Develop and Maintain Media Disposal Procedures
Organizations must create and uphold procedures for securely disposing of media.
Plain language
This control is all about making sure that any old or unneeded media—things like USB drives, DVDs, or even old hard drives—are disposed of safely and securely. If this isn't done properly, sensitive information could fall into the wrong hands, putting your organisation's reputation and finances at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Media disposal processes, and supporting media disposal procedures, are developed, implemented and maintained.
Why it matters
Improper media disposal can cause data breaches by exposing sensitive information from discarded devices or paper records, harming finances and reputation.
Operational notes
Regularly audit disposal processes and train staff so all media is securely destroyed or sanitised (e.g., shredding, degaussing, wiping) before disposal.
Implementation tips
- Managers should create a media disposal policy: Start by listing all types of media your office uses. Describe how each type should be handled when it's no longer needed, such as shredding CDs or using specialised software to erase data from hard drives.
- IT staff should maintain disposal logs: Every time media is disposed of, record the date, what was disposed of, and how it was done. Keep this log handy for audits and reviews to demonstrate compliance.
- The office manager should train staff on disposal procedures: Hold a short workshop to explain the importance of media disposal and walk through the steps outlined in your policy. Reinforce why following these steps protects the organisation.
- Procurement teams should work with certified disposal services: Identify companies that specialise in secure media destruction. Verify their credentials and ensure they comply with standards set by the Australian Cyber Security Centre (ACSC).
- Regularly review and update procedures: IT managers should set a schedule, perhaps annually, to review disposal processes. Update procedures based on new technologies or risks and communicate changes to all staff.
Audit / evidence tips
- Ask: the organisation's media disposal policy
  Good: policy clearly describes how to handle all media types and aligns with industry standards
- Good: log shows consistent records of media disposed of, with dates and responsible staff noted
- Ask: them about the disposal process and how staff are trained. They should confidently explain the procedures and importance of secure disposal
- Good: includes valid, unexpired certificates from recognised authorities
Cross-framework mappings
How ISM-0374 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 7.10 | ISM-0374 requires organisations to develop, implement and maintain procedures for securely disposing of media | |
| Partially overlaps (1) | | |
| Annex A 7.14 | ISM-0374 requires organisations to develop, implement and maintain media disposal processes and supporting procedures | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.