Secure destruction of confidential and sensitive material - Code of practice

This document provides recommendations and requirements for the procedures, processes and performance monitoring to be implemented for the management and control of the physical destruction of confidential and sensitive material to ensure that such material is disposed of securely and safely.
This document can be referenced by anyone who processes such material on behalf of others and covers the following scenarios:
-   on site - using mobile equipment at the location of use (destruction equipment is brought to the confidential or sensitive material);
-   off site - transport followed by destruction using equipment at a destruction facility (the confidential or sensitive material is brought to the destruction equipment, such as used at a dedicated external facility operated by a service provider);
-   use of equipment at the Data Controller’s location (confidential or sensitive material and destruction equipment co-located, such as a shredder in a building occupied by a client or clients).
Destruction by erasure (e.g. crypto erasure, data overwriting, degaussing or other forms of magnetic/electronic erasure) is not covered in this document.

Sichere Vernichtung von vertraulichen Unterlagen - Verfahrensregeln

This document gives recommendations and requirements for the procedures, processes and performance monitoring that are introduced for carrying out and monitoring the physical destruction of confidential and sensitive documents, in order to ensure that these documents are disposed of reliably and securely.
This document can be used by anyone who processes such documents on behalf of others, and it covers the following scenarios:
-   on site - using mobile equipment at the location of use (the destruction equipment is brought to the confidential or sensitive documents);
-   at another location - transport and subsequent destruction using equipment in a destruction facility (the confidential and sensitive documents are brought to the destruction equipment, as is usual in a specialised external facility operated by a service provider);
-   use of equipment at the data controller's location (confidential and sensitive documents and the destruction equipment are in one place, such as a shredder in a building occupied by one or more clients).
Destruction by erasure (e.g. cryptographic erasure, overwriting of data, degaussing or other kinds of magnetic/electronic erasure) is not covered in this document.

Destruction sécurisée de documents confidentiels - Code d'usages

This document provides recommendations and requirements concerning the procedures, processes and performance monitoring to be implemented for the management and control of the physical destruction of confidential and sensitive documents or materials, in order to ensure their reliable and secure disposal.
This document can serve as a reference for anyone who has to process this type of document or material on behalf of others, and covers the following scenarios:
-   on site - use of mobile equipment at the location of use (the destruction equipment is brought to where the confidential or sensitive documents or materials are located);
-   off site - transport followed by destruction in equipment at a destruction facility (the confidential or sensitive documents or materials are brought to the destruction equipment, such as is used in a dedicated external facility operated by a service provider);
-   use of equipment at the data controller's site (confidential or sensitive documents or materials and destruction equipment located together on the same site, for example a shredder installed in a building occupied by one or more clients).
Destruction by erasure (for example cryptographic erasure, data overwriting, degaussing or other forms of magnetic/electronic erasure) is not covered in this document.

Varno uničevanje zaupnega in občutljivega gradiva - Pravila ravnanja

This document gives recommendations and requirements for the procedures, processes and performance monitoring that apply to management, and for the control of mechanical destruction and thereby the reliable and secure disposal of confidential and sensitive material.
This document can be referenced by anyone who processes such material for their own needs or on behalf of others, and it covers the following scenarios:
-   on site - use of mobile equipment at the location of use (the destruction equipment is brought to the location of the confidential or sensitive material);
-   off site - transport after destruction, using destruction equipment (the confidential or sensitive material is brought to the destruction equipment, e.g. where it is used in a dedicated external facility operated by a service provider);
-   use of static equipment at the location of use (the confidential or sensitive material and the destruction equipment are at the same location, e.g. a document shredder in the building of a client or clients).
Destruction by erasure is not covered in this document.

General Information

Status: Published
Publication Date: 05-Sep-2023
Current Stage: 6060 - Definitive text made available (DAV) - Publishing
Start Date: 06-Sep-2023
Due Date: 18-Apr-2022
Completion Date: 06-Sep-2023

Standard: EN 15713:2023, English language, 51 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-December-2023
Varno uničevanje zaupnega in občutljivega gradiva - Pravila ravnanja
Secure destruction of confidential and sensitive material - Code of practice
Sichere Vernichtung von vertraulichen Unterlagen - Verfahrensregeln
Destruction sécurisée de documents confidentiels - Code d'usages
This Slovenian standard is identical to: EN 15713:2023
ICS:
13.310 Protection against crime
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
EN 15713
September 2023
ICS 13.310
Supersedes EN 15713:2009
English Version
Secure destruction of confidential and sensitive material - Code of practice
Destruction sécurisée de documents confidentiels - Code d'usages
Sichere Vernichtung von vertraulichen Unterlagen - Verfahrensregeln
This European Standard was approved by CEN on 24 April 2023.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN 15713:2023 E

Contents
European foreword
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Protection class
4.1 General
4.2 Determination of the protection class
5 Determination of security level
6 Increasing the security level
7 Destruction equipment
7.1 General
7.2 Use of destruction equipment
7.3 Operating instructions
7.4 Destruction outcome
7.5 Confirmation of destruction process and its completion
7.6 Maintenance and performance monitoring
7.7 Frequency of destruction equipment assessment
7.8 Redundancy of destruction equipment
8 Company destruction premises and service provider holding sites
8.1 General
8.2 Destruction premises and service provider holding site secure areas
8.3 Security
9 Controlled access to secure areas
9.1 General
9.2 Authorization for access to a secure area for company personnel
9.3 Accompanied access to a secure area for company personnel without appropriate training
9.4 Visitors and contractors (non-company personnel) access to secure area
9.5 Controlled access to secure area procedure for visitors and contractors (non-company personnel)
9.6 Secure area access level requirements for visitors and contractors (non-company personnel)
10 Contract
11 Record of process of collection through to destruction
11.1 General
11.2 Confidential and sensitive material transfer record
11.3 Certificate of destruction
12 Subcontracting
13 Company personnel
13.1 Non-disclosure agreement
13.2 Security clearance of personnel
13.3 Training of personnel
13.4 Control of company drivers
14 Collection and transport of confidential and sensitive material
14.1 General
14.2 Mobile shredding and collection vehicles
14.3 On site service - additional measures
14.4 Security containers
14.5 Security bags
15 Storage and retention of confidential and sensitive material at destruction facility
16 Business continuity planning and responding to security incidents
17 Retention of records
18 Categories of confidential and sensitive material
19 End product waste disposal
20 Supply chain
21 Information security
Annex A (normative) Destruction outcomes tables
Annex B (normative) Secure destruction process
Bibliography

European foreword
This document (EN 15713:2023) has been prepared by Technical Committee CEN/TC 263 “Secure
storage of cash, valuables and data media”, the secretariat of which is held by BSI.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by March 2024, and conflicting national standards shall be
withdrawn at the latest by March 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN 15713:2009.
In comparison with the previous edition EN 15713:2009, the following technical modifications have been
made:
This document has been technically revised to provide a benchmark for the appropriate processes and
procedures available for any person or organization that seeks to safely destroy confidential or sensitive
material when it is no longer required.
In addition, this document is also intended to be applicable to objects requiring destruction to ensure
product or brand integrity.
In this context, securely destroyed means that any object or data carrier containing confidential or
sensitive data is destroyed in such a way that reproduction of the information on them is either
impossible or is only possible with considerable expenditure (in terms of personnel, resources and time).
Destruction outcome tables are contained in Annex A (Tables A.1 to A.7).
The process criteria are specified in Table B.1 in Annex B.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United
Kingdom.

1 Scope
This document provides recommendations and requirements for the procedures, processes and
performance monitoring to be implemented for the management and control of the physical destruction
of confidential and sensitive material to ensure that such material is disposed of securely and safely.
This document can be referenced by anyone who processes such material on behalf of others and covers
the following scenarios:
— on site - using mobile equipment at the location of use (destruction equipment is brought to the
confidential or sensitive material);
— off site - transport followed by destruc
...
