Destroy Unsanitisable IT Equipment Safely
If IT equipment can't be cleaned properly, it must be destroyed to ensure security.
Plain language
Sometimes, old computers or gadgets can't be properly wiped clean of sensitive data. In that case, it's important to physically destroy them so nobody can retrieve personal or business data. If we don't, this information could fall into the wrong hands, leading to privacy breaches or financial harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Topic
Sanitising IT Equipment
Official control statement
IT equipment that cannot be sanitised is destroyed.
Why it matters
Failure to destroy unsanitisable IT equipment may expose sensitive data via recovered media, causing reportable breaches and financial loss.
Operational notes
Maintain a register of unsanitisable assets and require vendor-certified physical destruction (e.g., shredding) with witnessed chain-of-custody records.
Implementation tips
- IT team should identify devices: The IT staff should list all devices that can no longer be cleaned properly. This involves checking devices like old computers, hard drives, and USB sticks to determine if they can be securely wiped or need destruction.
- Managers should develop a destruction policy: Managers need to create a clear policy for destroying unsanitisable equipment. They should outline who is responsible, where destruction takes place, and how to keep records of destroyed items.
- Procurement should select a certified service provider: The procurement team should hire a professional company that specialises in destroying IT equipment safely. Choose a service provider with the necessary certifications from the Australian Cyber Security Centre (ACSC) to ensure compliance.
- Staff should conduct destruction events: Arrange regular events where identified equipment is collected and destroyed. IT staff should manage these events, ensuring the secure handling and transport of devices to the destruction site.
- IT team should log destroyed equipment: After destruction, IT staff should document the process for each item. Record details like the device type, serial number, date of destruction, and supervising staff member to maintain a secure audit trail.
Audit / evidence tips
- Ask for the destruction policy document: Request the written destruction policy from management. Good: the policy lists clear roles, procedures, and compliant service providers.
- Ask for destruction logs: Request the logs or records of destroyed equipment from the IT team. Good: the record is complete and shows that no device is overlooked.
- Ask for service provider contracts: Request the contract with the equipment destruction service. Good: the contract is with a provider accredited by the ACSC, proving their reliability in handling data destruction.
- Ask to see a destruction event in progress: Request a demonstration or video of a destruction event. Good: the event is orderly and aligns with the policy.
- Ask for staff training records: Request records of training sessions for staff on data destruction procedures. Good: the record shows all relevant staff are trained and understand their roles.
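As an added example (not part of the Control Stack page, the ISM or any vendor tool), the check below reconciles the register of unsanitisable assets from the operational notes against the destruction log the implementation tips and audit tips describe: it flags registered devices with no destruction record, records missing the required details or lacking an independent witness, and destroyed serials that were never registered. The field names, the constructed sample data and the rule that the witness must differ from the supervisor are assumptions.

```python
from datetime import date

# Assumed record schema: the page names device type, serial number, date and
# supervising staff member; witness and certificate come from the witnessed,
# vendor-certified chain-of-custody requirement.
REQUIRED = ("serial", "device_type", "destroyed_on", "supervisor", "witness", "certificate")

# Constructed sample register of assets that cannot be sanitised.
REGISTER = [
    {"serial": "HDD-0001", "device_type": "hard drive"},
    {"serial": "USB-0002", "device_type": "USB stick"},
    {"serial": "SSD-0003", "device_type": "SSD"},
    {"serial": "LAP-0004", "device_type": "laptop"},
]

# Constructed sample destruction log returned after a destruction event.
DESTRUCTION_LOG = [
    {"serial": "HDD-0001", "device_type": "hard drive", "destroyed_on": "2026-03-10",
     "supervisor": "A. Lee", "witness": "B. Roy", "certificate": "CERT-EXAMPLE-1"},
    {"serial": "USB-0002", "device_type": "USB stick", "destroyed_on": "2026-03-10",
     "supervisor": "A. Lee", "witness": "A. Lee", "certificate": "CERT-EXAMPLE-2"},
    {"serial": "SSD-0003", "device_type": "SSD", "destroyed_on": "",
     "supervisor": "A. Lee", "witness": "B. Roy", "certificate": ""},
    {"serial": "TAPE-9999", "device_type": "tape", "destroyed_on": "2026-03-10",
     "supervisor": "A. Lee", "witness": "B. Roy", "certificate": "CERT-EXAMPLE-3"},
]


def record_problems(rec, today=None):
    """Return the defects found in one destruction record (empty list = acceptable)."""
    today = today or date.today()
    problems = [f"missing {f}" for f in REQUIRED if not rec.get(f)]
    if rec.get("destroyed_on"):
        try:
            if date.fromisoformat(rec["destroyed_on"]) > today:
                problems.append("destruction date in the future")
        except ValueError:
            problems.append("unparseable destroyed_on")
    # Assumed rule: a witness who is also the supervisor gives no independent attestation.
    if rec.get("witness") and rec.get("witness") == rec.get("supervisor"):
        problems.append("witness same as supervisor")
    return problems


def reconcile(register, log, today=None):
    """Cross-check register against log: overlooked assets, defective records, strays."""
    logged = {rec.get("serial"): rec for rec in log}
    registered = {asset["serial"] for asset in register}
    defective = {s: record_problems(r, today) for s, r in logged.items()}
    return {
        "not_destroyed": sorted(registered - logged.keys()),
        "defective": {s: p for s, p in defective.items() if p},
        "unregistered": sorted(logged.keys() - registered),
    }
```

Any non-empty entry in the result is an audit finding; an empty result is what a complete, witnessed log should produce.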
Cross-framework mappings
How ISM-1742 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 7.14 | Partially overlaps | ISM-1742 requires that IT equipment that cannot be sanitised is destroyed to prevent residual data compromise |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.