Classify Magnetic Media After Sanitisation
After cleaning, classified magnetic media must still be treated as classified.
Plain language
Even after you clean data off a hard drive or USB, it still needs to be treated as classified if it was originally marked as SECRET or TOP SECRET. This is important because traces of sensitive information might linger, and handling such media carelessly can lead to information leaks that could damage national security or a company’s reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for media
Section
Media sanitisation
Official control statement
Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification.
Why it matters
Misclassifying sanitised SECRET/TOP SECRET magnetic media as unclassified can cause mishandling, spillage, or compromise.
Operational notes
Treat sanitised SECRET/TOP SECRET magnetic media as still classified; label and store it accordingly and brief staff to prevent mishandling.
Implementation tips
- IT security team should train staff on proper handling: Teach employees that even after removing data, media that was classified as SECRET or TOP SECRET needs careful handling, similar to when it had data. Use simple explanations to stress why it's important.
- Managers should create strict handling protocols: Define clear steps on how to store, transport, and dispose of classified media after data has been erased. Provide these steps in a written document available to all staff who handle such media.
- Security officers should use secure chains of custody: Ensure any media considered SECRET or TOP SECRET follows a documented pathway when moved or checked out. This involves signing logs that track media from one place to another with signatures of those handling it.
- Procurement teams should maintain vendor compliance: When contracting third-party vendors to handle classified media, verify that they understand and adhere to your organisation’s handling protocols and sign agreements confirming this.
- Auditors should periodically review handling procedures: Regularly conduct checks to ensure the proper processes are being followed for dealing with classified media. Use simple checklists to see if standards have been met.
Audit / evidence tips
- Ask for the magnetic media handling protocol: request documents detailing handling procedures for sanitised classified media.
  Good: a procedure document with clear, simple steps for handling and storage.
- Good: the outcome is seeing complete logs without gaps or missing information.
- Ask them to describe how they handle classified media after sanitisation.
  Good: staff providing a concise, accurate description that matches documented procedures.
- Good: seeing contracts that explicitly reference classification handling requirements.
Cross-framework mappings
How ISM-0356 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.13 | ISM-0356 requires that after sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification and must continue... | |
| Annex A 7.10 | ISM-0356 requires organisations to continue treating sanitised SECRET and TOP SECRET non-volatile magnetic media as retaining its origina... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.