ISM-0368: ASD Information Security Manual (ISM)

Ensuring Media Particles Are No Larger Than 9 mm

Destroy media so resulting particles are no bigger than 9 mm to prevent data recovery.

Plain language

This control is about making sure that any physical media like CDs, hard drives, or USB sticks are broken down into pieces no larger than 9 millimetres. This is important because if the pieces are bigger, someone might be able to recover the data that was on them, which could lead to private information being exposed.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Media destroyed using a hammer mill, disintegrator, grinder/sander or by cutting results in media waste particles no larger than 9 mm.

Why it matters

If media destruction particles exceed 9 mm, data recovery becomes possible, risking confidential information exposure and potential breaches.

Operational notes

Regularly verify hammer mill/disintegrator/grinder or cutting settings so output particles are ≤9 mm; sample and measure waste periodically, and record results.

Implementation tips

  • The office manager should ensure all outdated media is collected and stored securely until destruction. Use locked storage cabinets in a secure room to prevent unauthorised access until the media can be properly destroyed.
  • The procurement officer needs to hire a reliable service that uses a hammer mill, disintegrator, or grinder to destroy media. Check that the service provider is certified and guarantees particle sizes no larger than 9 mm.
  • IT staff should conduct an internal destruction process using appropriate tools if external services aren't used. Follow manufacturer instructions for shredder settings and safety procedures to achieve the correct particle size.
  • The compliance officer should update records to specify destruction methods and compliance with the particle size requirement. Maintain a log of destruction dates, methods used, and names of personnel responsible.
  • The security officer should educate all staff about the importance of this control. Hold a short training session explaining how small particles make it almost impossible to recover data and why that's critical for privacy protection.

Audit / evidence tips

  • Ask: The destruction log: Request the documentation outlining dates, methods, and personnel responsible for media destruction. Good: Includes logs with specific destruction dates, methods, and particle size confirmation.
  • Ask: Them to describe the destruction process and tool settings. Good: Includes correctly naming the tools used and describing how they ensure compliance with particle size.
  • Good: Sign is consistent use of specified destruction tools and immediate verification of particle size post-destruction.
  • Ask: To see the contract or agreement with an external destruction service. Good: Agreement specifies 9 mm compliance and regular service intervals.
  • Good: Set includes clear, understandable reasons and instructions about the destruction process.

Cross-framework mappings

How ISM-0368 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

  • Annex A 7.10: ISM-0368 requires media destruction to a defined particle size (≤9 mm) as an anti-recovery measure
  • Annex A 7.14: ISM-0368 requires physical destruction of media such that waste particles are no larger than 9 mm to prevent data recovery

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
