Prevent Inappropriate Export of Sensitive Data
Procedures are set to stop sensitive data from being sent to foreign systems that aren't suitable.
Plain language
This control is about making sure that sensitive Australian data doesn't get sent to foreign countries or systems that aren't fully trusted. If we don't do this, there's a risk that this information could be used in ways that harm Australia's security or competitive position.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Printer ribbons in printers and MFDs are removed and destroyed.
Why it matters
Inadequate destruction of printer ribbons can expose residual print data, enabling unauthorised disclosure of sensitive information and harming national security or commercial interests.
Operational notes
Confirm printer/MFD ribbon removal after use and destroy via approved secure waste. Keep logs and perform periodic checks so spent ribbons are not left accessible in devices or bins.
Implementation tips
- IT team should establish secure data transfer protocols: They need to define who can export sensitive data and what steps are needed to ensure it's done safely. This includes using approved software and encryption for transferring data.
- Managers should train staff on data handling procedures: They should organise regular training sessions to explain what types of data are sensitive, which systems are authorised for data export, and the risks of non-compliance.
- Data owners should conduct regular checks on export activity: They need to review logs and records regularly to ensure that sensitive data isn't being exported to non-authorised systems. This involves checking export logs for anomalies or unauthorised access.
- Procurement should verify vendors' compliance with data policies: Before engaging external systems or services, ensure they meet Australian security standards for data handling. This involves reviewing contracts and conducting security audits of these systems.
- The compliance officer should maintain a list of authorised foreign systems: They should keep an up-to-date record of approved international partners and systems where sensitive data can be safely exported. This list should be regularly reviewed and updated based on changing policies or security concerns.
Audit / evidence tips
- AskThe data export policy document: Request the written policy that details procedures for exporting sensitive data GoodDocument specifies clear steps and has a recent revision date
- AskTraining records on secure data handling: Request attendance records from training sessions GoodRecord shows regular sessions with good attendance rates
- AskLogs showing all data exports for the past six months GoodLog shows no exports to non-authorised systems
- AskVendor compliance verification reports: Request reports or certificates from external vendors showing they meet Australian data handling standards GoodReport includes recent and valid certifications
- AskThe list of authorised foreign systems: Request access to the list of systems and partners approved for sensitive data export GoodList is detailed, up-to-date, and reflects current policies
Cross-framework mappings
How ISM-1534 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.12 | ISM-1534 requires a specific physical handling measure to prevent inappropriate export or leakage of sensitive data by removing and destr... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.