Destroy Unsanitised Media Before Disposal
Media that can't be safely sanitised should be destroyed before being thrown away.
Plain language
Before throwing away old or unusable media such as computer hard drives, CDs, or USB sticks, destroy them completely if they can't be safely wiped clean. If someone finds your discarded media and can still access the information on them, your business might suffer from data breaches that could lead to privacy violations or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for media
Section
Media sanitisation
Official control statement
Media that cannot be successfully sanitised is destroyed prior to its disposal.
Why it matters
If unsanitised media is disposed of without destruction, attackers may recover sensitive data, causing breaches, legal action and financial loss.
Operational notes
Identify unsanitised media, quarantine it, and destroy it via approved shredding or degaussing before disposal; keep destruction records.
Implementation tips
- The office manager should identify all types of media used in the organisation, such as hard drives, USBs, and DVDs, and make a list of those that cannot be sanitised. They should classify unsanitised media based on its usefulness or obsolescence and then plan for its destruction.
- The IT team should safely destroy unsanitised media. They can do this by using a shredder designed for electronics, degaussing (which involves scrambling the data with a powerful magnet), or physically breaking the media beyond repair.
- The IT team should set up a regular schedule for media destruction. How: Once a month, they should collect all unsanitised media marked for destruction and process them using the appropriate methods. This keeps your media disposal strategy consistent and secure.
- An office manager or designated staff should coordinate with a professional destruction service if in-house destruction isn't possible. How: Contact a specialist service, check credentials, arrange pick-up, and get certification of destruction for record-keeping.
- Training should be provided by the HR or security officer to staff on identifying sensitive media types and the procedures for their destruction. How: Include guidelines in onboarding sessions and refreshers in annual security training to ensure everyone knows not to dispose of unsanitised media in regular trash.
Audit / evidence tips
- Ask for the list of media that have been marked for destruction: request to see a log that details each item with its identification number. Good sign is a detailed list showing regular activity and items being processed as expected.
- Good outcome: certificates that match up with internal records and are recent.
- Ask for a demonstration or explanation of the media destruction process to understand how it's carried out.
- Ask for the schedule of media destruction events. Look to see that they are frequent enough to prevent the build-up of unused media. Good practice: a regular schedule, like monthly or quarterly, that matches the organisation's needs.
- Good indicator: comprehensive training material that explains how and why to handle unsanitised media safely.
Cross-framework mappings
How ISM-1735 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 7.10 | Partially meets | ISM-1735 requires that media which cannot be successfully sanitised is physically destroyed before disposal |
| Annex A 7.14 | Partially overlaps | ISM-1735 requires that media which cannot be successfully sanitised is destroyed prior to disposal |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.