Reset Device Settings Before Media Sanitisation
Reset hidden and configuration settings on hard drives before erasing them to ensure nothing is overlooked.
Plain language
Before you erase a hard drive, reset all hidden and internal settings. This prevents anything from being missed, ensuring sensitive information isn’t accidentally retained and potentially accessed by someone else later on.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for mediaSection
Media sanitisationOfficial control statement
The host-protected area and device configuration overlay table are reset prior to the sanitisation of non-volatile magnetic hard drives.
Why it matters
If HPA/DCO aren’t reset before sanitising a magnetic HDD, hidden areas can retain sensitive data and be recovered, causing a breach.
Operational notes
Before sanitisation, identify and reset the drive’s HPA and DCO to factory/default, then confirm full native capacity is exposed and logged.
Implementation tips
- IT team should first identify any hard drives that need to be reset. Make a list of all such devices in your organisation before any sanitisation process starts.
- Device managers should remove any hidden settings on hard drives. This means accessing the special areas where settings are stored and ensuring they are cleared or set back to default.
- The IT team should verify the resetting of each drive's hidden configurations. This involves checking both the host-protected area and device configuration overlay table to ensure all settings are properly reset.
- IT staff must use specialised software to reset and then sanitise the drives. Simple step-by-step software solutions can make it easy to navigate and properly perform these tasks.
- System owners should confirm the process is complete and no data is leftover. They can conduct a final check using available verification tools to ensure the sanitisation was thorough.
Audit / evidence tips
- AskA list of all devices identified for sanitisation: Request the inventory file that lists all hard drives needing resetting and sanitisation GoodIncludes a comprehensive, up-to-date inventory file
- AskRecords of the reset process for each device: Request documented evidence showing the reset of the host-protected area and device configuration overlay GoodIncludes timestamped logs or reports showing these settings were addressed
- AskThe software or tools used in the process: Request documentation showing what tools or software were used to reset and sanitise the drives GoodProvides legitimate and reputable tools listed for use
- AskEvidence of a verification check after sanitisation: Request the final check documentation GoodIncludes validation reports from verification tools
- AskTraining materials for the staff involved: Request training records or materials used to educate the IT team on performing these actions GoodIncludes comprehensive training logs or registration details for relevant training sessions
Cross-framework mappings
How ISM-1065 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 7.10 | ISM-1065 requires resetting HPA and DCO on non-volatile magnetic hard drives prior to sanitisation to prevent hidden storage areas persis... | |
| handshake Supports (2) expand_less | ||
| Annex A 7.14 | ISM-1065 requires organisations to reset the host-protected area (HPA) and device configuration overlay (DCO) on non-volatile magnetic ha... | |
| Annex A 8.10 | ISM-1065 requires resetting HPA and DCO on magnetic hard drives before sanitisation so that deletion activities apply to all addressable ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.