Ensure Media is Sanitised Before Reuse
Clean media thoroughly before using it in a new security area to prevent data leaks.
Plain language
Before using storage media, like USB drives or hard disks, in a new area with different security rules, you need to make sure all previous data is wiped clean. This is important because if old data remains, there’s a risk of exposing sensitive information to people who shouldn’t have access to it, potentially leading to data breaches and loss of trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Media is sanitised before it is reused in a different security domain.
Why it matters
Reusing unsanitised media across security domains can expose residual data to unauthorised users, causing sensitive information disclosure.
Operational notes
Verify media sanitisation before reuse across security domains using approved methods, and keep records of wipe/clear outcomes to prevent data remanence.
Implementation tips
- IT staff should ensure all media is correctly wiped before reuse: Use software or hardware tools specifically designed for data sanitisation to clear drives of old data. Ensure the entire storage area of the device is overwritten and verified clean.
- Managers should have a media management policy: Create a clear set of rules outlining how media should be cleaned and tracked before it's reassigned to different departments or security zones. Include steps for sanitising and a checklist for compliance.
- Procurement officers should purchase sanitisation tools: Ensure your organisation has the necessary equipment or software to effectively erase data from multiple types of media. Compare products based on customer reviews and IT expert recommendations.
- Record keepers should document sanitisation processes: Maintain logs of when each device is sanitised, who performed the task, and the method used. Use these logs to show compliance with your organisation’s policy during audits.
- Business owners should educate staff about data erasure: Organise training sessions for employees on the importance of media sanitisation and how to properly clean devices before reuse. Provide practical demonstrations and keep training materials updated.
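An added example, not part of the ISM control or any ASD tooling: a read-back check that every addressable byte of a wiped device or image matches the overwrite pattern, producing a log record of when it was verified, who did it, the method used and the outcome. The field names, the media ID `USB-0042`, the operator name and the zero-fill pattern are assumptions; the organisation's approved method decides the real pattern, and a read-back only covers the area the device exposes to the host.

```python
import json
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read size in bytes


def scan_for_residue(path, fill=0x00, chunk=CHUNK):
    """Read the whole image or device; return (first_bad_offset, bytes_checked).
    first_bad_offset is None when every byte equals the overwrite pattern."""
    fill_byte = bytes([fill])
    offset = 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            rest = block.lstrip(fill_byte)
            if rest:  # something other than the pattern survived the wipe
                bad = offset + len(block) - len(rest)
                return bad, bad
            offset += len(block)
    return None, offset


def sanitisation_record(media_id, operator, method, path, fill=0x00):
    """Build one log entry: when, who, method used, and the verified outcome."""
    bad, checked = scan_for_residue(path, fill)
    return {
        "media_id": media_id,  # assumed asset-tag format
        "operator": operator,
        "method": method,
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes_checked": checked,
        "outcome": "pass" if bad is None else "fail",
        "first_residual_offset": bad,
    }


def demo():
    """Constructed sample: a zero-filled 3 MiB image, then the same image with leftover data."""
    with tempfile.NamedTemporaryFile(suffix=".img") as img:
        img.write(b"\x00" * (3 * CHUNK))
        img.flush()
        clean = sanitisation_record("USB-0042", "j.citizen", "zero overwrite", img.name)
        img.seek(2 * CHUNK + 17)
        img.write(b"payroll")  # simulate a region the wipe missed
        img.flush()
        dirty = sanitisation_record("USB-0042", "j.citizen", "zero overwrite", img.name)
    return clean, dirty


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record))
```

A "fail" record should block reissue of the media until it has been re-sanitised and re-verified.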
Audit / evidence tips
- Ask for the media sanitisation policy document: Ensure that it outlines procedures for wiping devices before reuse and specifies approved sanitisation tools.
  Good: includes a detailed policy document with up-to-date procedures and assigned roles.
- Ask for logs of sanitised media: Review the records of media that have been cleaned before being used in a new security zone.
- Ask for a demonstration of the sanitisation process: Request a live demonstration or video recording showing how a random piece of media is cleaned.
  Good: demonstration follows documented procedures and verifies that data cannot be recovered.
- Ask which tools are used for data wiping: Check that tools listed match those recommended in your organisation's policy.
  Good: includes recognised and approved software or devices listed by the ACSC (Australian Cyber Security Centre).
- Ask staff about their understanding of the media policy: Interview a few IT and non-IT staff members about the organisation’s media sanitisation policy.
  Good: shows staff are well-informed and aligned with organisational practices.
Cross-framework mappings
How ISM-1642 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 7.14 | ISM-1642 requires media to be sanitised before it is reused in a different security domain to prevent data leakage across domains | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.