ISM-0360 ASD Information Security Manual (ISM)

Classification Retention After Flash Memory Sanitisation

Even after being sanitised, flash drives used for SECRET and TOP SECRET data still need to be treated as classified.


Plain language

Even after you think you've erased data from a flash drive, the drive still needs to be handled carefully if it was ever used for SECRET or TOP SECRET data. This is important because mishandling could inadvertently expose sensitive information, risking national security or personal privacy breaches.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification.

Why it matters

If sanitised flash media is treated as unclassified, residual SECRET/TOP SECRET data may be exposed, creating a national security risk.


Operational notes

After sanitisation, keep flash media labelled SECRET/TOP SECRET and handle/store it as such, as flash cells can retain recoverable remnants.


Implementation tips

  • Security officers should conduct a risk assessment to identify flash drives previously used for SECRET or TOP SECRET data. They should list these devices and ensure they are tracked and monitored even after sanitisation.
  • IT teams should implement strict control processes for sanitising flash drives. This involves using software or hardware that complies with government guidelines, ensuring that data cannot be easily recovered.
  • Management should establish and enforce a policy that treats all sanitised flash memory as if it still contains classified information. This means storing or disposing of it securely, as they would classified materials.
  • Asset managers should maintain a detailed inventory of all flash memory devices used for classified information. Each entry should include the current location, custodian, and sanitisation status of the device.
  • Training officers should provide regular reminders and training sessions for all staff on the proper handling of sanitised flash memory. These sessions should emphasise why security practices for handling these devices still matter.

Audit / evidence tips

  • Ask: The risk assessment document of flash drives used for classified data. Verify that each identified device is listed with its classification history.
  • Good: Will include references to specific sanitisation methods and equipment used.
  • Ask: Them to explain the steps they take and verify consistency with documented procedures.
  • Good: Features adherence to documented processes and an understanding of the risks involved.
  • Good: Session or material will clearly convey the importance of ongoing secure handling.

Cross-framework mappings

How ISM-0360 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially overlaps (2)
Annex A 7.10 ISM-0360 requires that after sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification and must cont...
Annex A 7.14 ISM-0360 requires that sanitised SECRET and TOP SECRET flash media still retains its classification and must continue to be treated and c...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
