Establish and Maintain Removable Media Policy
Organisations must create and uphold a policy for using removable media safely.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
A removable media usage policy is developed, implemented and maintained.
Source: ASD Information Security Manual (ISM)
Plain language
Having a policy for using removable media, like USB sticks and external hard drives, helps keep your organisation's data safe. Without clear rules, staff might accidentally introduce malware or lose important information, which could harm your business and breach privacy laws.
Why it matters
Without a removable media policy, there is a greater chance of malware being introduced via USB devices and of sensitive data being copied off the network without any control or record of it.
Operational notes
Maintain a removable media policy covering approved devices, encryption, scanning, labelling, secure storage, and disposal; review at least annually.
Implementation tips
- Managers should draft a policy on removable media usage to outline allowed devices and approved software for managing these devices. Use simple language to ensure everyone understands what devices can be used and for what purposes.
- The IT team should conduct regular training sessions for all staff on the correct usage of removable media. Use real-life examples and how-to guides to ensure employees know how to use these devices safely and securely.
- HR should ensure that new employees receive a copy of the removable media policy during onboarding. Provide a checklist to confirm they understand and accept this policy as part of their employment conditions.
- The IT department should implement technical controls to enforce the policy, such as device control on endpoints so that only approved removable media can be mounted (unapproved devices are blocked at the endpoint, not at the network, since removable media attaches directly to the workstation). Use endpoint security software that identifies devices by vendor, product and serial number, automatically blocks anything not on the approved list, and logs each blocked or allowed connection.
- System owners should review and update the removable media policy at least annually. Set a reminder to assess new technologies and threats, ensuring the policy remains relevant and comprehensive.
Audit / evidence tips
- Ask: the written removable media usage policy. Request the specific document that outlines the rules for using removable media.
  Good: a clearly defined policy with specific rules and procedures, dated within the last year.
- Ask: records of training sessions on removable media usage. Request details or logs of recent training activities.
  Good: attendance logs and training materials that match the policy requirements.
- Ask: evidence of new employee onboarding procedures. Request a checklist or induction pack that includes the removable media policy.
  Good: documented evidence that new employees have received and understood the policy.
- Ask: technical enforcement reports. Request data or logs that show technical controls are monitoring and enforcing removable media use.
  Good: current reports showing device control is active on endpoints, with any blocked or unapproved device connections logged and followed up.
- Ask: the latest policy review and update process. Request documentation of policy reviews, including who was involved and what changes were made.
  Good: a review document that shows the policy is updated annually with input from different stakeholders.
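The enforcement tip above (block unapproved devices at the endpoint) and the audit request for technical enforcement reports both come down to the same check: match each removable-media attach event against the organisation's register of approved devices and report what was allowed and what was blocked. The script below is an added example, not code from the ISM or the Control Stack page. It assumes a hypothetical endpoint agent log format with one line per USB mass-storage attach event; the allowlist entries, hostnames, usernames and log lines are constructed sample data.

```python
"""Removable media allowlist check producing a simple enforcement report.

Added example (not from the ISM or Control Stack). Assumed, hypothetical log
format written by an endpoint agent, one line per USB mass-storage attach:
  <timestamp> <host> <user> usb-storage vid=<hex4> pid=<hex4> serial=<string>
The approved-media register and the log lines below are constructed samples.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) usb-storage "
    r"vid=(?P<vid>[0-9a-fA-F]{4}) pid=(?P<pid>[0-9a-fA-F]{4}) serial=(?P<serial>\S*)$"
)

# The policy's register of issued media. Pinning on the serial number means a
# different unit with the same vendor/product IDs is not silently accepted.
APPROVED = {
    ("0781", "5583", "4C530001234567890001"): "ORG-USB-001 (encrypted, labelled OFFICIAL)",
    ("0781", "5583", "4C530001234567890002"): "ORG-USB-002 (encrypted, labelled OFFICIAL)",
}
APPROVED_MODELS = {(vid, pid) for vid, pid, _ in APPROVED}


@dataclass(frozen=True)
class Decision:
    ts: str
    host: str
    user: str
    device: str
    action: str   # "allow" or "block"
    reason: str


def evaluate(line: str) -> Optional[Decision]:
    """Return the policy decision for one attach event, or None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a removable-media attach event; ignore
    vid, pid, serial = m["vid"].lower(), m["pid"].lower(), m["serial"]
    device = f"{vid}:{pid}/{serial or '<no-serial>'}"
    key = (vid, pid, serial)
    if key in APPROVED:
        return Decision(m["ts"], m["host"], m["user"], device, "allow", APPROVED[key])
    if not serial:
        reason = "no serial number; cannot be matched to the approved-media register"
    elif (vid, pid) in APPROVED_MODELS:
        reason = "approved model but unregistered serial (possible personal or cloned device)"
    else:
        reason = "device not on the approved-media register"
    return Decision(m["ts"], m["host"], m["user"], device, "block", reason)


def enforcement_report(lines):
    """Evaluate every line; return decisions, allow/block counts and blocks per host."""
    decisions = [d for d in map(evaluate, lines) if d is not None]
    summary = Counter(d.action for d in decisions)
    blocked_by_host = Counter(d.host for d in decisions if d.action == "block")
    return decisions, summary, blocked_by_host


# Constructed sample log: one approved device, one unregistered unit of an
# approved model, one device with no serial, one unknown device, one unrelated line.
SAMPLE_LOG = """\
2026-02-20T09:01:12Z ws-0142 j.smith usb-storage vid=0781 pid=5583 serial=4C530001234567890001
2026-02-20T09:07:45Z ws-0142 j.smith usb-storage vid=0781 pid=5583 serial=4C530001234567890099
2026-02-20T10:15:03Z ws-0207 a.lee usb-storage vid=13fe pid=4300 serial=
2026-02-20T11:40:28Z ws-0311 m.wong usb-storage vid=0951 pid=1666 serial=E0D55EA5
2026-02-20T11:41:00Z ws-0311 m.wong sshd: accepted publickey for m.wong
"""

if __name__ == "__main__":
    decisions, summary, by_host = enforcement_report(SAMPLE_LOG.splitlines())
    for d in decisions:
        print(f"{d.ts} {d.host} {d.user} {d.device} {d.action.upper()}: {d.reason}")
    print("summary:", dict(summary), "blocked per host:", dict(by_host))
```

The per-event decisions are the evidence an auditor would ask for under "technical enforcement reports"; the blocked-per-host counts are the follow-up list for the IT team. The three distinct block reasons matter in practice: an approved model with an unregistered serial is the case a vendor/product-only allowlist would wrongly accept, and a device reporting no serial at all cannot be matched to the register, so the policy should treat it as unapproved.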
Cross-framework mappings
How ISM-1359 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (2) | |
| Annex A 5.1 | ISM-1359 requires an organisation to develop, implement and maintain a topic-specific policy covering removable media usage |
| Annex A 5.10 | ISM-1359 requires an organisation to develop, implement and maintain a removable media usage policy to manage the risks of using removabl... |
| Partially overlaps (1) | |
| Annex A 7.7 | ISM-1359 requires an organisation to establish and maintain a removable media usage policy covering safe handling and use of removable st... |
| Supports (3) | |
| Annex A 5.4 | ISM-1359 requires an organisation to establish and maintain a removable media usage policy so personnel know how removable media can be u... |
| Annex A 5.36 | ISM-1359 requires an organisation to develop, implement and maintain a removable media usage policy to manage removable media risks |
| Annex A 5.37 | ISM-1359 requires an organisation to implement and maintain a removable media usage policy to control how removable media is used and han... |