ISM-0359: ASD Information Security Manual (ISM)

Proper Sanitisation of Non-Volatile Flash Memory

Non-volatile flash memory is wiped by overwriting it twice with random data, then checked to ensure it's clean.

Plain language

This control is about making sure that the data stored on non-volatile flash memory is completely erased before disposing of the device or repurposing it. This is important because if old data isn't properly wiped, sensitive information could fall into the wrong hands, leading to privacy breaches or financial loss.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Non-volatile flash memory media is sanitised by overwriting it at least twice in its entirety with a random pattern followed by a read back for verification.
ASD Information Security Manual (ISM), ISM-0359

Why it matters

If flash memory isn’t overwritten twice with random patterns and verified, sensitive data may remain recoverable when devices are reused or disposed of.

Operational notes

Overwrite the entire flash medium at least twice with random patterns, then perform a full read-back verification to confirm the overwrite completed successfully.

Implementation tips

  • IT team should develop a sanitisation procedure: Ensure there is a clear step-by-step process to overwrite non-volatile flash memory twice with random data. Use reliable software tools designed for data destruction to execute this process.
  • System administrator looks after regular verification: After data has been overwritten, the system administrator should perform a read-back process to verify that no original data is left. Use data verification software to confirm the memory is clean.
  • Procurement officer manages equipment lifecycle: Before disposing of or selling devices with non-volatile memory, the procurement officer should ensure the sanitisation process has been completed. Keep a record of this verification for future audits.
  • Staff training by IT manager: Train staff responsible for handling storage media on how to carry out the sanitisation process properly. Use training sessions or workshops with practical demonstrations using real devices.
  • Compliance officer conducts regular checks: The compliance officer should periodically review and audit sanitisation efforts to ensure procedures are effectively protecting data. Include spot-checks during equipment disposal or repurposing.
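
A sketch of the overwrite-and-verify procedure described above, added here as an example and not taken from the ISM or from any vendor tool: it overwrites a target at least twice with random data, then reads it back and compares hashes. The function names, the 1 MiB chunk size and the fields of the returned record are assumptions; the path can be a regular file or, on Linux, a block device opened with sufficient privileges.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # assumed I/O size: 1 MiB per write/read

def overwrite_pass(fd, size):
    """Fill the whole target with fresh random data; return SHA-256 of it."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        block = os.urandom(min(CHUNK, remaining))
        view = memoryview(block)
        while view:                  # os.write may write fewer bytes than asked
            view = view[os.write(fd, view):]
        digest.update(block)
        remaining -= len(block)
    os.fsync(fd)                     # push the pass out of OS write buffers
    return digest.hexdigest()

def read_back(fd, size):
    """Read the whole target and return its SHA-256."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        block = os.read(fd, min(CHUNK, remaining))
        if not block:
            raise OSError("short read during verification")
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()

def sanitise(path, passes=2):
    """Overwrite `path` at least twice with random data, then verify by read-back."""
    if passes < 2:
        raise ValueError("at least two overwrite passes are required")
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        for _ in range(passes):
            written = overwrite_pass(fd, size)
        # Advisory: ask the OS to drop cached pages so the read-back comes from the media.
        if hasattr(os, "posix_fadvise"):
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        verified = read_back(fd, size) == written
    finally:
        os.close(fd)
    return {"target": path, "bytes": size, "passes": passes, "verified": verified}
```

The returned record is the kind of evidence the procurement and audit steps ask for; a `verified` value of `False` means the medium did not return the final random pattern and should not be released.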

Audit / evidence tips

  • Ask: The sanitisation procedure document: Request the written procedure that outlines how non-volatile flash memory is overwritten and verified. Good: Includes an up-to-date document with clear responsibilities and methods.
  • Good: Shows logs with past dates and successful verifications.
  • Ask: Them to explain how the memory sanitisation process is conducted and verified. Good: Is when staff confidently describe the overwriting and verification process and know where the procedure is documented.
  • Good: Demonstrates exact following of the procedure.
  • Good: Includes well-organised records with all necessary details and authorisations.

Cross-framework mappings

How ISM-0359 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

  • Annex A 7.10: ISM-0359 mandates a specific sanitisation technique for non-volatile flash memory (double random overwrite plus read-back verification)
  • Annex A 8.10: ISM-0359 specifies how to sanitise non-volatile flash memory by overwriting it twice with random data and verifying via read-back

Supports (1)

  • Annex A 7.14: ISM-0359 offers a detailed approach for flash memory sanitisation, supporting the overall data removal goals of Annex A 7.14

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
