ISM-0372 | ASD Information Security Manual (ISM)

Supervision of Media Destruction Procedures

Media destruction must be overseen by at least two security-cleared staff members.

Plain language

This control ensures that any time you destroy media (like hard drives, USB sticks, or old computers) that has important or sensitive information on it, at least two trusted employees have to watch over the process. This is important because if media ends up in the wrong hands, it could lead to your sensitive information being accessed or misused, potentially harming your business's reputation and finances.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

07 May 2026

E8 maturity levels

N/A

Official control statement

The destruction of media storing accountable material is performed under the supervision of at least two cleared personnel.

Why it matters

Without two cleared staff supervising the destruction of accountable media, material may be removed or left undestroyed, resulting in unauthorised disclosure and breach reporting.

Operational notes

Before destruction, confirm two cleared personnel are present and record their names/time; stop the process if either leaves until supervision is restored.

Implementation tips

  • Managers should establish a protocol for media destruction, assigning at least two security-cleared staff members to oversee the process. Start by choosing trustworthy employees with security clearance and train them on the destruction procedure to ensure they know what to do and why it matters.
  • The IT team should create a list of all media that needs destroying and organise regular destruction sessions. They can do this by maintaining an inventory of outdated or obsolete media and scheduling monthly or quarterly sessions to manage it securely and efficiently.
  • HR managers should ensure all staff involved in the destruction process have the necessary security clearance. This can be done by regularly reviewing staff clearances and updating them as needed, ensuring compliance with organisational security policies.
  • The office manager should set up a secure area for the destruction process that can be easily monitored. This might involve setting aside a locked room where media can be destroyed using shredding tools or devices, with access limited to authorised personnel.
  • Compliance officers should document the destruction process by preparing a report that includes the date, time, and personnel involved. They can use a simple form for staff to fill out during each session, logging details like types of media destroyed and who was present, to maintain an audit trail.

Audit / evidence tips

  • Ask: Documented media destruction procedures: Request a written protocol that outlines how media destruction is handled. Good: Includes detailed roles and procedures ensuring compliance with the control.
  • Good: Session involves staff following documented steps and securely handling media throughout the process.
  • Ask: Them to explain the destruction steps and why two people are needed. Listen for clear, confident explanations that follow established protocols. Good: Demonstrate understanding of security risks and adherence to procedures.
  • Ask: To see past destruction logs and reports: Request documentation showing past sessions and involved personnel.

Cross-framework mappings

How ISM-0372 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 5.37 ISM-0372 mandates a specific operational safeguard for media disposal: two cleared personnel must supervise destruction of media holding ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
