Sanitising Non-volatile EPROM Media
Erase and overwrite EPROM with UV exposure and a random pattern to ensure data is completely removed.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2021
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Non-volatile EPROM media is sanitised by applying three times the manufacturer's specified ultraviolet erasure time and then overwriting it at least once in its entirety with a random pattern followed by a read back for verification.
Source: ASD Information Security Manual (ISM)
Plain language
Sanitising non-volatile EPROM media involves making sure old data is completely erased so it can't be recovered. This matters because if confidential or sensitive information isn't fully removed, it might be disclosed without permission, leading to privacy breaches or financial loss.
Why it matters
Failing to apply 3x UV erasure and random overwrite on EPROM could leave recoverable remnants, enabling sensitive data exposure.
Operational notes
Apply 3x the manufacturer UV erase time, then overwrite the entire EPROM once with a random pattern and perform read-back verification.
Implementation tips
- IT personnel should follow manufacturer guidelines for UV erasure: Check the EPROM's manual for the specified ultraviolet (UV) erasure time and expose the chip for three times that duration in a controlled environment. Use a UV eraser device as specified by the instructions.
- After UV exposure, IT should fully overwrite the EPROM: Use a software tool to write a random pattern of data across the entire EPROM chip, ensuring no trace of the original data remains.
- Technical staff should verify the overwriting process: Use a reading device to check that the random data pattern is correctly written across the whole chip, confirming the overwriting was successful.
- System administrators should securely dispose of unnecessary EPROMs: After successful sanitisation, ensure that EPROMs are either securely archived or disposed of according to your organisation's waste management policy for electronic devices.
- Managers should document the sanitisation process: Maintain a log that details each sanitisation event, including dates, personnel involved, methods used, and verification results, to ensure a clear audit trail.
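The overwrite, read-back and logging steps above can be tied together as follows. This is an added example, not part of the ISM or of this page; it assumes the device programmer accepts the pattern and returns the read-back dump as raw bytes, and the function names, labels and sample values are hypothetical.

```python
import hashlib
import secrets
from datetime import datetime, timezone

def make_pattern(device_bytes: int) -> bytes:
    """Random overwrite image covering every address of the device."""
    return secrets.token_bytes(device_bytes)

def verify_readback(pattern: bytes, readback: bytes, report: int = 8) -> dict:
    """Byte-exact comparison of the programmer's read-back dump with the pattern."""
    bad = [i for i, (p, r) in enumerate(zip(pattern, readback)) if p != r]
    return {
        "device_bytes": len(pattern),
        "readback_bytes": len(readback),
        "pattern_sha256": hashlib.sha256(pattern).hexdigest(),
        "readback_sha256": hashlib.sha256(readback).hexdigest(),
        "mismatch_count": len(bad),
        "first_mismatches": [hex(i) for i in bad[:report]],
        # A short dump means part of the chip was never checked.
        "verified": len(readback) == len(pattern) and not bad,
    }

def log_entry(label, operator, uv_spec_min, uv_applied_min, check) -> dict:
    """One audit-log record; sanitised only if UV time and read-back both pass."""
    uv_ok = uv_applied_min >= 3 * uv_spec_min
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "device_label": label, "operator": operator,
        "uv_spec_min": uv_spec_min, "uv_applied_min": uv_applied_min,
        "uv_ok": uv_ok, **check,
        "sanitised": uv_ok and check["verified"],
    }

# Constructed sample: 8 KiB device, 20-minute datasheet erase time.
SIZE = 8192
pattern = make_pattern(SIZE)
good = log_entry("EPROM-0001", "operator-a", 20, 60, verify_readback(pattern, pattern))
# Constructed fault: one byte reads back differently from what was written.
faulty_dump = bytearray(pattern)
faulty_dump[0x1A2] ^= 0x01
bad = log_entry("EPROM-0002", "operator-a", 20, 60,
                verify_readback(pattern, bytes(faulty_dump)))
# Constructed fault: UV exposure shorter than three times the specified time.
short_uv = log_entry("EPROM-0003", "operator-a", 20, 40, verify_readback(pattern, pattern))

if __name__ == "__main__":
    for e in (good, bad, short_uv):
        print(e["device_label"], "sanitised" if e["sanitised"] else "FAILED", e["first_mismatches"])
```

A chip whose record shows `sanitised` as false stays in the sanitisation queue; the stored hashes let an auditor confirm that the dump matched the pattern without retaining the pattern itself.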
Audit / evidence tips
- Ask for the sanitisation process log: Request the detailed log of EPROM sanitisation events, including the dates and the methods used.
  Good: detailed records with confirmation of complete data removal.
- Good: the equipment is regularly maintained and still in operational condition.
- Ask them to describe how they overwrite EPROMs after UV exposure.
  Good: they confidently explain and follow the process.
- Good: appropriately labelled or tagged EPROMs with matching log entries.
- Good: detailed disposal logs showing secure and environmentally responsible methods.
Cross-framework mappings
How ISM-0357 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | ||
| Annex A 7.10 | ISM-0357 requires a precise EPROM sanitisation procedure to ensure data is irrecoverable, including verification by read back | |
| Annex A 7.14 | ISM-0357 requires a specific sanitisation method for non-volatile EPROM media, including extended UV erasure and a full overwrite with ve... | |
| Annex A 8.10 | ISM-0357 mandates a specific secure-erasure technique for non-volatile EPROM media (extended UV exposure, overwrite, and verification) | |