ISM-0358: ASD Information Security Manual (ISM)

Classification Retention for Sanitised EPROM and EEPROM

Even after erasure, certain memory devices stay classified as SECRET or TOP SECRET.

Plain language

After you securely erase certain types of computer memory, called EPROM and EEPROM, they must still be treated as holding secret information, like classified government documents. This matters because, without this caution, sensitive information could be mishandled, leading to privacy breaches or even national security risks.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification.

Why it matters

If sanitised EPROM/EEPROM is no longer treated as SECRET/TOP SECRET, residual data may be exposed, causing serious national security and legal impacts.

Operational notes

After sanitisation, keep EPROM/EEPROM at its original SECRET/TOP SECRET classification: retain markings, store in approved containers, and control custody/access.

Implementation tips

  • IT team should ensure proper disposal processes: Develop a procedure for securely collecting and storing sanitised EPROM and EEPROM devices, even after erasure. Use a locked, secure bin specifically labelled for classified media.
  • Managers must train staff on classification retention: Conduct regular training sessions for team members to help them understand that sanitised EPROM and EEPROM devices still hold their classification. Use examples to show how improper handling can result in serious data leaks.
  • Procurement should track classified media: Create a log to document all instances of EPROM and EEPROM devices being sanitised and retained. Include details like serial numbers, the date of sanitisation, and current storage status.
  • IT security staff should audit storage environments: Regularly check physical storage locations for these devices to ensure they are secure and that access is controlled. Make a schedule to perform these checks monthly.
  • Compliance officers need to review classification policies: Regularly review and update your organisation's classification policies to ensure they align with this control. Consult with the Australian Signals Directorate (ASD) guidelines for any updates.

Audit / evidence tips

  • Ask: The device sanitisation log: Request to see records of all sanitised EPROM and EEPROM devices that still hold classifications of SECRET or TOP SECRET. Good: Includes a tracked list showing consistent entries for all applicable devices.
  • Good: Is evidence of regular training sessions with high attendance and clear educational content.
  • Good: Shows robust physical measures preventing unauthorised access.
  • Ask: IT team members how they handle and ensure security of sanitised EPROM and EEPROM devices. Good: Is detailed and aligns with written procedures.
  • Good: Includes regularly updated documents with signs of recent reviews.

Cross-framework mappings

How ISM-0358 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 7.10 ISM-0358 requires that after any sanitisation attempt, SECRET and TOP SECRET non-volatile EPROM/EEPROM media must still be handled as ret...
Supports (3)
Annex A 5.10 ISM-0358 requires that sanitised SECRET/TOP SECRET EPROM/EEPROM media continues to be handled as classified, affecting how staff may stor...
Annex A 5.12 ISM-0358 mandates a specific classification outcome: sanitised EPROM/EEPROM that previously held SECRET or TOP SECRET information must co...
Annex A 5.13 ISM-0358 requires continued SECRET/TOP SECRET handling for sanitised EPROM/EEPROM media, meaning the asset should not be treated as uncla...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.