ISM-0363 ASD Information Security Manual (ISM)

Develop and Maintain Media Destruction Processes

Ensure your organisation creates and follows proper media destruction procedures to securely dispose of data.

Plain language

This control is about making sure you properly dispose of your old storage devices and documents so no one can access the data you don't need anymore. If you don't have a clear process for getting rid of these items safely, your confidential information could fall into the wrong hands, leading to privacy breaches or fraud.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Media destruction processes, and supporting media destruction procedures, are developed, implemented and maintained.

Why it matters

Inadequate media destruction can leave residual data on disposed or reused media, enabling unauthorised access, data breaches and regulatory non-compliance.

Operational notes

Document approved destruction/sanitisation methods by media type, maintain chain-of-custody records, and routinely audit any third-party destruction provider for compliance.

Implementation tips

  • Office Manager: Develop a clear written policy that outlines how different types of media, such as old computers, USB drives, and paper documents, should be securely destroyed. Work with IT to ensure that this policy is simple for all staff to understand and follow.
  • IT Team: Create a step-by-step procedure for securely wiping data from digital storage devices before disposal. This can include using specific software tools for data removal and documenting that the task has been completed.
  • HR Department: Train staff on the importance of media destruction and the processes your organisation has in place. Use practical sessions to demonstrate how to handle and dispose of media, and keep a record of who has completed this training.
  • Facilities Manager: Arrange regular pickups or drop-off points for secure media disposal services, such as shredding companies. Make sure that the service provider complies with security standards by checking their accreditation or certifications.
  • Procurement Officer: Include media destruction requirements in contracts with third-party service providers. Ensure that contracts specify how and when data should be destroyed and require proof that proper destruction has been carried out.

Audit / evidence tips

  • Ask: The media destruction policy. Request the document that explains how data is supposed to be destroyed at your organisation. Good: Policy will leave no room for misunderstanding about how data should be securely destroyed.
  • Ask: Them to describe how they carry out data wiping from digital devices. Listen for details on specific tools they use and steps they take. Good: Will include mention of industry-standard software and a recorded process of confirmation.
  • Ask: To witness a session of secure paper shredding or electronic media wiping.
  • Ask: Evidence that staff have been trained in media destruction procedures. Good: Result is evidence of regular training sessions that are up-to-date and appropriately attended.

Cross-framework mappings

How ISM-0363 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 7.10: ISM-0363 requires organisations to establish and maintain media destruction processes and procedures to securely dispose of data-bearing ...

Partially overlaps (1)

  • Annex A 7.14: ISM-0363 requires media destruction processes and supporting procedures to be developed, implemented and maintained so media is securely ...

Supports (1)

  • Annex A 8.10: Annex A 8.10 mandates that unused information be securely deleted, while ISM-0363 requires documented procedures for media destruction, s...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
