Use NSA-evaluated Degaussers for Media Destruction
Only use NSA-approved degaussers to securely erase data from storage media.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
July 2020
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
If using degaussers to destroy media, degaussers evaluated by the United States' National Security Agency are used.
Source: ASD Information Security Manual (ISM)
Plain language
This control means that when you need to erase data from things like old hard drives or tapes, you should use degaussers that the United States' National Security Agency (NSA) has evaluated. This is important because using the right equipment ensures sensitive or private information is thoroughly wiped, protecting you from data leaks and the potential legal and financial consequences that come with them.
Why it matters
Using non-NSA-evaluated degaussers risks incomplete data erasure, enabling recovery of sensitive data and causing breaches and reputational damage.
Operational notes
Maintain evidence the degausser is on the NSA Evaluated Products List and re-check model/firmware after servicing or replacement to ensure compliant destruction.
Implementation tips
- IT department: Confirm which degaussers are approved by the NSA for secure data destruction. Check the latest guidance from the NSA to get a list of approved equipment.
- Purchasing team: Buy or lease only NSA-evaluated degaussers for your organisation. Ensure the supplier provides certification that their products are NSA-evaluated before making a purchase decision.
- Operations manager: Train staff responsible for data destruction on how to properly use NSA-evaluated degaussers. Set up a training session with practical demonstrations and supporting materials, such as manuals or videos.
- IT team: Set procedures for regularly checking degaussers to ensure they're working correctly. Establish a routine maintenance schedule, and log your checks in a maintenance record.
- Manager: Document your media destruction process and the equipment used to ensure compliance. Maintain a record of all devices degaussed and staff who performed the process, along with the date and time.
Audit / evidence tips
-
Ask: equipment purchase records: Request documents showing the purchase or leasing of NSA-evaluated degaussers
Good: includes valid NSA approval documentation tied to each degasser used
-
Ask: training records: Request records of training sessions for staff using degaussers
Good: shows regular, comprehensive training aligned with current practices
-
Ask: maintenance logs: Request maintenance logs for the degaussers
Good: shows maintenance performed at recommended intervals and any repairs conducted
-
Ask: documented procedures: Request written procedures on using the degaussers
Good: includes staff roles and responsibility clearances
-
Ask: to observe the process: Request a demonstration of the degaussing process using the approved equipment
Good: shows staff following steps with ensured data destruction
Cross-framework mappings
How ISM-1160 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | ||
| Annex A 7.10 | ISM-1160 specifies an approved standard for degaussing equipment when degaussing is used to destroy storage media | |
| Annex A 7.14 | Annex A 7.14 requires ensuring sensitive data is removed or securely overwritten before equipment containing storage media is disposed of... | |
| Annex A 8.10 | ISM-1160 requires that where degaussing is used as the secure destruction method, the organisation uses NSA-evaluated degaussers to ensur... | |