Methods for Destroying Magnetic Hard Disks
Magnetic hard drives must be destroyed using specific approved methods, like incinerating or degaussing.
Plain language
When it's time to get rid of old magnetic hard drives, it's important that they're destroyed in a way that permanently erases all data. If this isn't done properly, sensitive information could be recovered by someone else, leading to data breaches or identity theft. This control is about making sure that doesn't happen by using approved destruction methods.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Magnetic hard disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grinder/sander or degausser.
Why it matters
Improper destruction of magnetic hard disks can allow data recovery, causing data breaches and financial and reputational harm.
Operational notes
Confirm destruction uses approved methods (degausser, incinerator, disintegrator, grinder) and keep evidence that disks are unrecoverable.
Implementation tips
- IT team should arrange for secure transport: When old hard drives are ready for destruction, it's crucial that the IT team coordinates with a secure transport provider to ensure the drives remain safe until they reach the destruction site. This involves choosing a reputable service with a good track record in handling sensitive media.
- Office manager should document disposal procedures: The office manager should document the procedures for hard drive disposal, including the approved destruction methods like incinerator or degausser use. Make sure these documented procedures are accessible to relevant staff and are reviewed periodically.
- Look at accreditation from recognised bodies or compliance with local regulations such as those recommended by the Australian Cyber Security Centre (ACSC)
- IT team should conduct regular checks: Set up a routine for the IT team to check on-site data destruction equipment like degaussers or grinders to ensure they are functioning correctly. Include checking for wear and tear and that user guidelines are visibly displayed.
- Security officer should monitor processes: The security officer should oversee the entire destruction process if done in-house, or verify that all procedures are followed if outsourced. This involves ensuring all steps in the destruction process are witnessed by authorised personnel and any certificates of destruction are correctly issued and filed.
Audit / evidence tips
- Ask: the hard drive disposal policy: Request the document outlining the methods for destroying magnetic hard disks
  Good: includes detailed procedures aligned with recommended practices
- Ask: vendor certificates of destruction: Request certificates from external vendors confirming that hard drives were destroyed
  Good: certificate will clearly confirm destruction, include vendor details and a contact person
- Ask: equipment maintenance logs: Request the maintenance records for any in-house destruction equipment like degaussers
- Ask: to see the authorisation list: Request the list of authorised personnel allowed to handle or witness the destruction of drives
  Good: list should have recent date, staff names, and roles confirmed by management
- Ask: training records: Request proof of training for staff involved in the media destruction process
Cross-framework mappings
How ISM-1724 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 7.10 | ISM-1724 requires magnetic hard disks to be destroyed using specific approved destruction methods (e.g., incineration, grinding or degaus... | |
| Partially overlaps (1) | | |
| Annex A 7.14 | ISM-1724 requires magnetic hard disks to be physically destroyed using approved methods to prevent data recovery | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.