Develop and Maintain a Digital Preservation Policy
Organisations must create and keep up-to-date a policy for preserving digital information.
Plain language
This control is about having a plan for making sure important digital information stays accessible and safe over time. Without a plan, you risk losing valuable data to technology changes, degradation, or mistakes, which can hurt your business operations and reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
Data backup and restoration
Official control statement
A digital preservation policy is developed, implemented and maintained.
Why it matters
Without a digital preservation policy, information can be lost or become unreadable as formats and platforms age, disrupting operations and retention obligations.
Operational notes
Maintain and review the digital preservation policy to cover formats, metadata, migration steps and storage media refresh so records remain accessible and secure.
Implementation tips
- Business owners should work with their IT team to outline all the types of digital data their organisation creates and holds. This can be done by listing files, documents, and records, and by having a meeting to discuss how each is used and its importance.
- The IT team should draft a digital preservation policy that covers how to keep, store, and protect digital information. This can be done by using online templates or guidelines from sources like the ACSC (Australian Cyber Security Centre) and adapting them to fit the specific needs of the organisation.
- Managers should ensure all employees are trained on the new digital preservation policy. This involves holding a workshop or briefing session where the policy is explained, allowing staff to ask questions, and providing written copies or summaries.
- The IT team should set up a schedule to review and update the digital preservation policy regularly. This could mean setting a date every six months to check the policy against new technology changes or new security threats, making adjustments as needed.
- System owners should get feedback from employees who interact with digital data regularly to improve the preservation practices. They can do this by conducting surveys or feedback sessions to understand practical challenges and opportunities for policy improvement.
Audit / evidence tips
- Ask: the current digital preservation policy document. Request a copy and note the date it was last updated.
  Good: will include details on data types, storage strategies, and a recent review date.
- Ask: meeting records or notes from policy development discussions. Request evidence of staff and stakeholder involvement in creating the policy.
  Good: contains dated records with participant names and key discussion points.
- Ask: staff training records related to digital preservation. Request documentation that details who attended the training and what content was covered.
  Good: has a list of trained employees and their roles, with evidence of training materials used.
- Ask: the schedule outlining regular reviews of the digital preservation policy. Request documentation or reminders sent to staff about upcoming reviews.
  Good: includes a clear, documented schedule with past review dates and planned future ones.
- Ask: to see results of feedback activities from employees about the preservation practices. Request results or summaries of surveys or discussions held with staff.
  Good: includes feedback reports, potential policy adjustments, and response plans to address concerns raised.
Cross-framework mappings
How ISM-1510 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 5.4 | ISM-1510 requires an organisation to develop, implement and maintain a digital preservation policy so preservation expectations are defin... | |
| Related (1) | | |
| Annex A 5.1 | Annex A 5.1 requires an organisation to establish and manage various security policies | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.