Supervise and Certify Accountable Material Destruction
Supervisors ensure accountable material is destroyed properly and sign a certificate to confirm it.
Plain language
This control is about making sure that sensitive materials, like documents or old computer disks that contain important data, are properly destroyed when they’re no longer needed. If we don't do this right, there’s a risk that private information might be leaked, which can harm your business’s reputation or even lead to legal troubles.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for mediaSection
Media destructionOfficial control statement
Personnel supervising the destruction of media storing accountable material supervise its handling to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards.
Why it matters
Failure to certify accountable material destruction can enable unrecoverable data compromise, regulatory breach and legal liability.
Operational notes
Supervise accountable material from custody to destruction, confirm the method completed, and sign and retain a destruction certificate.
Implementation tips
- Managers should designate responsible personnel to oversee material destruction. They should assign a trusted employee who is aware of what materials need to be destroyed and ensure they follow through from start to finish.
- The designated supervisor needs to be equipped with a destruction checklist. This list should have detailed steps on how to properly destroy each type of material and ensure nothing is skipped.
- Employees responsible for destruction should employ only approved methods, like shredders for paper or professional services for electronics. They must follow the procedure exactly as specified to ensure complete destruction.
- After destruction, the supervising person should complete a destruction certificate. This certificate should detail what was destroyed, the method used, and it needs to be signed to verify accuracy.
- Keep records of all destruction certificates securely filed. This will help in future audits and ensure there is a clear trail of accountability for all destroyed materials.
Audit / evidence tips
- AskThe list of materials designated for destruction: Review the list for completeness, ensuring sensitive items are clearly indicated GoodIs a comprehensive list with item descriptions and their classification
- AskTo see a completed destruction certificate GoodDemonstrates completeness and clarity in documenting the destruction process
- AskThem about their understanding of the destruction process and how they ensure compliance GoodReflects a clear understanding of procedures and the importance of each step in the process
- GoodIncludes secure, organised, and accessible records that match the number of signed destruction certificates
Cross-framework mappings
How ISM-0373 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 7.14 | ISM-0373 requires personnel supervising destruction of media storing accountable material to supervise handling through to destruction, v... | |
| handshake Supports (1) expand_less | ||
| Annex A 5.33 | Annex A 5.33 requires records be protected from loss, destruction, falsification, unauthorised access and unauthorised release across the... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.