ISM-1600, ASD Information Security Manual (ISM)

Ensure Media is Sanitised Before Initial Use

Before using any media, clean it to ensure no unwanted data is present.

Plain language

Before you use any new storage like USB drives or hard disks, it's important to clean them to make sure there's no leftover data that could cause harm. If you skip this step, you might accidentally use a device that still has someone else's data on it, which could include sensitive information, putting your organisation at risk of data breaches or misuse.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Mar 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Media is sanitised before it is used for the first time.

Why it matters

Media that has not been sanitised before first use can retain residual data or malware, causing unauthorised disclosure or compromise.

Operational notes

Sanitise all newly acquired media before first use (e.g., secure erase/format per policy) and record/verify sanitisation prior to deployment.

Implementation tips

  • IT team should check all new storage devices: Before a USB drive or similar device is first used, IT should ensure it's clear of any old data. This can be done by using a software tool that securely wipes the device.
  • Procurement team should buy capable devices: When purchasing new storage devices, choose ones that can easily be wiped clean. This can involve checking product reviews for secure erase features.
  • Managers should create a policy: Develop a clear policy that requires cleaning of all new storage media before first use. Share this policy with everyone who might use these devices.
  • System owners should oversee compliance: Regularly check that storage cleaning procedures are being followed. This can be done by scheduling monthly checks or spot audits.
  • Staff should be trained: Conduct a brief training session to show employees how and why to clean new media. This can include hands-on demonstrations with common devices like USBs.

Audit / evidence tips

  • Ask: The storage sanitisation policy. Request the document that outlines the procedure for sanitising new media before use. Good: Includes a comprehensive policy with clear roles, procedures and consequences for non-compliance.
  • Ask: A list of newly purchased media. Request a record of newly acquired storage devices from the procurement team. Check that each device is documented with its sanitisation status before use. Good: Shows each device with records confirming it was wiped clean and checked.
  • Ask: A demonstration of the sanitisation process. Request IT to show how they wipe a new USB drive. Check that the process is straightforward and completed in a reasonable timeframe. Good: A successful wipe is completed and confirmed by a tool that shows no remaining data.
  • Ask: Training records. Request evidence of training sessions conducted for staff on media sanitisation. Good: Includes regular training dates, consistency in attendance, and comprehensive materials.
  • Ask: Incident records regarding media use. Request any incident logs relating to uncleaned media use. Good: Shows an absence of incidents, or well-documented problem resolution if incidents do occur.

Cross-framework mappings

How ISM-1600 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 7.10: ISM-1600 requires media to be sanitised before it is used for the first time to prevent introduction of unwanted or residual data.

Partially overlaps (1)

  • Annex A 8.10: ISM-1600 requires media to be sanitised before first use so it does not contain unwanted data that could create security or integrity issues.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
