ISM-1223 ASD Information Security Manual (ISM)

Methods for Sanitising Network Device Memory

Network device memory is cleaned by following specific guidance or doing a reset and reinstalling firmware.

Plain language

This control is about thoroughly erasing any sensitive information that might be stored in the memory of network devices, like routers or switches, before they are disposed of or reused. If this isn't done properly, there's a risk that unauthorised people could access your data, potentially leading to data breaches or privacy violations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Memory in network devices is sanitised using the following processes, in order of preference:

  • following device-specific guidance provided in evaluation documentation
  • following vendor sanitisation guidance
  • loading a dummy configuration file, performing a factory reset and then reinstalling firmware.

Why it matters

If network device memory isn’t sanitised, residual configs, credentials or keys may be recovered, enabling unauthorised access and data compromise.

Operational notes

Sanitise device memory before disposal/transfer: use evaluation docs first, then vendor guidance; otherwise load a dummy config, factory reset, and reinstall firmware.

Implementation tips

  • IT team should gather the device-specific documentation: First, the IT team should find and review any instructions provided by the device manufacturer for sanitising memory. This is usually found in the technical manual or support section of the manufacturer's website.
  • IT team should consult vendor guidelines: If device-specific instructions are unavailable, the IT team should check for any broader vendor guidelines on memory sanitisation. They might need to reach out to vendor support or check the vendor's online resources.
  • System owners should load a dummy configuration: As a precaution, system owners should load a harmless, blank configuration file onto the device. This ensures that the memory no longer contains active configuration data.
  • IT team should perform a factory reset: The IT team should reset the device to its original factory settings. This can typically be done through the device's menu options or using a special reset button or combination.
  • IT team should reinstall the latest firmware: After a reset, the IT team should reinstall the latest firmware. This ensures the device is up-to-date and doesn't retain any old, potentially exploitable software versions.

Audit / evidence tips

  • Ask: Device-specific sanitisation records: Request records or logs that detail the sanitisation process for each device. Good: Includes date-stamped records that clearly outline the steps taken for sanitisation.
  • Ask: To see dummy configuration documentation: Verify documentation that shows the dummy configuration file used. Good: Is a simple, clear file that contains no sensitive data.
  • Ask: Evidence of factory resets: Request to see records or logs indicating a factory reset was performed. Good: Is a log or report that notes the reset date and any checks completed post-reset.
  • Ask: Firmware reinstallation records: Request a document showing that firmware was reinstalled after the reset. Good: Includes current version details and recent dates that coincide with the resets.
  • Ask: About vendor communication logs: Request copies of any communication with vendors regarding sanitisation processes. Good: Contains correspondence detailing verified sanitisation practices recommended by the vendor.

Cross-framework mappings

How ISM-1223 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 7.14: ISM-1223 requires network device memory to be sanitised using device-specific evaluation guidance, vendor sanitisation guidance, or a dum...

Related (1)

  • Annex A 8.10: Annex A 8.10 requires organisations to delete information from devices and storage media when it is no longer needed

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
