Use Approved Equipment for Media Destruction
Use officially approved devices for destroying media to ensure proper disposal.
Plain language
When you have old or unnecessary storage devices like hard drives or USBs, it's important to destroy them properly so that sensitive data can't be recovered by anyone else. Using equipment approved by security bodies like the Security Construction and Equipment Committee ensures that the data is absolutely unrecoverable. If you don't do this, you risk private information getting into the wrong hands, which can lead to identity theft, data breaches, or financial losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Security Construction and Equipment Committee-approved equipment or ASIO-approved equipment is used when destroying media.
Why it matters
Improper media destruction using unapproved equipment can allow sensitive data recovery, causing data breaches, legal exposure and reputational damage.
Operational notes
Maintain a register of ASIO/SCEC-approved destroyers, verify approvals before use, and train staff to operate devices per vendor guidance.
Implementation tips
- The IT team should identify all storage devices that need to be destroyed, such as old computers, hard drives, and USB drives. They can do this by conducting an inventory of all decommissioned or outdated electronic devices within the organisation.
- Managers should ensure that only officially approved media destruction equipment is used. They can do this by checking the lists of equipment approved by Australian security authorities like ASIO and ensuring these are available and used by the IT team.
- Procurement officers should only purchase media destruction equipment that is listed on the official approval lists. They can do this by consulting the Security Construction and Equipment Committee's approved equipment list before placing any orders.
- Office managers should organise periodic training sessions for staff on the importance of using approved devices for media destruction and the risks involved in improper disposal. They can arrange this by coordinating with external security experts or internal IT staff for the training.
- The IT team should document all instances of media destruction using approved equipment, including details like date, type of media destroyed, and the specific approved equipment used. They should keep these records organised and accessible for future audits.
Audit / evidence tips
- AskThe list of media destruction equipment used by the IT team GoodEquipment list matches the approved list exactly
- GoodEntries are complete and show the use of approved equipment for each destruction event
- AskThe procurement records for media destruction equipment GoodPurchases are only made from the approved equipment list and records are well documented
- AskA copy of the training materials related to media destruction GoodTraining materials clearly outline the importance of using approved equipment and include relevant lists
- AskAttendance records of media destruction training sessions GoodAll key personnel, especially those from IT and procurement, have attended relevant training sessions
Cross-framework mappings
How ISM-1361 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 7.10 | ISM-1361 requires that when destroying media, organisations use SC&E Committee-approved or ASIO-approved destruction equipment | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 7.14 | Annex A 7.14 requires verification that data and licensed software are removed or securely overwritten before equipment is disposed of or... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.