ISM-1059 ASD Information Security Manual (ISM)

Ensure All Data on Media is Encrypted

All data stored on devices must be secured so that it is not readable without authorisation, protecting it from unauthorised access.

Plain language

This control means that any data stored on devices such as computers, USB sticks, or external drives should be encrypted. This is crucial because if someone unauthorised gets their hands on these devices, they can't read or misuse the data, protecting sensitive information from being exposed.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

All data stored on media is encrypted.

Why it matters

If data on media isn't encrypted, a stolen or lost device could expose sensitive info, leading to data breaches and reputational damage.

Operational notes

Regularly verify encryption is enabled on removable media and endpoints; enforce full-disk encryption and block unencrypted USB storage where possible.

Implementation tips

  • IT team: Ensure that all sensitive data on devices is encrypted by using standard encryption software. This can be achieved by installing a well-regarded encryption tool and setting it up to automatically encrypt data stored on hard drives and removable media.
  • Office manager: Educate staff about the importance of encryption and how to check if their data is being properly encrypted. Conduct a simple training session where you show them how to identify encryption symbols or labels on their files and devices.
  • System administrator: Regularly update encryption software to ensure it's using the latest security technology. Schedule regular checks to confirm that all devices are running the latest versions of the encryption tools.
  • Procurement officer: Include encryption compatibility as a criterion when purchasing new digital storage media. Work with the IT department to ensure that all newly acquired hardware can support encryption standards.
  • Data protection officer: Develop a policy outlining the handling and storage of encrypted devices. This should include guidelines on how to properly store, back up, and dispose of media while ensuring data remains encrypted throughout.

Audit / evidence tips

  • Ask: The encryption software inventory. Request a list of all encryption tools used across the organisation. Good: All tools are up-to-date with recent security patches.
  • Ask: An encryption implementation policy. Request to review the document outlining how encryption is applied to data at rest. Good: The policy clearly defines what tools are used, when and how encryption is applied, and who is responsible.
  • Ask: Device encryption verification reports. Request audit logs or reports showing devices that have been checked for encryption status. Good: Logs show regular checks with no unauthorised exceptions.
  • Ask: Training records. Request records of staff training sessions on encryption. Good: Training is conducted regularly with comprehensive material and high attendance.
  • Ask: Procurement guidelines. Request the documentation that outlines the criteria for purchasing digital storage devices. Good: Procurement guidelines mandate encryption compatibility for all new devices.

Cross-framework mappings

How ISM-1059 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 7.10: ISM-1059 mandates encryption of all data stored on media as a fundamental security measure

Supports (1)

  • Annex A 5.33: Annex A 5.33 requires protection of records against unauthorised access and unauthorised release as well as loss and falsification

Depends on (1)

  • Annex A 8.24: ISM-1059 requires encryption for all data on media, implying the need for effective cryptographic key management

Related (1)

  • Annex A 8.1: Annex A 8.1 requires organisations to protect information stored on, processed by, or accessible via user endpoint devices

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
