Methods for Destroying Magnetic Hard Disks
Magnetic hard drives must be destroyed using specific approved methods, like incinerating or degaussing.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Feb 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Magnetic hard disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grinder/sander or degausser.
Source: ASD Information Security Manual (ISM)
Plain language
When it's time to get rid of old magnetic hard drives, it's important that they're destroyed in a way that permanently erases all data. If this isn't done properly, sensitive information could be recovered by someone else, leading to data breaches or identity theft. This control is about making sure that doesn't happen by using approved destruction methods.
Why it matters
Improper destruction of magnetic hard disks can allow data recovery, causing data breaches and financial and reputational harm.
Operational notes
Confirm destruction uses approved methods (degausser, incinerator, disintegrator, grinder) and keep evidence that disks are unrecoverable.
Implementation tips
- IT team should arrange for secure transport: When old hard drives are ready for destruction, it's crucial that the IT team coordinates with a secure transport provider to ensure the drives remain safe until they reach the destruction site. This involves choosing a reputable service with a good track record in handling sensitive media.
- Office manager should document disposal procedures: The office manager should document the procedures for hard drive disposal, including the approved destruction methods like incinerator or degausser use. Make sure these documented procedures are accessible to relevant staff and are reviewed periodically.
-
Look at: accreditation from recognised bodies or compliance with local regulations such as those recommended by the Australian Cyber Security Centre (ACSC)
- IT team should conduct regular checks: Set up a routine for the IT team to check on-site data destruction equipment like degaussers or grinders to ensure they are functioning correctly. Include checking for wear and tear and that user guidelines are visibly displayed.
- Security officer should monitor processes: The security officer should oversee the entire destruction process if done in-house, or verify that all procedures are followed if outsourced. This involves ensuring all steps in the destruction process are witnessed by authorised personnel and any certificates of destruction are correctly issued and filed.
Audit / evidence tips
-
Ask: the hard drive disposal policy: Request the document outlining the methods for destroying magnetic hard disks
Good: includes detailed procedures aligned with recommended practices
-
Ask: vendor certificates of destruction: Request certificates from external vendors confirming that hard drives were destroyed
Good: certificate will clearly confirm destruction, include vendor details and a contact person
-
Ask: equipment maintenance logs: Request the maintenance records for any in-house destruction equipment like degaussers
-
Ask: to see the authorisation list: Request the list of authorised personnel allowed to handle or witness the destruction of drives
Good: list should have recent date, staff names, and roles confirmed by management
-
Ask: training records: Request proof of training for staff involved in the media destruction process
Cross-framework mappings
How ISM-1724 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 7.10 | ISM-1724 requires magnetic hard disks to be destroyed using specific approved destruction methods (e.g., incineration, grinding or degaus... | |
| Partially overlaps (1) | ||
| Annex A 7.14 | ISM-1724 requires magnetic hard disks to be physically destroyed using approved methods to prevent data recovery | |