Classify Magnetic Media After Sanitisation
After cleaning, classified magnetic media must still be treated as classified.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
S, TS
🗓️ ISM last updated
Nov 2021
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for media
Section
Media sanitisation
Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification.
Source: ASD Information Security Manual (ISM)
Plain language
Even after you clean data off a hard drive or USB, it still needs to be treated as classified if it was originally marked as SECRET or TOP SECRET. This is important because traces of sensitive information might linger, and handling such media carelessly can lead to information leaks that could damage national security or a company’s reputation.
Why it matters
Misclassifying sanitised SECRET/TOP SECRET magnetic media as unclassified can cause mishandling, spillage, or compromise.
Operational notes
Treat sanitised SECRET/TOP SECRET magnetic media as still classified; label and store it accordingly and brief staff to prevent mishandling.
Implementation tips
- IT security team should train staff on proper handling: Teach employees that even after removing data, media that was classified as SECRET or TOP SECRET needs careful handling, similar to when it had data. Use simple explanations to stress why it's important.
- Managers should create strict handling protocols: Define clear steps on how to store, transport, and dispose of classified media after data has been erased. Provide these steps in a written document available to all staff who handle such media.
- Security officers should use secure chains of custody: Ensure any media considered SECRET or TOP SECRET follows a documented pathway when moved or checked out. This involves signing logs that track media from one place to another with signatures of those handling it.
- Procurement teams should maintain vendor compliance: When contracting third-party vendors to handle classified media, verify that they understand and adhere to your organisation’s handling protocols and sign agreements confirming this.
- Auditors should periodically review handling procedures: Regularly conduct checks to ensure the proper processes are being followed for dealing with classified media. Use simple checklists to see if standards have been met.
Audit / evidence tips
- Ask: for the magnetic media handling protocol. Request documents detailing handling procedures for sanitised classified media.
  Good: a procedure document with clear, simple steps for handling and storage.
- Good: complete logs without gaps or missing information.
- Ask: staff to describe how they handle classified media after sanitisation.
  Good: staff provide a concise, accurate description that matches documented procedures.
- Good: contracts that explicitly reference classification handling requirements.
Cross-framework mappings
How ISM-0356 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.13 | ISM-0356 requires that after sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification and must continue... | |
| Annex A 7.10 | ISM-0356 requires organisations to continue treating sanitised SECRET and TOP SECRET non-volatile magnetic media as retaining its origina... | |