ISM-1713: ASD Information Security Manual (ISM)

Maintain and Verify a Removable Media Register

Ensure a log of removable media is kept, updated and checked regularly.

Plain language

This control is about keeping track of all removable media, like USB sticks or external hard drives, that are used in your organisation. It matters because these items can easily be lost or stolen, leading to sensitive information getting into the wrong hands.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

A removable media register is developed, implemented, maintained and verified on a regular basis.

Why it matters

If the removable media register isn’t maintained and verified, untracked media can be lost or stolen, enabling data exfiltration and undermining accountability for sensitive information.

Operational notes

Monthly, reconcile the removable media register with physical inventory; investigate missing/unregistered items, update entries, and record verification results and remedial actions.

Implementation tips

  • Office managers should create a list to log every instance of removable media being used in the organisation. Use a spreadsheet or a simple notebook where each device is recorded along with details like who is using it, when it was issued, and for what purpose.
  • IT teams should regularly update this register with new entries each time a media device is introduced or checked out. This can be done by establishing a procedure where employees have to inform the IT team whenever they need to use or return removable media.
  • Managers should assign a responsible person to physically verify the inventory of all registered removable media at least once a month, ensuring that all items are accounted for. This can be as simple as matching the physical devices with the list entries.
  • Company owners should ensure that staff understand the importance of this register by conducting brief training sessions. Explain the risks associated with data loss and how maintaining this register helps protect the business.
  • HR or administrative personnel should set up a reminder system for periodic reviews of the register. They could use calendar alerts to ensure the individual responsible remembers to check the register at regular intervals.

Audit / evidence tips

  • Ask: The removable media register. Request to see the document or file that logs the use of all removable media in the organisation.
  • Good: Includes a detailed record that is updated regularly, showing no significant gaps or missing entries, and a protocol for how and when the register is reviewed.
  • Ask: A policy document on removable media handling. Request the organisation's policy or procedures regarding the use and management of removable media.
  • Good: An up-to-date policy that matches the register entries and addresses security measures.
  • Ask: Evidence of register verification. See proof that regular physical checks of the media are occurring.
  • Good: Includes regular verification records with few discrepancies or well-documented resolutions of any issues found.
  • Ask: Training records. Request documentation or attendance sheets detailing staff training on media security awareness.
  • Good: Recent records showing comprehensive staff understanding of the register and policy requirements.

Cross-framework mappings

How ISM-1713 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)

  • Annex A 5.9: Requires an inventory of information and associated assets, including ownership, to be developed and maintained.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.