Develop and Maintain Media Management Policy
Create and update a policy to manage media handling effectively.
Plain language
A media management policy is like a rulebook for how everyone in your organisation should handle items such as USB drives, CDs, or DVDs that store information. It matters because without proper guidance, sensitive information could be lost, damaged, or stolen, leading to serious problems like data breaches or reputational harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
A media management policy is developed, implemented and maintained.
Why it matters
Without a media management policy, removable media (e.g., USBs) may be used or disposed of insecurely, causing data leakage and reputational harm.
Operational notes
Review and reissue the media management policy at least annually, covering approved media types, labelling, storage, transport, sanitisation and disposal.
Implementation tips
- The IT manager should draft a media management policy detailing how different types of media should be handled, stored, and disposed of. They can start by listing the various types of media the organisation uses and outlining acceptable uses and handling requirements for each type.
- The HR department should assist in training employees on the new media management policy. This could involve organising group sessions or online courses that explain the policy in easy-to-understand language and why it's important to follow it.
- The operations manager should ensure secure storage is available for media when it's not in use. They can set up a designated locked area or secure cabinets within the office where media is stored safely.
- The IT team should establish procedures for regularly reviewing and updating the media management policy to keep it relevant. They should schedule a review every 12 months or whenever there is a significant change in technology or business operations.
- The system owners should implement a check-in and check-out system for media to maintain accountability. This can be a simple logbook or software that records who is taking media out and when it must be returned.
Audit / evidence tips
- Ask: the media management policy document. Request the most recent version of the organisation's media management policy. Good: includes specific instructions for different types of media and is dated within the last year.
- Good: is a complete list showing most or all employees trained within the last year.
- Ask: to see the secure storage area for media. Request a demonstration or photos of where the media is securely stored. Good: is a well-secured area with evidence of controlled access.
- Ask: the schedule or calendar showing planned reviews of the media management policy. Good: is a calendar with entries showing reviews conducted annually or as needed.
- Ask: the media usage log. Request to see logs of media being checked in and out. Good: is a comprehensive log with the most recent entries showing proper usage tracking and accountability.
Cross-framework mappings
How ISM-1549 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.1 | ISM-1549 requires an organisation to develop, implement, and maintain a media management policy for how media is handled and controlled |
| Partially overlaps | Annex A 5.4 | Annex A 5.4 requires management to require personnel to apply information security consistent with established policies and procedures |
| Partially overlaps | Annex A 5.10 | Annex A 5.10 requires acceptable use rules and handling procedures for information and associated assets to be documented and implemented |
| Supports | Annex A 5.36 | ISM-1549 requires an organisation to develop, implement, and maintain a media management policy |
| Supports | Annex A 5.37 | ISM-1549 requires an organisation to develop, implement, and maintain a media management policy |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.