Skip to content

Writing ISO-Compliant Policy on Media Sanitization Based on NIST 800-88 Guidelines and NSA Media Destruction Guidance


This tutorial will guide you through the process of creating an ISO-compliant media sanitization policy, based on the NIST 800-88 Guidelines for Media Sanitization and the National Security Agency (NSA) Media Destruction Guidance.

By following this tutorial, your organization can effectively protect sensitive data by implementing best practices for the secure disposal of electronic media.

Step 1: Understand the guidelines and scope

Start by familiarizing yourself with the NIST 800-88 Guidelines and NSA Media Destruction Guidance.

Both documents provide extensive information on media sanitization and destruction techniques for various types of media, including hard drives, solid-state drives, mobile devices, and more.

Understand that the purpose of this policy is to prevent unauthorized access to sensitive information by properly sanitizing and disposing of electronic media.

Step 2: Define the scope of your policy

Determine the scope of your policy by identifying the types of media and information that will be covered. This may include:

  • Storage devices such as hard drives, SSDs, and USB drives
  • Mobile devices like smartphones and tablets
  • Optical media such as CDs and DVDs
  • Backup tapes and other removable media

Step 3: Establish clear roles and responsibilities

Your policy should define the roles and responsibilities of the individuals involved in the media sanitization process. This may include:

  • Information security officers
  • IT personnel responsible for media sanitization
  • Department heads or supervisors responsible for overseeing media sanitization
  • Employees handling sensitive data

Step 4: Determine the appropriate sanitization methods

Based on the NIST 800-88 Guidelines and NSA Media Destruction Guidance, determine the appropriate sanitization methods for each type of media.

These methods can include:

  • Clearing: Overwriting data using software or hardware techniques to replace sensitive data with non-sensitive data
  • Purging: Applying techniques like cryptographic erase or degaussing to remove data more securely than clearing
  • Destroying: Physically destroying the media, rendering it unreadable (e.g., shredding, crushing, or incinerating)

Step 5: Define the sanitization process

Create a step-by-step process for media sanitization that ensures compliance with the guidelines. This should include:

  • Identifying the type of media and appropriate sanitization method
  • Logging the details of the media, including its owner, serial number, and sanitization method
  • Performing the sanitization process, following the recommended techniques from NIST 800-88 and NSA Media Destruction Guidance
  • Verifying the sanitization, either through visual inspection or using tools to confirm the data has been removed
  • Documenting the completion of the sanitization process, including date, personnel involved, and verification results
  • Disposing of the sanitized media following applicable environmental regulations

Step 6: Train employees

Educate all relevant employees on the media sanitization policy and their responsibilities. Ensure they understand the importance of secure data disposal and the steps they must follow to comply with the policy.

Step 7: Monitor and review the policy

Regularly review and update your media sanitization policy to ensure it remains compliant with the latest guidelines and best practices. Conduct periodic audits to verify that the policy is being properly implemented.


By following this tutorial and creating a robust, ISO-compliant media sanitization policy, your organization can effectively protect sensitive information and reduce the risk of data breaches.

Implementing a well-documented sanitization policy and process will not only provide a secure method for media disposal but also demonstrate your organization's commitment to information security.