ISM-0371 ASD Information Security Manual (ISM)

Ensure Proper Supervision of Media Destruction

Staff must oversee media destruction to ensure it is done correctly and completely.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2021

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Personnel supervising the destruction of media supervise its handling to the point of destruction and ensure that the destruction is completed successfully.

Source: ASD Information Security Manual (ISM)

Plain language

To ensure confidential information doesn't fall into the wrong hands, someone responsible should be present whenever old or unused media such as hard drives or documents is destroyed, to make sure it's done properly. Without supervision, there's a risk that sensitive data is accidentally leaked or stolen, leading to potential privacy breaches or financial loss.

Why it matters

If media destruction isn’t supervised through to completion, media may be removed or destruction may fail, exposing sensitive data and causing loss.

Operational notes

Ensure a supervisor maintains custody from handling to final destruction, witnesses completion, and records date, method, serial/asset ID, and witness.

Implementation tips

  • The office manager should designate a responsible staff member to oversee media destruction. This person should be trained to understand the importance of securely destroying media and to follow a clear checklist for the destruction process.
  • The IT team should schedule regular media destruction days and notify the responsible staff member. They should prepare the media to be destroyed and ensure appropriate tools and services are available during the process.
  • The procurement officer should engage a certified secure destruction service provider if needed. Ensure that the provider is reputable and their methods are compliant with all relevant standards and regulations.
  • The responsible staff member should physically witness the destruction of media. Whether done internally or by a service provider, they should verify that all media is completely destroyed without leaving any traceable data.
  • The manager should document every destruction event, including the date, type of media destroyed, method used, and the supervising staff member. This record should be securely stored for future reference or audits.

Audit / evidence tips

  • Ask: for the media destruction log, the record that documents each destruction event

    Good: clear records showing complete and supervised destruction events

  • Ask: them about their understanding of the destruction process and their role in supervising it

    Good: a clear explanation of procedures and why supervision is important

  • Good: a structured process with active supervision from start to finish

  • Ask: for any certificates or documentation from the destruction service provider

    Good: up-to-date certifications proving secure and proper destruction methods

  • Good: updated records showing that staff are adequately trained to oversee destruction

Cross-framework mappings

How ISM-0371 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 7.10: ISM-0371 requires organisations to supervise media destruction end-to-end, ensuring the media is controlled to the point of destruction a...

Partially overlaps (2)

  • Annex A 7.14: ISM-0371 requires personnel to supervise the handling of media through to destruction and verify that destruction is completed successfully
  • Annex A 8.10: ISM-0371 requires supervised handling of media up to the point of destruction and confirmation that destruction completes successfully

Supports (1)

  • Annex A 5.33: Annex A 5.33 requires records to be protected from unauthorised access and unauthorised release, including during end-of-life handling
