Australian Information Security Manual (ISM) Explained

SUMMARY: The Australian Information Security Manual (ISM) is built on four core principles – govern, protect, detect, respond – and this article shows how to put them into practice. You will learn why the national cybersecurity authority (ACSC) highlights both media sanitization and encryption and how tools such as BCWipe, BCWipe Total WipeOut and BestCrypt support ISM-aligned protection. With practical guidance and clear examples, the blog helps you strengthen your data security approach in line with Australia’s leading framework.

The purpose of the ISM is “to outline a cyber security framework that an organization can apply, using their risk management framework, to protect their systems and data from cyber threats.”

Who Is the ISM Intended For?

  • Chief Information Security Officers (CISOs)
  • Chief Information Officers
  • Cybersecurity professionals
  • Information technology managers

The ISM functions as a set of cybersecurity principles and guidelines that organizations are advised to follow in order to protect their data. In this blog, we will first provide an overview of the ISM’s cybersecurity principles. We will then take a look at how organizations can follow the ISM guidelines by using data encryption and wiping.

Cybersecurity Principles

The first section of the ISM consists of a set of cybersecurity principles. The purpose of these principles is to “provide strategic guidance on how an organization can protect their systems and data from cyber threats”.

The ISM’s cybersecurity principles are grouped together into 4 categories: govern, protect, detect, and respond. Here’s a summary of what each principle covers:

  • Govern: Identifying and managing security risks
  • Protect: Implementing security controls to reduce security risks
  • Detect: Detecting and understanding cybersecurity events to identify cybersecurity incidents
  • Respond: Responding to and recovering from cybersecurity incidents

Find out more about the ISM’s cybersecurity principles in the ISM’s Cybersecurity Principles section.

Australian Information Security Manual (ISM) & Data Wiping

The second part of the ISM is a series of in-depth cybersecurity guidelines that are split up into a number of subsections and security controls. The Guidelines for Media chapter outlines security controls that cover the following 4 areas: media usage, media sanitization, media destruction, and media disposal. The media usage and media sanitization sections, in particular, provide information on the importance of data wiping.

The ‘Media sanitization processes and procedures’ subsection of the Guidelines for Media states: “Using approved methods to sanitize media provides a level of assurance that, to the extent possible, no data will be left following sanitization. The methods described in these guidelines are designed not only to prevent common data recovery practices but also to protect from those that could emerge in the future.” In the same section, Security control ISM-0348 advises: “Media sanitization processes, and supporting media sanitization procedures, are developed and implemented.”

The Guidelines for Media chapter goes on to provide more specific advice for sanitizing volatile and non-volatile types of media. There are also recommendations for sanitizing media before first use, before it is reclassified to a lower sensitivity, and when media is transferred between 2 systems.

For more detailed information from the ACSC on sanitizing media, check the ISM’s Guidelines for Media.

Australian Information Security Manual (ISM) & Encryption

Sticking with the ISM’s cybersecurity guidelines, the Guidelines for Cryptography is the chapter that offers organizations advice on using encryption. In the ‘Encrypting data at rest’ subsection, the ACSC recommends that organizations use full disk encryption as “it provides a greater level of protection than file-based encryption.” Another solution for protecting all the data on your hard drive is volume encryption, which we believe is a more secure alternative to full disk encryption.

A list of the encryption algorithms that are approved by the Australian Signals Directorate can be found in the ‘ASD-Approved Cryptographic Algorithms’ section of the Guidelines for Cryptography. The guidelines state: “The only approved symmetric encryption algorithm is Advanced Encryption Standard (AES)”. AES is used for encrypting data at rest, and is the default encryption algorithm used by BestCrypt Volume Encryption and BestCrypt Container Encryption.

For more detailed information from the ACSC on encryption, check the ISM’s Guidelines for Cryptography.

Use the Right Data Protection Software

The type of data that needs to be wiped and encrypted will help you decide what kind of software your organization should use. If you have sensitive data on a computer that’s no longer needed, then you should use software that’s able to wipe your entire hard drive – physically destroying the drive isn’t enough. However, if you want to be prepared in the event that one of your devices gets lost or stolen, you should secure the contents of the relevant hard drive by investing in whole disk encryption.

To help your organization comply with the ISM’s recommendations for media sanitization and encryption, Jetico offers 2 types of software:

  • Data wiping: BCWipe Total WipeOut erases entire drives, and BCWipe wipes selected files and folders.
  • Encryption: BestCrypt Volume Encryption protects whole disks, and BestCrypt Container Encryption secures individual data sets.

Contact our data protection specialists to find out more.

Frequently Asked Questions (FAQs)

What Is the Purpose of the Australian Information Security Manual (ISM)?

The ISM provides cybersecurity principles and detailed guidelines issued by the Australian Cyber Security Centre to help organizations protect systems and data from cyber threats. It serves as a structured framework that CISOs, IT managers and security teams can adopt within their own risk-management processes.

Why Does the ISM Place Emphasis on Media Sanitization?

Media sanitization ensures that sensitive information can’t be recovered from devices after reuse, transfer or disposal. The ISM highlights this because unsanitized media such as drives, printers or routers can expose organizations to serious security and compliance risks.

What Type of Encryption Does the ISM Recommend for Data at Rest?

The ACSC advises using full disk encryption and mandates support for ASD-approved cryptographic algorithms, specifically AES. Volume-based encryption such as BestCrypt Volume Encryption offers strong protection because it secures all data on a drive rather than individual files.

How Does the ISM Define Secure Media Sanitization?

The ISM defines secure media sanitization as the permanent removal of data so it can’t be recovered by any means, including advanced forensic tools. Sanitization must address all residual data across the device, not just user-visible files, and should follow approved methods such as overwriting or cryptographic erasure. The ISM also expects organizations to apply sanitization before reuse, reclassification or disposal and to verify that the process was completed successfully.
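The cryptographic-erasure path this answer describes, with the failed recovery attempt serving as the verification step, as an added Go example that is not part of the original post or of any Jetico product; the in-memory byte slice standing in for a drive, the function names and the sample record are all constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtRest stores plaintext on a constructed in-memory "medium" as
// AES-256-GCM ciphertext (AES is the only ISM-approved symmetric algorithm)
// and returns the data key separately, as a key store or TPM would hold it.
func EncryptAtRest(plaintext []byte) ([]byte, []byte, error) {
	buf := make([]byte, 32+12) // 256-bit data key, then a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), key, nil // nonce || ct || tag
}

// CryptoErase sanitises by zeroising the data key: the ciphertext may stay
// on the medium, but without the key nothing can turn it into plaintext.
func CryptoErase(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

// Recover reads the medium back with the supplied key. After CryptoErase the
// GCM authentication check fails; that failure is the verification step.
func Recover(medium, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, medium[:n], medium[n:], nil)
}
```

On real media the key must be destroyed in every place it is held (key store, TPM, escrow copies), and a file-level overwrite does not reach copies kept by SSD wear levelling or file system journals, which is why the answer insists that sanitization cover all residual data on the device rather than only user-visible files.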

Which Jetico Tools Help With ISM Wiping and Encryption Guidelines?

For media sanitization, BCWipe Total WipeOut securely erases entire drives and BCWipe removes selected files and folders. For encryption, BestCrypt Volume Encryption protects whole disks and BestCrypt Container Encryption secures individual data sets that require more granular control.
