National foreword

This British Standard is the UK implementation of EN 15713:2023. It supersedes BS EN 15713:2009, which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee GW/2, Secure storage of cash, valuables and data media.

A list of organizations represented on this committee can be obtained on request to its committee manager.

It is the UK committee’s view that destroying original size information – as described in Table 3 and Table A.1 – that may contain personal data at security levels P-1 and P-2 is acceptable. This is because in the UK some personal data is readily available in the public domain, for example on electoral registers, telephone directories and printable from social media platforms, etc. It is the responsibility of data controllers in the UK to decide which security level is appropriate for their material.

The UK committee advises users to consult BS 7858 when applying this standard. BS 7858 is recognized for the pre-employment screening of individuals working within the information destruction industry that may be given access to premises, equipment and sensitive or confidential information assets.

It is the UK committee’s view that the level of vetting required by data controllers and material owners be proportionate to the role that individuals carry out and the sensitivity of access to that material.

Contractual and legal considerations

This publication has been prepared in good faith, however no representation, warranty, assurance or undertaking (express or implied) is or will be made, and no responsibility or liability is or will be accepted by BSI in relation to the adequacy, accuracy, completeness or reasonableness of this publication. All and any such responsibility and liability is expressly disclaimed to the full extent permitted by the law.

This publication is provided as is, and is to be used at the recipient’s own risk.

The recipient is advised to consider seeking professional guidance with respect to its use of this publication.

This publication is not intended to constitute a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 September 2023.

This European Standard was approved by CEN on 24 April 2023.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

European foreword

This document ( EN 15713:2023) has been prepared by Technical Committee CEN/TC 263 “Secure storage of cash, valuables and data media”, the secretariat of which is held by BSI.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by March 2024, and conflicting national standards shall be withdrawn at the latest by March 2024.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

This document supersedes EN 15713:2009.

In comparison with the previous edition EN 15713:2009, the following technical modifications have been made:

This document has been technically revised to provide a benchmark for the appropriate processes and procedures available for any person or organization that seeks to safely destroy confidential or sensitive material when it is no longer required.

In addition, this document is also intended to be applicable to objects requiring destruction to ensure product or brand integrity.

In this context, securely destroyed means that any object or data carrier containing confidential or sensitive data is destroyed in such a way that reproduction of the information on them is either impossible or is only possible with considerable expenditure (in terms of personnel, resources and time). Destruction outcome tables are contained in Annex A (Tables A.1 to A.7).

The process criteria are specified in Table B.1 in Annex B.

Any feedback and questions on this document should be directed to the users’ national standards body. A complete listing of these bodies can be found on the CEN website.

According to the CEN-CENELEC Internal Regulations, the national standards organisations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United Kingdom.

1 Scope

This document provides recommendations and requirements for the procedures, processes and performance monitoring to be implemented for the management and control of the physical destruction of confidential and sensitive material to ensure that such material is disposed of securely and safely.

This document can be referenced by anyone who processes such material on behalf of others and covers the following scenarios:

on site - using mobile equipment at the location of use (destruction equipment is brought to the confidential or sensitive material);
off site - transport followed by destruction using equipment at a destruction facility (the confidential or sensitive material is brought to the destruction equipment, such as used at a dedicated external facility operated by a service provider);
use of equipment at the Data Controller’s location (confidential or sensitive material and destruction equipment co-located, such as a shredder in a building occupied by a client or clients).

Destruction by erasure (e.g. crypto erasure, data overwriting, degaussing or other forms of magnetic/electronic erasure) is not covered in this document.

2 Normative references

3 Terms, definitions and abbreviations

3.1 Terms and definitions

3.2 Abbreviations

4 Protection class

4.1 General

4.2 Determination of the protection class

5 Determination of security level

6 Increasing the security level

7 Destruction equipment

7.1 General

7.2 Use of destruction equipment

7.3 Operating instructions

7.4 Destruction outcome

7.5 Confirmation of destruction process and its completion

7.6 Maintenance and performance monitoring

7.7 Frequency of destruction equipment assessment

7.8 Redundancy of destruction equipment

8 Company destruction premises and service provider holding sites

8.1 General

8.2 Destruction premises and service provider holding site secure areas

8.3 Security

9 Controlled access to secure areas

9.1 General

9.2 Authorization for access to a secure area for company personnel

9.3 Accompanied access to a secure area for company personnel without appropriate training

9.4 Visitors and contractors (non-company personnel) access to secure area

9.5 Controlled access to secure area procedure for visitors and contractors (non- company personnel)

9.6 Secure area access level requirements for visitors and contractors (non-company personnel)

10 Contract

11 Record of process of collection through to destruction

11.1 General

11.2 Confidential and sensitive material transfer record

11.3 Certificate of destruction

12 Subcontracting

13 Company personnel

13.1 Non-disclosure agreement

13.2 Security clearance of personnel

13.3 Training of personnel

13.4 Control of company drivers

14 Collection and transport of confidential and sensitive material

14.1 General

14.2 Mobile shredding and collection vehicles

14.3 On site service – additional measures

14.4 Security containers

14.5 Security bags

15 Storage and retention of confidential and sensitive material at destruction facility

16 Business continuity planning and responding to security incidents

17 Retention of records

18 Categories of confidential and sensitive material

19 End product waste disposal

20 Supply chain

21 Information security

Bibliography

BS EN 15713:2023

Secure destruction of confidential and sensitive material. Code of practice

Current

Published:

30 Sep 2023