Decide on Public Release of Data Storage Media
After data is erased or destroyed, a formal decision is made before media is released to the public.
Plain language
When you delete or destroy data stored on media like hard drives or USB sticks, you need to make a formal decision about whether it's safe to release those items to the public. This matters because if data isn't completely erased or destroyed, someone could retrieve sensitive information, leading to potential privacy breaches or data theft.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Following sanitisation, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain.
Why it matters
Without a documented administrative decision to release sanitised/destroyed media (or waste) to the public domain, residual data may be exposed, causing privacy breaches and theft.
Operational notes
Record a formal, authorised release decision (including scope: media vs waste) after confirming sanitisation/destruction and declassification results; retain approvals and evidence before public disposal.
Implementation tips
- Managers should establish a policy for data disposal: Clearly outline when and how data storage media can be released to the public after sanitisation. This could be a simple rule book that everyone in the organisation follows.
- IT staff should perform data erasure verification: Before releasing any data storage media, IT should use software tools to confirm that data has been fully erased. Conduct tests to ensure there are no data remnants left.
- System owners should document the sanitisation process: Keep records of what data was on the device, how it was erased or destroyed, and the date and person responsible for the action. Use a standardised template for consistency.
- Security officers should review disposal decisions: They should verify that any release of storage media doesn't inadvertently expose sensitive data. This involves checking that the media was correctly classified and sanctioned for public release.
- Procurement leaders should ensure secure disposal contracts: Contracts with recycling or disposal vendors should include requirements for ensuring data erasure and verification. Confirm that the vendors have adequate certifications and processes in place.
Audit / evidence tips
- Ask: copies of disposal policies and procedures
  Good: policy will clearly define the sanitisation process and have formal approval from senior management
- Good: includes clear documentation of successful data erasure with dates and responsible persons noted
- Ask: them to describe the steps they take to ensure all data is removed before media is released
  Good: a clear understanding of the erasure process and the tools used
- Ask: contracts with disposal vendors
  Good: contract outlines vendor responsibilities, including providing proof of data destruction
Cross-framework mappings
How ISM-0375 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 7.10 | Partially meets | ISM-0375 requires a formal administrative decision to release storage media or its waste into the public domain following sanitisation, d... |
| Annex A 7.14 | Partially overlaps | ISM-0375 requires that after sanitisation, destruction or declassification, an authorised administrative decision is formally made before... |
| Annex A 8.10 | Partially overlaps | ISM-0375 requires an authorised administrative decision before media (or its waste) can be released publicly after sanitisation, destruct... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.