Supervise Media Destruction with Cleared Personnel
Ensure media destruction is supervised by a qualified person for security purposes.
Plain language
This control ensures that when you destroy media, like old computers or hard drives, it is done under the watchful eye of someone who is trusted and has been cleared for security purposes. This is important because if disposal is not handled properly, sensitive information might end up in the wrong hands, leading to data breaches or misuse that could damage your reputation and bottom line.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
The destruction of media is performed under the supervision of at least one cleared person.
Why it matters
If media destruction isn’t supervised by a cleared person, data may not be fully destroyed, enabling recovery and unauthorised disclosure.
Operational notes
Have at least one cleared person supervise each destruction event and record date, media IDs, method used, and sign-off confirming completion.
Implementation tips
- Assign a responsible manager: A manager should designate a trusted and security-cleared staff member to oversee media destruction activities. This person must be aware of the types of sensitive data stored and the risks involved in mishandling.
- Brief the supervision process: The designated person should be briefed about what to look for during the destruction process, ensuring that the media is completely destroyed and unrecognisable. Use a checklist or guide that covers all necessary steps.
- Organise a dedicated destruction area: Arrange for a specific, secure place where media destruction takes place. It should be out of public view and have appropriate tools and equipment available to fully destroy the media.
- Record the destruction process: The supervisor should log each destruction session, noting down what was destroyed, when, and how it was supervised. This record should be signed off by the supervisor to confirm compliance.
- Review the procedure regularly: The assigned manager should periodically review the media destruction process, ensuring it aligns with current security policies and that the supervising staff maintain their clearance status.
Audit / evidence tips
- Ask for the media destruction log: request to see the records that show which media items were destroyed, who supervised the process, and when it happened.
  Good: will be a complete and timely log confirming supervision by a cleared person.
- Ask them to explain the steps they follow when overseeing media destruction, and what actions they take to ensure complete destruction.
  Good: would include a procedure for verifying total data destruction and understanding of security risks involved.
- Good: example would be all media being rendered unreadable and unrecognisable.
- Good: will show that clearances are up-to-date and at an appropriate level for the media being disposed of.
- Ask for the written policy regarding media destruction and look for sections detailing supervision requirements and personnel responsibilities.
  Good: will describe a clear process with assigned roles and accountability measures.
Cross-framework mappings
How ISM-0370 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 6.3 | ISM-0370 requires media destruction to be performed under the supervision of at least one cleared person to reduce the risk of mishandlin... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.