Ensure Proper Handling of Sensitive Media
Handle media carefully based on its sensitivity to keep information safe.
Plain language
This control is about making sure that things like USB drives, DVDs, or even printed documents are handled carefully based on how sensitive the information they contain is. This matters because if these items fall into the wrong hands, they could expose personal information, harm your business reputation, or lead to legal trouble.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
18 May 2026
E8 maturity levels
N/A
Official control statement
Media is handled in a manner suitable for its sensitivity or classification.
Why it matters
Mishandling classified or sensitive media (loss, theft or improper disposal) can cause data compromise, legal breaches and reputational harm.
Operational notes
Label and track sensitive media, store in approved secure containers, control access during transport, and sanitise or destroy media per its classification.
Implementation tips
- Office managers should categorise all media based on the sensitivity of the information it contains. Do this by reviewing the type of information, such as financial or personal details, and labelling the media accordingly with clear tags like 'Confidential' or 'Public'.
- Staff responsible for media should secure sensitive items in locked cabinets or secure electronic systems. This can be done by establishing a secure storage area with access controls, ensuring only authorised personnel can access sensitive materials.
- Managers should train employees on proper media handling procedures. Offer a simple workshop on recognising sensitive information and the appropriate steps to secure it, including how to transport sensitive media safely and destroy it when no longer needed.
- IT teams should implement encryption for digital media that contains sensitive information. This means using software tools to scramble data, making it unreadable to anyone who doesn’t have the correct passcode or key to unlock it.
- Human Resources should develop and enforce a media handling policy. Create a clear set of rules and guidelines covering how all employees should handle, use, and dispose of sensitive media, and ensure everyone is aware of these policies through regular reminders and updates.
Audit / evidence tips
- AskThe company policy on media handling GoodIncludes detailed guidelines with clear responsibilities and actions
- GoodShows regular training sessions with comprehensive attendance
- GoodIs a well-documented list of who has access and how security is maintained
- GoodIs a report detailing findings and actions taken to correct any problems
- AskA demonstration of the disposal process for sensitive media. Verify steps are taken to ensure media is correctly destroyed, like shredding papers or erasing and physically destroying digital storage devices GoodDemonstrates understanding and proper use of destruction methods
Cross-framework mappings
How ISM-0831 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| Annex A 7.7 | ISM-0831 requires media to be handled in a manner appropriate to its sensitivity or classification | |
| Annex A 8.33 | Annex A 8.33 requires test information to be selected, protected and managed to prevent exposure of sensitive data | |
| handshake Supports (1) expand_less | ||
| Annex A 5.13 | ISM-0831 requires media to be handled in accordance with its sensitivity or classification to protect information | |
| extension Depends on (1) expand_less | ||
| Annex A 5.12 | ISM-0831 requires media to be handled according to its sensitivity or classification | |
| link Related (1) expand_less | ||
| Annex A 7.10 | ISM-0831 requires media to be handled in a manner suitable for its sensitivity or classification | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.