Classification Retention for Sanitised EPROM and EEPROM
Even after erasure, certain memory devices stay classified as SECRET or TOP SECRET.
- 🏛️ Framework: ASD Information Security Manual (ISM)
- 🧭 Control effect: Responsive
- 🔐 Classifications: S, TS
- 🗓️ ISM last updated: Nov 2021
- ✏️ Control Stack last updated: 19 Mar 2026
- 🎯 E8 maturity levels: N/A
Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification.
Source: ASD Information Security Manual (ISM)
Plain language
After you securely erase certain types of computer memory called EPROM and EEPROM, they still must be treated as holding secret information, like classified government documents. This is crucial because without this caution, sensitive information could be mishandled, leading to privacy breaches or even national security risks.
Why it matters
If sanitised EPROM/EEPROM is no longer treated as SECRET/TOP SECRET, residual data may be exposed, causing serious national security and legal impacts.
Operational notes
After sanitisation, keep EPROM/EEPROM at its original SECRET/TOP SECRET classification: retain markings, store in approved containers, and control custody/access.
Implementation tips
- IT team should ensure proper disposal processes: Develop a procedure for securely collecting and storing sanitised EPROM and EEPROM devices, even after erasure. Use a locked, secure bin specifically labelled for classified media.
- Managers must train staff on classification retention: Conduct regular training sessions for team members to help them understand that sanitised EPROM and EEPROM devices still hold their classification. Use examples to show how improper handling can result in serious data leaks.
- Procurement should track classified media: Create a log to document all instances of EPROM and EEPROM devices being sanitised and retained. Include details like serial numbers, the date of sanitisation, and current storage status.
- IT security staff should audit storage environments: Regularly check physical storage locations for these devices to ensure they are secure and that access is controlled. Make a schedule to perform these checks monthly.
- Compliance officers need to review classification policies: Regularly review and update your organisation's classification policies to ensure they align with this control. Consult the Australian Signals Directorate (ASD) guidelines for any updates.
Audit / evidence tips
- Ask: the device sanitisation log: Request to see records of all sanitised EPROM and EEPROM devices that still hold classifications of SECRET or TOP SECRET
  - Good: includes a tracked list showing consistent entries for all applicable devices
- Good: is evidence of regular training sessions with high attendance and clear educational content
- Good: shows robust physical measures preventing unauthorised access
- Ask: IT team members how they handle and ensure security of sanitised EPROM and EEPROM devices
  - Good: is detailed and aligns with written procedures
- Good: includes regularly updated documents with signs of recent reviews
Cross-framework mappings
How ISM-0358 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 7.10 | ISM-0358 requires that after any sanitisation attempt, SECRET and TOP SECRET non-volatile EPROM/EEPROM media must still be handled as ret... |
| Supports | Annex A 5.10 | ISM-0358 requires that sanitised SECRET/TOP SECRET EPROM/EEPROM media continues to be handled as classified, affecting how staff may stor... |
| Supports | Annex A 5.12 | ISM-0358 mandates a specific classification outcome: sanitised EPROM/EEPROM that previously held SECRET or TOP SECRET information must co... |
| Supports | Annex A 5.13 | ISM-0358 requires continued SECRET/TOP SECRET handling for sanitised EPROM/EEPROM media, meaning the asset should not be treated as uncla... |