Sanitising Non-volatile EPROM Media
Erase and overwrite EPROM with UV exposure and a random pattern to ensure data is completely removed.
Plain language
Sanitising non-volatile EPROM media involves making sure old data is completely erased so it can't be recovered. This matters because if confidential or sensitive information isn't fully removed, it might be disclosed without permission, leading to privacy breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for media
Section
Media sanitisation
Official control statement
Non-volatile EPROM media is sanitised by applying three times the manufacturer's specified ultraviolet erasure time and then overwriting it at least once in its entirety with a random pattern followed by a read back for verification.
Why it matters
Failing to apply 3x UV erasure and random overwrite on EPROM could leave recoverable remnants, enabling sensitive data exposure.
Operational notes
Apply 3x the manufacturer UV erase time, then overwrite the entire EPROM once with a random pattern and perform read-back verification.
Implementation tips
- IT personnel should follow manufacturer guidelines for UV erasure: Check the EPROM's manual for the specified ultraviolet (UV) erasure time and apply three times that exposure time in a controlled environment. Use a UV eraser device as specified by the instructions.
- After UV exposure, IT should fully overwrite the EPROM: Use a software tool to write a random pattern of data across the entire EPROM chip, ensuring no trace of the original data remains.
- Technical staff should verify the overwriting process: Use a reading device to check that the random data pattern is correctly written across the whole chip, confirming the overwriting was successful.
- System administrators should securely dispose of unnecessary EPROMs: After successful sanitisation, ensure that EPROMs are either securely archived or disposed of according to your organisation's waste management policy for electronic devices.
- Managers should document the sanitisation process: Maintain a log that details each sanitisation event, including dates, personnel involved, methods used, and verification results, to ensure a clear audit trail.
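
The overwrite and read-back steps above, as an added example (not part of the ISM or of this page's own material). It assumes the device programmer can write an image file to the chip and dump the chip back to a file; the function names, the 32 KiB size and the simulated programmer are illustrative.

```python
import hashlib
import secrets

ERASED_BYTE = 0xFF  # a UV-erased EPROM cell reads as logic 1


def blank_check(dump: bytes, size: int) -> list[int]:
    """Return offsets that are not 0xFF after UV erasure (empty list = blank)."""
    if len(dump) != size:
        raise ValueError(f"dump is {len(dump)} bytes, device is {size}")
    return [i for i, b in enumerate(dump) if b != ERASED_BYTE]


def make_pattern(size: int) -> bytes:
    """Random pattern covering the whole device, drawn from the OS CSPRNG."""
    return secrets.token_bytes(size)


def verify_readback(pattern: bytes, readback: bytes) -> dict:
    """Compare the programmer's read-back dump with the pattern that was written."""
    result = {
        "size_ok": len(pattern) == len(readback),
        "pattern_sha256": hashlib.sha256(pattern).hexdigest(),
        "readback_sha256": hashlib.sha256(readback).hexdigest(),
        "mismatches": [],
    }
    if result["size_ok"]:
        # Each entry is (offset, byte written, byte read back).
        result["mismatches"] = [
            (off, want, got)
            for off, (want, got) in enumerate(zip(pattern, readback))
            if want != got
        ]
    result["passed"] = result["size_ok"] and not result["mismatches"]
    return result


def simulate_program(cells: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the programmer: programming can only clear bits."""
    return bytes(c & d for c, d in zip(cells, data))


if __name__ == "__main__":
    SIZE = 32 * 1024  # assumed device size; take the real value from the datasheet
    erased = bytes([ERASED_BYTE]) * SIZE  # constructed dump of a fully erased chip
    assert blank_check(erased, SIZE) == []
    pattern = make_pattern(SIZE)
    print(verify_readback(pattern, simulate_program(erased, pattern))["passed"])
```

The two SHA-256 digests and the mismatch list are the kind of verification result the sanitisation log can record for each device.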
Audit / evidence tips
- Ask: the sanitisation process log: Request the detailed log of EPROM sanitisation events, including the dates and the methods used.
  Good: will include detailed records with confirmation of complete data removal.
- Good: will show the equipment is regularly maintained and still in operational condition.
- Ask: them to describe how they overwrite EPROMs after UV exposure.
  Good: shows they confidently explain and follow the process.
- Good: is appropriately labelled or tagged EPROMs with matching log entries.
- Good: is detailed disposal logs showing secure and environmentally responsible methods.
Cross-framework mappings
How ISM-0357 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 7.10 | ISM-0357 requires a precise EPROM sanitisation procedure to ensure data is irrecoverable, including verification by read back | |
| Annex A 7.14 | ISM-0357 requires a specific sanitisation method for non-volatile EPROM media, including extended UV erasure and a full overwrite with ve... | |
| Annex A 8.10 | ISM-0357 mandates a specific secure-erasure technique for non-volatile EPROM media (extended UV exposure, overwrite, and verification) | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.