Ensuring Proper Sanitisation of Magnetic Media
Erase non-volatile magnetic media by overwriting with random data, ensuring old data cannot be accessed.
Plain language
Ensuring that magnetic media, like old hard drives, media tapes, or backup disks, are properly erased before disposal or reuse is crucial. If this isn't done thoroughly, sensitive information could be recovered by someone else, potentially leading to data breaches or privacy violations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for media
Section
Media sanitisation
Official control statement
Non-volatile magnetic media is sanitised by overwriting it at least once (or three times if pre-2001 or under 15 GB) in its entirety with a random pattern followed by a read back for verification.
Why it matters
Improper sanitisation of non-volatile magnetic media can expose residual sensitive data when reused, causing data breaches and reputational damage.
Operational notes
Overwrite magnetic media end-to-end with a random pattern and perform read-back verification. Use three overwrite passes for pre-2001 or <15 GB devices.
Implementation tips
- IT Manager should ensure all non-volatile magnetic media is identified: Compile a list of all media types in use, including backup tapes and spare hard drives. This helps to systematically track what needs to be cleaned.
- IT Team should perform the sanitisation process using approved software: Use data wiping tools that overwrite the magnetic media with random data at least once to make previously stored data unreadable. Check the tool's documentation to ensure it follows industry standards for data destruction.
- Procurement staff should be trained on disposal processes: Ensure they know that media cannot just be thrown away but needs to be cleaned according to this control. Provide them with a checklist of approved disposal methods.
- IT Team should verify sanitisation through read-back testing: After wiping, use a verification process to read back the data to confirm no old data remains. Document these results for each device.
- Office Manager should keep a disposal log: Maintain records of when and how each piece of media was sanitised and by whom, along with verification test results. This log can be a simple spreadsheet or database entry.
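The overwrite, read-back and logging steps above can be sketched as follows. This is an added example, not code from the ISM or from this page: the function names are hypothetical, "15 GB" is assumed to mean decimal gigabytes, and the target path may be a device node or an image file.

```python
import hashlib
import os

CHUNK = 1024 * 1024
FIFTEEN_GB = 15 * 10**9  # assumption: the control's "15 GB" is decimal gigabytes


def required_passes(manufacture_year, capacity_bytes):
    """Three passes for pre-2001 or under-15 GB media, otherwise one."""
    if manufacture_year < 2001 or capacity_bytes < FIFTEEN_GB:
        return 3
    return 1


def _overwrite_pass(dev, size):
    """Write random data over [0, size); return the SHA-256 of what was written."""
    written = hashlib.sha256()
    dev.seek(0)
    remaining = size
    while remaining:
        block = os.urandom(min(CHUNK, remaining))
        dev.write(block)
        written.update(block)
        remaining -= len(block)
    dev.flush()
    os.fsync(dev.fileno())  # push the pass out of userspace and OS write buffers
    return written.hexdigest()


def _read_back(dev):
    """Re-read the whole target from offset 0 and return its SHA-256."""
    # Caveat: on a real device, bypass or drop the OS cache before reading back.
    seen = hashlib.sha256()
    dev.seek(0)
    for block in iter(lambda: dev.read(CHUNK), b""):
        seen.update(block)
    return seen.hexdigest()


def sanitise(path, manufacture_year):
    """Overwrite the target end to end, verify the final pass, return a log record."""
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)  # full capacity, so no region is skipped
        passes = required_passes(manufacture_year, size)
        for _ in range(passes):
            expected = _overwrite_pass(dev, size)
        verified = _read_back(dev) == expected
    return {"target": path, "bytes": size, "passes": passes, "verified": verified}
```

The returned record can be appended to the disposal log alongside the operator's name and the date; a `verified` value of `False` means the device must not be released.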
Audit / evidence tips
- Ask for the media sanitisation procedures document: Request a copy of the specific procedures used for wiping non-volatile magnetic media.
  Good: describes clear steps that align with the control requirements.
- Ask for the log that tracks each piece of media purged. Check for dates, methods used, and verification signatures.
  Good: a well-maintained log that matches physical media inventory records.
- Ask them to describe the process of sanitisation and verification.
  Good: clear references to tools used and how verification is performed for each media.
- Ask for proof of training for procurement staff.
Cross-framework mappings
How ISM-0354 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 7.10 | ISM-0354 requires non-volatile magnetic media to be sanitised by overwriting the entire medium with a random pattern (with specified pass... | |
| Annex A 7.14 | ISM-0354 mandates a specific, verifiable overwriting process to sanitise non-volatile magnetic media so that prior data cannot be accessed | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.