ISM-0839 ASD Information Security Manual (ISM)

Prohibit Outsourcing of Media Destruction

Do not allow external companies to destroy media with sensitive data.

Plain language

This control means you shouldn't allow outside businesses to destroy old equipment or data storage like hard drives that contain sensitive information. It's important because if this data gets into the wrong hands, it could lead to identity theft, financial loss, or damage to your business reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The destruction of media storing accountable material is not outsourced.

Why it matters

Outsourcing media destruction can lead to leaks of sensitive data, resulting in identity theft, financial loss, or reputational damage.

Operational notes

Do not outsource destruction of media holding accountable material; perform it in-house with authorised staff, logging serials, chain-of-custody and destruction outcomes.

Implementation tips

  • Managers should ensure their staff understand the importance of keeping sensitive information protected by not outsourcing its destruction. Conduct training sessions explaining how mishandled data can lead to breaches. Make sure everyone is aware of the policies regarding data handling.
  • The IT team should develop and implement a secure media destruction process internally. Identify all types of media that contain sensitive data and set up a secure method for destroying them, such as shredding or degaussing in a controlled environment.
  • Office managers should regularly audit their media destruction practices. Conduct spot checks to ensure that only authorised personnel are involved in the media destruction process and that it takes place in-house.
  • Procurement should vet any third-party services that handle equipment disposal but not data destruction. Ensure contracts clearly specify that the third party will not be responsible for destroying any data storage devices.
  • The security officer should oversee the development of a clear policy on media destruction. Draft a policy document outlining the steps and tools used for in-house destruction and ensure it's easily accessible to all staff members for reference.

Audit / evidence tips

  • Ask: Records of any media destruction activities. Request documentation showing details about destroyed media, including dates and methods used. Good: A comprehensive log showing dates, responsible personnel, and methods used.
  • Ask: To see internal training materials. Request to view the training materials used to educate staff on data protection and media destruction. Good: Includes detailed guides and attendance records from training sessions.
  • Ask: Policy documents on media destruction. Request to view the formal policy document governing internal media destruction processes. Good: A policy that is up-to-date, comprehensive, and easily understood.
  • Ask: Internal audits or reports on media handling. Request any reports on assessments of media destruction processes. Good: Includes documented assessments with findings and improvement actions.
  • Ask: Staff sign-off sheets. Request sheets signed by staff acknowledging their understanding of the internal media destruction process. Good: Records showing regular sign-offs from employees involved in media handling.

Cross-framework mappings

How ISM-0839 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 7.10: ISM-0839 requires that destruction of media storing accountable material is not outsourced, keeping media destruction under the organisat...
Partially overlaps (1)
Annex A 7.14: ISM-0839 requires that the destruction of media storing accountable material is not outsourced

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
