Certified Services for Outsourced Media Destruction
Use certified services for destroying non-accountable material to ensure security and compliance with ASIO guidelines.
Plain language
When you're getting rid of old computers or hard drives, it's important to make sure any data on them is destroyed securely. If you hire someone to do this job, you need to use a company certified by the National Association for Information Destruction (NAID). This matters because if data isn't destroyed properly, confidential information could end up in the wrong hands, leading to security breaches or legal issues.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
OS, P, S
ISM last updated
May 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
When outsourcing the destruction of media storing non-accountable material, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO's Protective Security Circular-167, is used.
Why it matters
Using a non-NAID AAA/PSC-167-endorsed destruction service increases the risk of media compromise, data spills and ISM non-compliance.
Operational notes
Routinely verify vendor NAID AAA certification and PSC-167 endorsements; retain evidence (certificates) and review before each destruction engagement.
Implementation tips
- Managers should identify and choose certified destruction services for media disposal. They can do this by checking the service provider's NAID certification and endorsements listed in ASIO's guidelines, ensuring they are properly qualified.
- Procurement teams should only engage with destruction services that are NAID AAA certified. Ensure the contract specifically mentions compliance with ASIO's Protective Security Circular-167 to prevent legal and security risks.
- Office managers should verify service provider credentials before authorising media destruction. Request evidence of current NAID certification and note any specific endorsements that apply to your needs.
- IT teams should mark media for destruction and prepare it according to the certified service provider's requirements. This includes organising and securely storing items until they are picked up for destruction.
- Compliance officers should oversee the entire media destruction process to ensure adherence to guidelines. They should also keep a record of all media destroyed, including dates and certificates from the destruction service, as proof of compliance.
Audit / evidence tips
- Ask: the contract with the destruction service provider. Ensure it states NAID AAA certification and references ASIO's PSC-167.
  Good: shows current certification and clear compliance terms.
- Ask: the destruction schedule and certificates.
  Good: result contains dates, descriptions of items destroyed, and service provider signatures.
- Good: document is up-to-date, matches the advertised services, and has official NAID endorsement.
- Ask: the internal policy on outsourcing media destruction. Check that it aligns with ASIO's guidelines and mandates the use of NAID certified providers. A strong policy will have clear steps and responsible parties outlined.
- Ask: records of media destruction assessments.
  Good: record shows thorough assessment with management approval.
Cross-framework mappings
How ISM-0840 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.19 | Partially meets | ISM-0840 mandates use of a certified third-party destruction service for outsourced destruction of media storing non-accountable material |
| Annex A 5.21 | Partially meets | ISM-0840 requires that when an organisation outsources destruction of media holding non-accountable material, it uses a specifically cert... |
| Annex A 7.10 | Partially overlaps | ISM-0840 addresses secure disposal by requiring a certified outsourced destruction service for media holding non-accountable material |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.