Methods for Destructing Optical Disks
Optical disks should be destroyed using various methods like incineration or grinding to ensure data is unreadable.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: Feb 2022
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Optical disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grinder/sander or by cutting.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure that old or unwanted optical disks, like CDs or DVDs, are disposed of in a way that any data on them can't be read anymore. This is important because if someone finds a disk you threw away, they might access sensitive information, which could lead to financial loss, embarrassment, or legal troubles.
Why it matters
If optical disks are not physically destroyed (e.g., cut, disintegrated or incinerated), data may be recovered, causing compromise and reportable breaches.
Operational notes
Use approved methods (furnace/incinerator, hammer mill, disintegrator, grinder/sander or cutting) and record disposal details, including method and date, for traceability.
Implementation tips
- Office managers should gather all old optical disks that are no longer needed. You can do this by setting a specific place in the office where everyone can drop off disks they want destroyed.
- Procurement staff should ensure the organisation has the right tools for disk destruction. This might involve buying or hiring access to a device like a grinder or arranging with a specialised service that can burn or shred disks.
- IT teams should coordinate the actual destruction of the disks. Clearly schedule a regular time, like the end of every quarter, for destroying accumulated disks using the furnace, grinder, or cutter.
- Security officers should document the disk destruction process. This includes keeping a list of each disk destroyed, the method used, and the date of destruction, helping track and verify the process.
- Management should communicate with staff about the importance of proper media destruction. Hold a short training or send a memo explaining why disks need to be destroyed and ensuring everyone knows the procedure for depositing unwanted disks.
Audit / evidence tips
- Ask for the media destruction log: request the documentation that records each destroyed disk, the method used, and who performed the destruction.
  Good: the log clearly shows disks are regularly and thoroughly destroyed.
- Ask to see the destruction equipment: physically check the grinder, furnace, or other equipment used for disk destruction.
- Ask for evidence of training or communication: request records of memos or meetings that inform staff about media destruction processes.
- Ask to witness a destruction session: if possible, observe an actual disk destruction process.
  Good: the process is smooth, follows the guidelines, and results in unreadable, destroyed disks.
- Ask for service contracts if using a third party: check contracts with external services for media destruction.
  Good: the contract ensures a secure, regular, and accountable destruction service.
Cross-framework mappings
How ISM-1726 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 7.10 | ISM-1726 requires secure end-of-life handling by physically destroying optical disks using approved destruction methods | |
| Annex A 7.14 | ISM-1726 requires optical disks to be physically destroyed using specific methods (e.g | |