Methods for Destructing Optical Disks
Optical disks should be destroyed using various methods like incineration or grinding to ensure data is unreadable.
Plain language
This control is about making sure that old or unwanted optical disks, like CDs or DVDs, are disposed of in a way that any data on them can't be read anymore. This is important because if someone finds a disk you threw away, they might access sensitive information, which could lead to financial loss, embarrassment, or legal troubles.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Optical disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grinder/sander or by cutting.
Why it matters
If optical disks are not physically destroyed (e.g., cut, disintegrated or incinerated), data may be recovered, causing compromise and reportable breaches.
Operational notes
Use approved methods (furnace/incinerator, hammer mill, disintegrator, grinder/sander or cutting) and record disposal details, including method and date, for traceability.
Implementation tips
- Office managers should gather all old optical disks that are no longer needed. You can do this by setting a specific place in the office where everyone can drop off disks they want destroyed.
- Procurement staff should ensure the organisation has the right tools for disk destruction. This might involve buying or hiring access to a device like a grinder or arranging with a specialised service that can burn or shred disks.
- IT teams should coordinate the actual destruction of the disks. Clearly schedule a regular time, like the end of every quarter, for destroying accumulated disks using the furnace, grinder, or cutter.
- Security officers should document the disk destruction process. This includes keeping a list of each disk destroyed, the method used, and the date of destruction, helping track and verify the process.
- Management should communicate with staff about the importance of proper media destruction. Hold a short training or send a memo explaining why disks need to be destroyed and ensuring everyone knows the procedure for depositing unwanted disks.
Audit / evidence tips
- AskThe media destruction log: Request the documentation that records each destroyed disk, the method used, and who performed the destruction GoodLog clearly shows disks are regularly and thoroughly destroyed
- AskTo see the destruction equipment: Physically check the grinder, furnace, or other equipment used for disk destruction
- AskEvidence of training or communication: Request records of memos or meetings that inform staff about media destruction processes
- AskTo witness a destruction session: If possible, observe an actual disk destruction process GoodProcess is smooth, follows the guidelines, and results in unreadable, destroyed disks
- AskService contracts if using a third-party: Check contracts with external services for media destruction GoodContract ensures secure, regular, and accountable destruction service
Cross-framework mappings
How ISM-1726 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 7.10 | ISM-1726 requires secure end-of-life handling by physically destroying optical disks using approved destruction methods | |
| Annex A 7.14 | ISM-1726 requires optical disks to be physically destroyed using specific methods (e.g | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.