Use NSA-evaluated Degaussers for Media Destruction
Only use NSA-approved degaussers to securely erase data from storage media.
Plain language
This control means that when you need to erase data from things like old hard drives or tapes, you should use degaussers that the United States' National Security Agency (NSA) has evaluated. This is important because using the right equipment ensures sensitive or private information is thoroughly wiped, protecting you from data leaks and the potential legal and financial consequences that come with them.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
July 2020
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
If using degaussers to destroy media, degaussers evaluated by the United States' National Security Agency are used.
Why it matters
Using non-NSA-evaluated degaussers risks incomplete data erasure, enabling recovery of sensitive data and causing breaches and reputational damage.
Operational notes
Maintain evidence the degausser is on the NSA Evaluated Products List and re-check model/firmware after servicing or replacement to ensure compliant destruction.
Implementation tips
- IT department: Confirm which degaussers are approved by the NSA for secure data destruction. Check the latest guidance from the NSA to get a list of approved equipment.
- Purchasing team: Buy or lease only NSA-evaluated degaussers for your organisation. Ensure the supplier provides certification that their products are NSA-evaluated before making a purchase decision.
- Operations manager: Train staff responsible for data destruction on how to properly use NSA-evaluated degaussers. Set up a training session with practical demonstrations and supporting materials, such as manuals or videos.
- IT team: Set procedures for regularly checking degaussers to ensure they're working correctly. Establish a routine maintenance schedule, and log your checks in a maintenance record.
- Manager: Document your media destruction process and the equipment used to ensure compliance. Maintain a record of all devices degaussed and staff who performed the process, along with the date and time.
Audit / evidence tips
- Ask for equipment purchase records: Request documents showing the purchase or leasing of NSA-evaluated degaussers
  Good: includes valid NSA approval documentation tied to each degausser used
- Ask for training records: Request records of training sessions for staff using degaussers
  Good: shows regular, comprehensive training aligned with current practices
- Ask for maintenance logs: Request maintenance logs for the degaussers
  Good: shows maintenance performed at recommended intervals and any repairs conducted
- Ask for documented procedures: Request written procedures on using the degaussers
  Good: includes staff roles and responsibility clearances
- Ask to observe the process: Request a demonstration of the degaussing process using the approved equipment
  Good: shows staff following steps with ensured data destruction
Cross-framework mappings
How ISM-1160 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 7.10 | ISM-1160 specifies an approved standard for degaussing equipment when degaussing is used to destroy storage media | |
| Annex A 7.14 | Annex A 7.14 requires ensuring sensitive data is removed or securely overwritten before equipment containing storage media is disposed of... | |
| Annex A 8.10 | ISM-1160 requires that where degaussing is used as the secure destruction method, the organisation uses NSA-evaluated degaussers to ensur... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.