Destroy Unsanitizable Media Before Disposal
Media that can't be cleaned of data must be destroyed before getting rid of it.
Plain language
This control is all about securely getting rid of certain types of media like optical discs and microfilm that can't be cleaned of their data. Before you throw them out, you need to destroy them to ensure sensitive information doesn't end up in the wrong hands. If you don’t do this, private data could be exposed, leading to potential breaches and damage to your organisation's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
The following media types are destroyed prior to their disposal:
- microfiche and microfilm
- optical discs
- programmable read-only memory
- read-only memory
- other types of media that cannot be sanitised.
Why it matters
Failure to destroy unsanitised media like optical discs or microfilm before disposal can lead to data breaches, financial loss, and damage to organisational reputation.
Operational notes
Regularly audit disposal procedures to identify unsanitisable media and ensure it is physically destroyed before disposal to prevent data exposure.
Implementation tips
- Office managers should create an inventory of all media types used in the organisation and categorise them based on their ability to be sanitised. This involves listing what types of media you have and identifying those that cannot be wiped clean, like read-only media or microfilm.
- The IT team should develop a standard procedure for the physical destruction of unsanitizable media. This can be done by acquiring a shredder capable of handling these types of materials or by contracting a certified data destruction company.
- Procurement staff should ensure contracts with disposal vendors include media destruction services that comply with the organisation's requirements. This means reviewing vendor capabilities and certifications to ensure they understand and can perform the destruction required for sensitive information.
- The security team should regularly train staff involved in media disposal on the importance of this control and the steps to correctly destroy media. This involves practical sessions showing how to handle and destroy different media types safely.
- Managers should set regular reviews every six months to ensure the destruction process is being followed and any new media types used within the organisation are evaluated for sanitisation capability. These reviews should involve checking the destruction records and assessing any changes in media usage.
Audit / evidence tips
- Ask: for a list of media types used in the organisation. Verify that the list includes all the media types identified in the inventory.
  Good: the list is comprehensive, regularly updated, and marks which items cannot be sanitised.
- Good: the record will match the volume and types of unsanitizable media listed in the inventory.
- Ask: them to explain the methods and tools used to destroy media.
  Good: the answer should include details of the equipment used or the vendor services hired, demonstrating knowledge of best practices.
- Good: the record includes dates of the training, attendees' names, and a summary of the topics covered.
- Good: the session follows all safety and security protocols, ending with properly destroyed media.
Cross-framework mappings
How ISM-0350 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 7.10 | Partially meets | ISM-0350 requires organisations to destroy storage media that cannot be sanitised, including types like microfiche, microfilm, optical di... |
| Annex A 7.14 | Partially overlaps | ISM-0350 mandates destruction of media that cannot be sanitised before disposal |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.