Sanitise Overseas IT Equipment Handling Sensitive Data
Overseas IT equipment with sensitive data must be sanitised where it is located.
Plain language
When your business uses IT equipment overseas that handles very sensitive Australian data, it's important to clean out or 'sanitise' that data before the equipment leaves its location. This matters because if this data is not properly removed, it could fall into the wrong hands, leading to data breaches that can harm your business's reputation and result in legal consequences.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
IT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data, is sanitised in situ.
Why it matters
Without in-situ sanitisation overseas, AUSTEO/AGAO data on equipment or media may be recovered, enabling unauthorised disclosure and damaging Australian interests.
Operational notes
Ensure overseas equipment/media that handled AUSTEO/AGAO is sanitised in situ before reuse, repair, return or disposal, and keep records of the method, date and verifier.
Implementation tips
- The IT team should develop a data sanitisation plan for overseas equipment. This plan should include steps on how to securely erase data using software or methods recommended by the Australian Cyber Security Centre (ACSC). Make sure the plan is clear and includes who will carry out each step.
- System owners should identify which pieces of overseas IT equipment store sensitive data. They can do this by reviewing inventory records and talking to staff who use the equipment. Document which devices require sanitisation according to the plan.
- Managers should ensure staff are trained on the importance of data sanitisation. Organise training sessions that explain why cleaning data is necessary and what could happen if data is leaked. Use examples of real-world data breaches to illustrate the risks.
- Procurement officers must check any service contracts with overseas partners or suppliers to ensure they include data sanitisation obligations. Review all contracts and update them if they don’t meet the required standards laid out by the ACSC.
- The IT team should verify data is properly erased from the overseas equipment before it is reused or disposed of. Use software that provides a data erasure certificate, and ensure that verification is documented as proof that data sanitisation took place.
Audit / evidence tips
- Ask: the data sanitisation plan. Request the documented process that outlines how data is removed from overseas IT equipment. Good: a comprehensive plan with clear roles, responsibilities, and procedures.
- Ask: training records. Request the schedule and attendance records for staff training on data sanitisation.
- Ask: contract reviews. Request documents showing reviews of contracts with overseas suppliers or partners. Good: includes identified and updated contracts to ensure compliance with data handling standards.
- Ask: proof of sanitised devices. Request logs or certificates that show data has been erased from equipment.
- Ask: inventory lists. Request the list of overseas IT equipment handling AUSTEO or AGAO data. Check that the list matches the items that underwent data sanitisation. Good: the list should be current, detailed, and correspond to sanitisation logs.
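The last two evidence checks (a sanitisation log with method, date and verifier, reconciled against the inventory of overseas equipment that handled AUSTEO/AGAO data) can be automated. The following script is an added example, not part of the Control Stack page or the ISM; the inventory, the log entries and the field names (`asset_id`, `status`, `method`, `date`, `verifier`) are constructed assumptions about how an organisation might keep these records.

```python
"""Reconcile an inventory of overseas IT equipment against sanitisation records.

Added example (not from the Control Stack page or the ISM). All data below is
constructed inline, and the field names are assumptions about how an
organisation might record the method, date and verifier that ISM-1218's
operational notes ask for.
"""
from datetime import date

# Fields a sanitisation record must carry to count as evidence.
REQUIRED_FIELDS = ("asset_id", "method", "date", "verifier")

# Lifecycle states after which a sanitisation record must exist
# (reuse, repair, return or disposal of the equipment/media).
STATES_REQUIRING_SANITISATION = {"reused", "repaired", "returned", "disposed"}

# Constructed inventory of overseas equipment/media that handled AUSTEO/AGAO data.
INVENTORY = [
    {"asset_id": "LAP-0001", "status": "in_service"},
    {"asset_id": "LAP-0002", "status": "returned"},
    {"asset_id": "HDD-0100", "status": "disposed"},
    {"asset_id": "USB-0007", "status": "repaired"},
]

# Constructed sanitisation log entries, deliberately including defects.
SANITISATION_LOG = [
    {"asset_id": "LAP-0002", "method": "software overwrite", "date": "2025-11-03", "verifier": "J. Citizen"},
    {"asset_id": "HDD-0100", "method": "degauss", "date": "2025-12-01", "verifier": ""},            # no verifier
    {"asset_id": "TAB-0042", "method": "software overwrite", "date": "2025-10-15", "verifier": "A. Nguyen"},  # not in inventory
]


def reconcile(inventory, log):
    """Return the findings an auditor would raise when matching inventory to logs.

    unsanitised        - assets in a state that requires sanitisation but with no complete record
    incomplete_records - log entries missing (or with malformed) required fields
    unknown_assets     - log entries for assets that are not on the inventory list
    """
    findings = {"unsanitised": [], "incomplete_records": [], "unknown_assets": []}
    inventory_ids = {item["asset_id"] for item in inventory}
    complete = set()  # asset ids with a complete, well-formed record

    for entry in log:
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if "date" not in missing:
            try:
                date.fromisoformat(entry["date"])
            except ValueError:
                missing.append("date")  # present but not a valid ISO date
        asset_id = entry.get("asset_id")
        if asset_id and asset_id not in inventory_ids:
            findings["unknown_assets"].append(asset_id)
        if missing:
            findings["incomplete_records"].append((asset_id, missing))
            continue
        complete.add(asset_id)

    for item in inventory:
        if item["status"] in STATES_REQUIRING_SANITISATION and item["asset_id"] not in complete:
            findings["unsanitised"].append(item["asset_id"])
    return findings


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, SANITISATION_LOG).items():
        print(f"{category}: {items}")
```

Run against the constructed data, the script reports HDD-0100 and USB-0007 as unsanitised (HDD-0100 because its only record lacks a verifier, USB-0007 because it has no record at all) and TAB-0042 as an asset that was sanitised but never appeared on the inventory, which is the mismatch the last evidence tip asks the auditor to look for.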
Cross-framework mappings
How ISM-1218 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 7.14 | Partially meets | ISM-1218 requires IT equipment (and associated media) located overseas that has handled AUSTEO or AGAO data to be sanitised in situ |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.