Establish and Maintain Removable Media Policy
Organisations must create and uphold a policy for using removable media safely.
Plain language
Having a policy for using removable media, like USB sticks and external hard drives, helps keep your organisation's data safe. Without clear rules, staff might accidentally introduce viruses or lose important information, which could harm your business and break privacy laws.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
A removable media usage policy is developed, implemented and maintained.
Why it matters
Without a removable media policy, the likelihood of malware being introduced via USB devices and of sensitive data being copied off the network without control increases.
Operational notes
Maintain a removable media policy covering approved devices, encryption, scanning, labelling, secure storage, and disposal; review at least annually.
Implementation tips
- Managers should draft a policy on removable media usage to outline allowed devices and approved software for managing these devices. Use simple language to ensure everyone understands what devices can be used and for what purposes.
- The IT team should conduct regular training sessions for all staff on the correct usage of removable media. Use real-life examples and how-to guides to ensure employees know how to use these devices safely and securely.
- HR should ensure that new employees receive a copy of the removable media policy during onboarding. Provide a checklist to confirm they understand and accept this policy as part of their employment conditions.
- The IT department should implement technical controls to enforce the policy, such as blocking unapproved devices from connecting to the network. Use endpoint security software that can automatically detect and block any unapproved devices.
- System owners should review and update the removable media policy at least annually. Set a reminder to assess new technologies and threats, ensuring the policy remains relevant and comprehensive.
Audit / evidence tips
- Ask for: the written removable media usage policy. Request the specific document that outlines the rules for using removable media.
  Good evidence: a clearly defined policy with specific rules and procedures, dated within the last year.
- Ask for: records of training sessions on removable media usage. Request details or logs of recent training activities.
  Good evidence: attendance logs and training materials that match the policy requirements.
- Ask for: evidence of new employee onboarding procedures. Request a checklist or induction pack that includes the removable media policy.
  Good evidence: documented evidence that new employees have received and understood the policy.
- Ask for: technical enforcement reports. Request data or logs that show technical controls are monitoring removable media.
  Good evidence: up-to-date reports showing active monitoring and no unauthorised device breaches.
- Ask for: the latest policy review and update process. Request documentation of policy reviews, including who was involved and what changes were made.
  Good evidence: a review document that shows the policy is updated annually with input from different stakeholders.
Cross-framework mappings
How ISM-1359 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.1 | ISM-1359 requires an organisation to develop, implement and maintain a topic-specific policy covering removable media usage | |
| Annex A 5.10 | ISM-1359 requires an organisation to develop, implement and maintain a removable media usage policy to manage the risks of using removabl... | |
| Partially overlaps (1) | | |
| Annex A 7.7 | ISM-1359 requires an organisation to establish and maintain a removable media usage policy covering safe handling and use of removable st... | |
| Supports (3) | | |
| Annex A 5.4 | ISM-1359 requires an organisation to establish and maintain a removable media usage policy so personnel know how removable media can be u... | |
| Annex A 5.36 | ISM-1359 requires an organisation to develop, implement and maintain a removable media usage policy to manage removable media risks | |
| Annex A 5.37 | ISM-1359 requires an organisation to implement and maintain a removable media usage policy to control how removable media is used and han... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.