ISM-1418: ASD Information Security Manual (ISM)

Disable Unnecessary Removable Media Access

If you don't need to use removable devices for work, access to them should be blocked.

Plain language

Disabling unnecessary access to removable media like USB sticks is important to protect sensitive information. If these devices aren't needed for work, they can be a serious security risk because they can introduce viruses or allow someone to steal data easily.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

If there is no business requirement for reading from removable media and devices, such functionality is disabled via the use of a device access control application or by disabling external communication interfaces.

Why it matters

If removable media access isn’t disabled when unnecessary, malware can be introduced and sensitive data can be copied off-system.

Operational notes

Use device access control to block USB/removable media by default; only enable approved ports/devices when a business need exists.

Implementation tips

  • System owner should assess the need: Determine if your office staff actually requires the use of USB drives for their daily tasks. If not, you can move to the next steps of preventing access.
  • IT team should block USB ports: Use the office's computer management software to disable USB ports on all computers. This can be done by changing the system settings or installing specific software that controls device access.
  • Manager should communicate the change: Inform all staff about the policy on USB and external device usage. Provide clear reasons why it's necessary for security, stressing the protection of customer data and business secrets.
  • IT team should maintain an allowlist: Identify any users who must still use removable media for their work tasks and create a list of approved devices and users. Ensure these devices are regularly checked for security issues.
  • Manager and IT team should review regularly: Both should meet quarterly to review the device access list and staff needs to ensure the policy is still suitable and being followed.

Audit / evidence tips

  • Ask: A list of approved removable media. Request documentation showing which devices and staff are authorised to use them.
  • Ask: Records of device management software configuration. Request reports that show how USB ports are disabled across the organisation. Good: Shows recent updates and specific control settings applied.
  • Ask: A communication record. Request copies of emails or meeting notes sent to staff about the removable media policy.
  • Ask: IT logs or records of checks on allowlisted devices. Request evidence of routine checks performed on approved removable media. Good: Set of records demonstrates regular intervals and no significant security issues.
  • Ask: Meeting notes from quarterly reviews. Request the documentation from meetings where managers and IT staff discussed removable media access. Check the meeting frequency and the details of any decisions made or updates to the policy. Good: Note set provides clear action items and a plan for continued review.

Cross-framework mappings

How ISM-1418 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 5.15: ISM-1418 requires disabling unnecessary removable media and device reading via device access control or disabling external interfaces

Partially overlaps (1)

  • Annex A 7.10: ISM-1418 requires organisations to disable reading from removable media and devices where there is no business requirement, using device ...

Supports (1)

  • Annex A 5.10: ISM-1418 requires organisations to technically block removable media access when it is not needed for business

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.