will include specific methods and tools used, and how they verify success.
- Good: The record shows regular sessions with high attendance and clear instructional material.
- Good: The process will be structured and result in a certificate or other confirmation that media was successfully sanitised.
Cross-framework mappings
How ISM-0348 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.4 | ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and procedures | |
| Annex A 5.37 | ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and supporting procedures | |
| Partially overlaps (2) | | |
| Annex A 5.10 | ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and supporting procedures | |
| Annex A 7.10 | ISM-0348 requires organisations to develop, implement, and maintain media sanitisation processes and supporting procedures | |