Ensure Proper Supervision of Media Destruction
Staff must oversee media destruction to ensure it is done correctly and completely.
Plain language
To ensure confidential information doesn't fall into the wrong hands, it's crucial that someone responsible is present whenever you destroy old or unused media, such as hard drives or documents, to ensure it's done properly. If destruction is not supervised, there's a risk that sensitive data might be accidentally leaked or stolen, leading to potential privacy breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Personnel supervising the destruction of media supervise its handling to the point of destruction and ensure that the destruction is completed successfully.
Why it matters
If media destruction isn’t supervised through to completion, media may be removed or destruction may fail, exposing sensitive data and causing loss.
Operational notes
Ensure a supervisor maintains custody from handling to final destruction, witnesses completion, and records date, method, serial/asset ID, and witness.
Implementation tips
- The office manager should designate a responsible staff member to oversee media destruction. This person should be trained to understand the importance of securely destroying media and follow a clear checklist for the destruction process.
- The IT team should schedule regular media destruction days and notify the responsible staff member. They should prepare the media to be destroyed and ensure appropriate tools and services are available during the process.
- The procurement officer should engage a certified secure destruction service provider if needed. Ensure that the provider is reputable and their methods are compliant with all relevant standards and regulations.
- The responsible staff member should physically witness the destruction of media. Whether done internally or by a service provider, they should verify that all media is completely destroyed without leaving any traceable data.
- The manager should document every destruction event, including the date, type of media destroyed, method used, and the supervising staff member. This record should be securely stored for future reference or audits.
Audit / evidence tips
- Ask: the media destruction log. Request to see the record that documents each destruction event.
  Good: clear records showing complete and supervised destruction events.
- Ask: them about their understanding of the destruction process and their role in supervising it.
  Good: a clear explanation of procedures and why supervision is important.
- Good: a structured process with active supervision from start to finish.
- Ask: any certificates or documentation from the destruction service provider.
  Good: up-to-date certifications proving secure and proper destruction methods.
- Good: updated records showing the staff are adequately trained to oversee destructions.
Cross-framework mappings
How ISM-0371 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 7.10 | ISM-0371 requires organisations to supervise media destruction end-to-end, ensuring the media is controlled to the point of destruction a... | |
| Partially overlaps (2) | | |
| Annex A 7.14 | ISM-0371 requires personnel to supervise the handling of media through to destruction and verify that destruction is completed successfully | |
| Annex A 8.10 | ISM-0371 requires supervised handling of media up to the point of destruction and confirmation that destruction completes successfully | |
| Supports (1) | | |
| Annex A 5.33 | Annex A 5.33 requires records to be protected from unauthorised access and unauthorised release, including during end-of-life handling | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.