Reset Device Settings Before Media Sanitisation
Reset hidden and configuration settings on hard drives before erasing them to ensure nothing is overlooked.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2021
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for media
Section
Media sanitisation
The host-protected area and device configuration overlay table are reset prior to the sanitisation of non-volatile magnetic hard drives.
Source: ASD Information Security Manual (ISM)
Plain language
Before you erase a hard drive, reset all hidden and internal settings. This prevents anything from being missed, ensuring sensitive information isn’t accidentally retained and potentially accessed by someone else later on.
Why it matters
If the host-protected area (HPA) and device configuration overlay (DCO) aren’t reset before sanitising a magnetic HDD, the hidden areas they define can retain sensitive data that is later recovered, causing a breach.
Operational notes
Before sanitisation, identify and reset the drive’s HPA and DCO to factory/default, then confirm full native capacity is exposed and logged.
Implementation tips
- The IT team should first identify any hard drives that need to be reset. Make a list of all such devices in your organisation before any sanitisation process starts.
- Device managers should remove any hidden settings on hard drives. This means accessing the special areas where settings are stored and ensuring they are cleared or set back to default.
- The IT team should verify the resetting of each drive's hidden configurations. This involves checking both the host-protected area and device configuration overlay table to ensure all settings are properly reset.
- IT staff must use specialised software to reset and then sanitise the drives. Simple step-by-step software solutions can make it easy to navigate and properly perform these tasks.
- System owners should confirm the process is complete and no data is left over. They can conduct a final check using available verification tools to ensure the sanitisation was thorough.
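The check in the operational notes (full native capacity exposed and logged) can be automated. The following is an added example, not part of the ISM or of this page's source: it assumes the Linux `hdparm -N` report format, uses constructed sample output for two hypothetical drives, and covers the HPA check only, so the DCO still needs its own check.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of `hdparm -N <device>` output for two drives (not real captures).
SAMPLE_OUTPUT = """\
/dev/sdb:
 max sectors   = 586070255/586072368, HPA is enabled

/dev/sdc:
 max sectors   = 1953525168/1953525168, HPA is disabled
"""

DEVICE_RE = re.compile(r"^(/dev/\S+):$")
SECTORS_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)")


def parse_hpa_report(text):
    """Return one record per device: visible vs native sector counts and HPA state."""
    records, device = [], None
    for line in text.splitlines():
        header = DEVICE_RE.match(line.strip())
        if header:
            device = header.group(1)
            continue
        m = SECTORS_RE.search(line)
        if m and device:
            visible, native = int(m.group(1)), int(m.group(2))
            records.append({
                "device": device,
                "visible_sectors": visible,
                "native_sectors": native,
                "hidden_sectors": native - visible,
                # Check the arithmetic as well as the flag: either one blocks sanitisation.
                "ready_for_sanitisation": visible == native and m.group(3) == "disabled",
            })
            device = None
    return records


def evidence_log(records, now=None):
    """Serialise records as timestamped JSON lines suitable for an audit trail."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return [json.dumps({"checked_at": stamp, **r}, sort_keys=True) for r in records]


if __name__ == "__main__":
    for entry in evidence_log(parse_hpa_report(SAMPLE_OUTPUT)):
        print(entry)
```

A drive with `ready_for_sanitisation` set to false still hides sectors from the sanitisation tool and must be reset and re-checked before erasure starts.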
Audit / evidence tips
- Ask: a list of all devices identified for sanitisation. Request the inventory file that lists all hard drives needing resetting and sanitisation.
  Good: includes a comprehensive, up-to-date inventory file
- Ask: records of the reset process for each device. Request documented evidence showing the reset of the host-protected area and device configuration overlay.
  Good: includes timestamped logs or reports showing these settings were addressed
- Ask: the software or tools used in the process. Request documentation showing what tools or software were used to reset and sanitise the drives.
  Good: provides legitimate and reputable tools listed for use
- Ask: evidence of a verification check after sanitisation. Request the final check documentation.
  Good: includes validation reports from verification tools
- Ask: training materials for the staff involved. Request training records or materials used to educate the IT team on performing these actions.
  Good: includes comprehensive training logs or registration details for relevant training sessions
Cross-framework mappings
How ISM-1065 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 7.10 | ISM-1065 requires resetting HPA and DCO on non-volatile magnetic hard drives prior to sanitisation to prevent hidden storage areas persis... |
| Supports | Annex A 7.14 | ISM-1065 requires organisations to reset the host-protected area (HPA) and device configuration overlay (DCO) on non-volatile magnetic ha... |
| Supports | Annex A 8.10 | ISM-1065 requires resetting HPA and DCO on magnetic hard drives before sanitisation so that deletion activities apply to all addressable ... |