Ensure All Data on Media is Encrypted
All data stored on devices must be secured so that it is unreadable to anyone without authorisation.
Plain language
This control means that any data stored on devices such as computers, USB sticks, or external drives should be encrypted. This is crucial because if someone unauthorised gets their hands on these devices, they can't read or misuse the data, protecting sensitive information from being exposed.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
All data stored on media is encrypted.
Why it matters
If data on media isn't encrypted, a stolen or lost device could expose sensitive info, leading to data breaches and reputational damage.
Operational notes
Regularly verify encryption is enabled on removable media and endpoints; enforce full-disk encryption and block unencrypted USB storage where possible.
Implementation tips
- IT team: Ensure that all sensitive data on devices is encrypted by using standard encryption software. This can be achieved by installing a well-regarded encryption tool and setting it up to automatically encrypt data stored on hard drives and removable media.
- Office manager: Educate staff about the importance of encryption and how to check if their data is being properly encrypted. Conduct a simple training session where you show them how to identify encryption symbols or labels on their files and devices.
- System administrator: Regularly update encryption software to ensure it's using the latest security technology. Schedule regular checks to confirm that all devices are running the latest versions of the encryption tools.
- Procurement officer: Include encryption compatibility as a criterion when purchasing new digital storage media. Work with the IT department to ensure that all newly acquired hardware can support encryption standards.
- Data protection officer: Develop a policy outlining the handling and storage of encrypted devices. This should include guidelines on how to properly store, back up, and dispose of media while ensuring data remains encrypted throughout.
Audit / evidence tips
- Ask: the encryption software inventory. Request a list of all encryption tools used across the organisation.
  Good: All tools are up-to-date with recent security patches.
- Ask: an encryption implementation policy. Request to review the document outlining how encryption is applied to data at rest.
  Good: The policy clearly defines what tools are used, when and how encryption is applied, and who is responsible.
- Ask: device encryption verification reports. Request audit logs or reports showing devices that have been checked for encryption status.
  Good: Logs show regular checks with no unauthorised exceptions.
- Ask: training records. Request records of staff training sessions on encryption.
  Good: Training is conducted regularly with comprehensive material and high attendance.
- Ask: procurement guidelines. Request the documentation that outlines the criteria for purchasing digital storage devices.
  Good: Procurement guidelines mandate encryption compatibility for all new devices.
Cross-framework mappings
How ISM-1059 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 7.10 | ISM-1059 mandates encryption of all data stored on media as a fundamental security measure |
| Supports | Annex A 5.33 | Annex A 5.33 requires protection of records against unauthorised access and unauthorised release as well as loss and falsification |
| Depends on | Annex A 8.24 | ISM-1059 requires encryption for all data on media, implying the need for effective cryptographic key management |
| Related | Annex A 8.1 | Annex A 8.1 requires organisations to protect information stored on, processed by, or accessible via user endpoint devices |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.