EN 15713:2023

SLOVENSKI STANDARD
01-december-2023
Varno uničevanje zaupnega in občutljivega gradiva - Pravila ravnanja
Secure destruction of confidential and sensitive material - Code of practice
Sichere Vernichtung von vertraulichen Unterlagen - Verfahrensregeln
Destruction sécurisée de documents confidentiels - Code d'usages
Ta slovenski standard je istoveten z: EN 15713:2023
ICS:
13.310 Varstvo pred kriminalom Protection against crime
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EN 15713
EUROPEAN STANDARD
NORME EUROPÉENNE
September 2023
EUROPÄISCHE NORM
ICS 13.310 Supersedes EN 15713:2009
English Version
Secure destruction of confidential and sensitive material -
Code of practice
Destruction sécurisée de documents confidentiels - Sichere Vernichtung von vertraulichen Unterlagen -
Code d'usages Verfahrensregeln
This European Standard was approved by CEN on 24 April 2023.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN 15713:2023 E
worldwide for CEN national Members.

Contents Page
European foreword . 4
1 Scope . 5
2 Normative references . 5
3 Terms, definitions and abbreviations . 6
3.1 Terms and definitions . 6
3.2 Abbreviations . 9
4 Protection class . 10
4.1 General . 10
4.2 Determination of the protection class . 10
5 Determination of security level . 11
6 Increasing the security level . 11
7 Destruction equipment . 12
7.1 General . 12
7.2 Use of destruction equipment . 12
7.3 Operating instructions . 12
7.4 Destruction outcome . 13
7.5 Confirmation of destruction process and its completion . 13
7.6 Maintenance and performance monitoring . 13
7.7 Frequency of destruction equipment assessment . 14
7.8 Redundancy of destruction equipment . 14
8 Company destruction premises and service provider holding sites . 15
8.1 General . 15
8.2 Destruction premises and service provider holding site secure areas . 15
8.3 Security . 15
9 Controlled access to secure areas . 16
9.1 General . 16
9.2 Authorization for access to a secure area for company personnel . 17
9.3 Accompanied access to a secure area for company personnel without appropriate
training . 17
9.4 Visitors and contractors (non-company personnel) access to secure area . 17
9.5 Controlled access to secure area procedure for visitors and contractors (non-
company personnel) . 18
9.6 Secure area access level requirements for visitors and contractors (non-company
personnel) . 18
10 Contract . 19
11 Record of process of collection through to destruction . 19
11.1 General . 19
11.2 Confidential and sensitive material transfer record . 19
11.3 Certificate of destruction . 20
12 Subcontracting . 21
13 Company personnel . 21
13.1 Non-disclosure agreement . 21
13.2 Security clearance of personnel . 21
13.3 Training of personnel . 22
13.4 Control of company drivers . 23
14 Collection and transport of confidential and sensitive material . 23
14.1 General . 23
14.2 Mobile shredding and collection vehicles . 23
14.3 On site service – additional measures . 24
14.4 Security containers . 24
14.5 Security bags . 25
15 Storage and retention of confidential and sensitive material at destruction facility . 25
16 Business continuity planning and responding to security incidents . 25
17 Retention of records . 25
18 Categories of confidential and sensitive material . 26
19 End product waste disposal . 27
20 Supply chain . 27
21 Information security . 27
Annex A (normative) Destruction outcomes tables . 28
Annex B (normative) Secure destruction process . 35
Bibliography . 51

European foreword
This document (EN 15713:2023) has been prepared by Technical Committee CEN/TC 263 “Secure
storage of cash, valuables and data media”, the secretariat of which is held by BSI.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by March 2024, and conflicting national standards shall be
withdrawn at the latest by March 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN 15713:2009.
In comparison with the previous edition EN 15713:2009, the following technical modifications have been
made:
This document has been technically revised to provide a benchmark for the appropriate processes and
procedures available for any person or organization that seeks to safely destroy confidential or sensitive
material when it is no longer required.
In addition, this document is also intended to be applicable to objects requiring destruction to ensure
product or brand integrity.
In this context, securely destroyed means that any object or data carrier containing confidential or
sensitive data is destroyed in such a way that reproduction of the information on them is either
impossible or is only possible with considerable expenditure (in terms of personnel, resources and time).
Destruction outcome tables are contained in Annex A (Tables A.1 to A.7).
The process criteria are specified in Table B.1 in Annex B.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United
Kingdom.
1 Scope
This document provides recommendations and requirements for the procedures, processes and
performance monitoring to be implemented for the management and control of the physical destruction
of confidential and sensitive material to ensure that such material is disposed of securely and safely.
This document can be referenced by anyone who processes such material on behalf of others and covers
the following scenarios:
— on site - using mobile equipment at the location of use (destruction equipment is brought to the
confidential or sensitive material);
— off site - transport followed by destruction using equipment at a destruction facility (the confidential
or sensitive material is brought to the destruction equipment, such as used at a dedicated external
facility operated by a service provider);
— use of equipment at the Data Controller’s location (confidential or sensitive material and destruction
equipment co-located, such as a shredder in a building occupied by a client or clients).
Destruction by erasure (e.g. crypto erasure, data overwriting, degaussing or other forms of
magnetic/electronic erasure) is not covered in this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 50131-1 , Alarm systems — Intrusion and hold-up systems — Part 1: System requirements
EN 62676-4, Video surveillance systems for use in security applications — Part 4: Application guidelines
ISO/IEC 21964-2:2018, Information technology — Destruction of data carriers — Part 2: Requirements for
equipment for destruction of data carriers
EN 1627, Pedestrian doorsets, windows, curtain walling, grilles and shutters — Burglar resistance —
Requirements and classification
EN 1628, Pedestrian doorsets, windows, curtain walling, grilles and shutters — Burglar resistance — Test
method for the determination of resistance under static loading
EN 1629, Pedestrian doorsets, windows, curtain walling, grilles and shutters — Burglar resistance — Test
method for the determination of resistance under dynamic loading
EN 1630, Pedestrian doorsets, windows, curtain walling, grilles and shutters — Burglar resistance — Test
method for the determination of resistance to manual burglary attempts

As impacted by EN 50131-1:2006/A1:2009, EN 50131-1:2006/A2:2017 and EN 50131-1:2006/A3:2020.
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1.1
access to documents or materials
ability to obtain or retrieve confidential or sensitive materials
3.1.2
access to secure area
ability to physically enter a secure area
3.1.3
authorized person
individual granted unaccompanied access to confidential or sensitive material in accordance with the
needs of their job who has been security cleared to the prevailing national standard or specified
requirement, to the extent applicable
Note 1 to entry: An authorized person must not be given access to confidential or sensitive material of protection
class HS.
3.1.4
Certificate of Destruction
confirmation that the confidential and sensitive material recorded on the Certificate of Destruction has
been through the destruction process and the material has been destroyed
3.1.5
client
owner of confidential or sensitive material who retains a company to provide destruction services in
accordance with an agreed contract
3.1.6
company
entity employed by the client designated as a service provider offering one or more capabilities, typically
on a commercial basis, to whom the client has delegated one or more tasks relating to the destruction
process
3.1.7
competent person
individual with necessary knowledge and skill gained through relevant experience, training and
qualification
3.1.8
confidential information
examples of confidential information include stored facts or knowledge such as medical records, financial
records, software source code or metadata contained on data carriers, the confidentiality of which the
client wishes to protect
3.1.9
contract
documented agreement covering all transactions between the client and the company
3.1.10
critical supplier
contractors with personnel or suppliers who provide equipment that will be used in any area, including
vehicles, where confidential or sensitive material are stored or destroyed
3.1.11
data controller
natural or legal person, public authority, agency or other body who (either alone or jointly or in common
with other persons) determines the purpose for which and the manner in which any personal data are,
or are to be, processed, e.g. owners of personal data will be data controllers
3.1.12
data processor
natural or legal person, public authority, agency or other body who processes the data on behalf of the
data controller, e.g. destruction company and service providers destroying personal data will be data
processors
3.1.13
deforming of data carrier
process of making a data carrier unreadable
Note 1 to entry: Deforming Category H material to the extent that the disk or media cannot be passed over a reader
as a means of data destruction, can be specified up to and including level 3.
3.1.14
destruction
physical process after which confidential or sensitive material becomes non-confidential or non-sensitive
material
Note 1 to entry: Examples of physical processes include disintegration, shredding, dissolution or any other process
which renders material or data unusable or unreadable. Example of a non-physical process might include
encryption, which is outside the scope of this document.
3.1.15
destruction engine
actual destruction mechanism itself
3.1.16
destruction equipment
combination of equipment which can include container lifting/transfer mechanisms, infeed conveyors
and hoppers, destruction engine/mechanism such as shredders, granulators, cutting units or knives,
together with discharge conveyors
3.1.17
destruction facility
service provider premises where destruction equipment is set up and operated
3.1.18
destruction outcome
reduction in size or reduction in composition dependant on the security level chosen and the level of
effort required to recover information or reconstitute the materials
3.1.19
destruction output
material that has been through the destruction process, as specified in this document
3.1.20
dissolved
process by which any information or trace of information held on data bearing materials is dispersed so
as to be completely erased and destroyed
3.1.21
holding site
geographically separate non-destruction site of the service provider for the secure retention of
confidential and sensitive material designated for destruction prior to the ultimate transport to the
destruction facility
3.1.22
locked
physically secured to prevent unauthorized access
Note 1 to entry: This includes access to secure areas and confidential or sensitive materials. Unlocking requires a
protected input to open such as a key, token, RFID lock, passphrase or PIN.
3.1.23
material type
differentiation of confidential and sensitive material dependent on the information density and the scale
of information combined with the construction of the object
3.1.24
protection class
classification of the protection requirement of confidential and sensitive material
3.1.25
record
document describing an event or completion of a process
3.1.26
sealed
physically secured by means of an attached tamper-evident seal restricting access to and withdrawal of
confidential and sensitive documents or materials
3.1.27
secure area
building, room, reception area or shredding/destruction compartment of a mobile destruction vehicle or
an area containing confidential and sensitive material which is controlled and protected from
unauthorized access
3.1.28
security bag
sealable opaque bag designed to securely contain confidential or sensitive material whilst in storage or
transit prior to destruction
3.1.29
security clearance
status granted to individuals, via thorough background checks in jurisdictions where it is legally possible
to do so and / or to a data controller’s specific requirements, allowing them access to confidential and
sensitive materials and secure areas
Note 1 to entry: Security clearance does not grant individuals access to confidential information of protection class
HS.
3.1.30
security container
lockable container, e.g. a console or bin capable of providing secure protection of confidential or sensitive
material including data carriers
3.1.31
security level
classification of the effort needed to recover data and/or information or reconstitute objects to their
original form
3.1.32
sensitive material
all objects containing confidential information or sensitive data (paper, film, optical, electronic) and other
objects containing sensitive material (validation seals, mechanical/electronic lock keys, defective
products, obsolete branded merchandise)
3.1.33
service provider
organization or individual, including subcontractors, offering one or more capabilities relating to the
destruction process, typically on a commercial basis, to whom the client has delegated one or more tasks
3.1.34
shredded ash
residue of incinerated data bearing materials whereby any information or trace of information held on
them is completely erased and destroyed
3.1.35
subcontractor
service provider not directly employed by the Client, contracted to carry out work on behalf of the
Company
3.2 Abbreviations
GPS Global Positioning System
HS Highly Sensitive
OS Official Sensitive
RC Routine Confidential
RFID Radio Frequency Tracking Device
VSS Video Surveillance Systems (CCTV)
4 Protection class
4.1 General
This document recognizes that clients and data controllers will determine the security and protection
requirements with regard to processes to be followed after confidential or sensitive material is allocated
for destruction through to the point at which material has been destroyed.
The degree of the material sensitivity or its data and information content will inform and determine the
need to protect it from violation of the basic principles of confidentiality and integrity, taking into account
the harm which would result from such a violation.
There are three classifications of protection:
— routine confidential - requiring normal protective measures;
— official sensitive - requiring heightened protective measure;
— highly sensitive - requiring very high protective measures.
NOTE See criterion in Annex B, at B.1.1.
4.2 Determination of the protection class
In order for the destruction of data carriers to comply with the principles of economy and proportionality,
the data contained on them shall be assigned a protection class. The security level which is chosen for the
destruction of the data carriers is determined by the protection level of the data.
Protection class RC (Routine Confidential), normal protection level for internal data:
— the most common classification of information, intended for large groups of people;
— unauthorized disclosure or transfer would have limited negative effects on the organization;
— protection of personal data shall be ensured. Otherwise, there is a risk that persons affected may
suffer damage to their reputation and economic circumstances.
Protection class OS (Official Sensitive), higher protection level for confidential data:
— the information is restricted to a small group of people;
— unauthorized disclosure would have serious effects on the organization and may lead to violation of
laws or contractual obligations;
— the protection of personal data shall meet stringent requirements. Otherwise, there is a risk that
persons affected may suffer serious damage to their social standing or economic circumstances.
Protection class HS (Highly Sensitive), very high protection level for strictly confidential and secret data:
— the information is restricted to a very small group of named persons, who are authorized to access
the documents or materials;
— unauthorized disclosure would have serious (existence-threatening) effects on the organization
and/or would lead to violation of professional secrets, contracts and laws;
— the protection of personal data shall be strictly ensured. Otherwise, the life and safety of persons
affected may be at risk, or their personal freedom may be jeopardized.
5 Determination of security level
A level of destruction is to be determined by selection of an outcome, taking into account:
— the state of the art;
— the costs of implementation;
— the nature, scope, context and purposes of processing;
— the risk of varying likelihood and severity of a security breach.
The client as controller and the company/service provider as processor shall implement and approve
technical and organizational measures and the method of destruction to ensure a level of security
appropriate to the risk, including the ability to ensure the ongoing confidentiality, integrity, and resilience
of processing systems and services until the material is destroyed to the required destruction outcomes
specified in the Annex A, Tables A.1 to A.7, to ensure that it is unreadable, illegible, unusable and unable
to be reconstructed.
A security level from 1 to 7 together with the method of destruction shall be chosen that is applicable to
the protection class and that will provide the destruction outcome approved by the client. See Table 1
below.
Table 1 — Assignment of security levels and protection classes
Security levels
Protection
class 1 2 3 4 5 6 7
RC a a x
x x
OS  x x x
HS  x x x x
a
This combination cannot be used for personal data.

NOTE See criteria in Annex B, at B.1.1 and B.2.1.
6 Increasing the security level
For destruction output within Category P, or separately, Category F only, material which has been
destroyed to security level 1, 2 or 3, mixing and compacting may increase security to the next higher level
once only, up to a maximum of security level 4 provided the following criteria are met:
— mixing comprises a minimum of 100 kg of any single Category P and Category F Material Type to be
presented as the aggregate mass of particles or fragments within the destroyed output which shall
be destroyed in a single, uninterrupted cycle of the machine or equipment;
— the company/service provider obtains explicit confirmation from the Client that the methods of
increasing the security level may be applied for this specific work order.
Mixing and compacting material destroyed at security levels 1 and 2 shall not be used as a means of
increasing the security level for the destruction of personal data classified as Material Category P.
It is recommended that the client or data controller of the material gives consideration to the storage of
the destruction output. A paper document is easier to reconstitute if all of its particles are kept in one
place. It is recognized that mixing and compacting destruction output in larger volumes and from multiple
sources dissipates the waste and may make reconstitution less likely. This does not affect the possible
information content of individual particles of material.
When selecting a security level, the density and/or size of the represented information on the data carrier
shall be taken into consideration. If the colour or other characteristics of the data carrier make it easier
to reconstruct, a higher security level may have to be selected.
7 Destruction equipment
7.1 General
The following requirements apply to all physical destruction equipment and related procedures. These
apply at any location: client site, mobile vehicle, or at a destruction facility.
7.2 Use of destruction equipment
Destruction equipment shall be operated by authorized personnel that are trained and in line with
Clause 9 and 13.3, Controlled access to that equipment.
For category P documents or materials that are protection class HS operating staff shall not have physical
access to documents or materials with presentation in original size. The machine, used for the destruction
of the data carrier, is fed either by dumping the content out of the security containers directly into the
machine or hopper or by a secured feed device. This requirement shall be understood in such a way that
ANY access to documents or materials, be it in the normal process of destruction or by design features of
the plant in question, is physically prohibited. Therefore, the transfer of data carriers (e.g. from large
volume security containers) into a collection hopper or bunker as well as the option of manual sorting, is
not sufficient to meet the requirements of protection class HS. This is due to fundamental design
principles which may result in data carriers remaining in the open area as part of the regular process,
requiring manual removal. Any deviation is only permissible in case of technical faults of the destruction
engine itself or of the container lifting/transfer mechanism (e.g. in case of fire).
NOTE 1 See criterion in Annex B, at B.7.1.
With the exception of category P documents or materials at protection class HS, the handling of loose
confidential data carriers (such as reloading or emptying) is permitted only within a secure area.
NOTE 2 See criterion in Annex B, at B.5.9.
In the event that material of different protection class or security level become mixed then all material
shall be destroyed at the highest security level required.
NOTE 3 See criterion in Annex B, at B.10.
Any and all changes of sieve basket and / or cutting unit shall be documented, including details of the
destruction unit, the sieve hole diameter and/or the cutting width of the sieve basket, both installed and
uninstalled, as well as the time of completion of the change. All measurements are to be listed in
millimetres.
NOTE 4 See criterion in Annex B, at B.7.3.
7.3 Operating instructions
Instructions to enable the operator to achieve the destruction outcome shall be available at the
destruction service provider premises.
The range of security levels attainable by destruction equipment shall be stated in written form which
shall be available to machine operators and for inspection.
NOTE See criteria in Annex B, at B.7.5.
7.4 Destruction outcome
The material output from the destruction equipment shall be sample tested to ensure that it can destroy
confidential and sensitive materials to produce waste in accordance with the destruction outcomes
detailed in Annex A, Destruction outcomes.
NOTE See criterion in Annex B, at B.2.9.
7.5 Confirmation of destruction process and its completion
Once destruction is completed, an authorized person is permitted to visually confirm that all confidential
and sensitive material that has entered the equipment destruction process has been destroyed and that
the process has achieved the required outcome.
The client or the data controller is entitled to supervise the destruction of their confidential material.
NOTE 1 See criteria in Annex B, at B.2.11 and B.7.6.
The client is entitled to take a sample of their destroyed confidential or sensitive material. This shall be
made possible unless compromising other client’s material and taking into account the destruction
method. A sample of the requesting client’s material shall be made available at protection class HS.
NOTE 2 See criterion in Annex B, at B.7.7.
7.6 Maintenance and performance monitoring
Destruction equipment shall be regularly serviced and maintained, as follows:
— performance of equipment shall be monitored to ensure that the output complies with the
destruction outcome as stated in Annex A (destruction outcomes);
— performance of equipment, including any swappable modules, screens, cutting units or knives, shall
be assessed by a competent person to ensure that the output achieved complies with the destruction
output detailed in the written form;
NOTE 1 See 7.3 Operating instructions and criterion in Annex B, at B.7.5.
— equipment shall be assessed by a competent person before its first use and thereafter on a regular
basis. The frequency of assessments is detailed in 7.7 below;
— the integrity of the equipment shall be examined by an authorized person following installation,
maintenance or modification to confirm that the equipment has not been modified to facilitate a
deliberate security breach;
— checks and assessments shall be documented and shall include at least the points in the list below.
The record shall note the reason for the check or assessment.
If performance of equipment does not comply with the destruction outcome, corrective action shall be
taken and another documented check made before the equipment can be used for secure destruction of
confidential and sensitive material.
The record and assessment of destruction equipment shall include:
— identifying serial number of equipment;
— reason for check/assessment;
— date and time of check;
— name and organization of the person(s) performing the check;
— description of output checked;
— confirmation of compliance or details of corrective action taken.
NOTE 2 See criteria in Annex B, at B.2.8, B.2.9 and B.7.2.
7.7 Frequency of destruction equipment assessment
The company shall, as a minimum requirement, conduct maintenance as prescribed and/or
recommended by the manufacturer within the time periods specified by the manufacturer.
The specific maintenance interval for parts subject to wear and tear which may affect the resultant
destruction quality (e.g. cutting unit, knives, blades, counter blades, perforated classifier screens) is
dependent upon the machine type as well as the type and duration of machine use (material category,
volume of destruction).
Destruction equipment operators or competent person shall visually inspect machinery at a minimum of
one-week usage intervals, to confirm all functions are in working order to achieve the required
destruction outcome.
Equipment operators shall check the particle size regularly throughout the operating life of the machine
or equipment, because wear or damage to the cutting blades can reduce efficiency in particle size
outcome.
The company is responsible for the identification of maintenance intervals or provide professional
estimates or maintenance service agreements with due care and shall provide these to the client upon
request.
Destruction equipment shall be assessed in line with ISO/IEC 21964-2:2018, Clause 5, Clause 6 and
Clause 7 upon installation and thereafter every five years to test the machine remains fit for purpose and
the certified outcomes are achieved. Upon successful examination, a five-year certificate shall be issued.
In the event of test failure, the destruction equipment shall not be used until a further test confirms the
machinery has been rectified to achieve the required outcomes and a new certificate of conformity has
been issued.
NOTE 1 See criteria in Annex B, at B.2.8 and B.2.9.
For material class M, the service provider will be required to provide specific contract destruction output
requirement together with test material, e.g. branded workwear textile material in original size. The
evaluation of the test shall be to assess the degree of destruction achieves the contracted requirement
which shall be recorded within the test report. The test material shall be measured and pre-sorted in
order to measure particles against the limits and tolerance range stated in Annex A.
NOTE 2 See criterion in Annex B, at B.7.2.
7.8 Redundancy of destruction equipment
Redundancy and availability of the machine for destruction of material shall be ensured by a contingency
plan. For off site destruction premises, there is no requirement for a second machine to be available, but
it shall be ensured that the destruction is completed within the time limit requirements for each
protection class, as specified in Clause 15.
The availability of the destruction machine shall be ensured by a contingency plan, which is required for
protection class OS and protection class HS and is possible for protection class RC.
NOTE See criteria in Annex B, at B.2.10 and B.7.2.
8 Company destruction premises and service provider holding sites
8.1 General
The company destruction premises and any service provider holding sites shall have secure areas with
protective security measures in place in accordance with the designated protection class, as described
below. The company shall have a lockable administrative office and operational centre where records,
business documents, certificates, correspondence, files, etc., necessary for conducting business
transactions are kept.
NOTE See criteria in Annex B, at B.2.12, B.3.1 and B.3.2.
All physical security measures and procedural controls shall be appropriate for the level of risk associated
with the confidential and sensitive material to prevent attack or loss.
Service provider holding sites shall not be used for protection class HS confidential and sensitive material.
The holding sites shall be protected by security methods proportionate to the sensitivity of the material.
The material shall not be stored for more than 72hrs at the holding site.
A secure area shall be protected whilst it contains confidential and sensitive material. This would include,
holding sites as well as the company destruction facility premises. Confidential and sensitive material
shall be protected by measures in accordance with the designated protection class and client specific
requirements.
8.2 Destruction premises and service provider holding site secure areas
The secure area shall be built as a massive construction (e.g. by reinforced concrete, massive brickwork
or equivalent).
NOTE 1 See criterion in Annex B, at B.3.7.
A secure area or service provider holding sites shall be physically separated from other organizations by
massive construction.
NOTE 2 See criterion in Annex B, at B.3.4.
The secure area shall be designed to be a closed area, which is exclusively used for the purpose of
confidential and sensitive material destruction, and is physically isolated from other business activities
on the same site. The secure area shall be designed to protect against attack or unauthorized entry.
8.3 Security
Pedestrian door-sets, windows, curtain walling, grilles and shutters that allow access to processing,
secure areas and office areas shall have a high physical security and shall be fitted with locks, conforming,
as a minimum, to EN 1627, EN 1628, EN 1629 and EN 1630 or equivalent national standards, relevant
authority or contracted insurance requirements. The level of protection specified within these standards
or requirements should be determined by company risk assessments in relation to the protection class
and client requirements.
NOTE 1 See criterion in Annex B, at B.3.6.
An intruder alarm system conforming to EN 50131-1 and monitored by an alarm receiving centre shall
be installed in the premises. As a minimum requirement the system shall monitor the processing, secure
areas and office areas.
NOTE 2 See criteria in Annex B, at B.3.3 and B.5.12.
If either locks or an intruder alarm system is inoperative due to defect or maintenance the secure area
shall be guarded when unattended if confidential or sensitive material is being stored.
A video surveillance system (commonly called CCTV) with recording facilities conforming to EN 62676-4
shall be installed to monitor the secure area entrances, unloading areas, secure areas and processing
areas. The use of such video surveillance shall not enable confidential data to become legible. Video
surveillance of the infeed-opening or feeding device is required during the dumping of the security
containers, unless the client witnesses the destruction process.
NOTE 3 See criterion in Annex B, at B.3.11.
A company risk assessment should be undertaken to establish if further protective measures are
required.
Physical security protective measures shall be subject to individual risk assessment but as a minimum
shall include:
At protection class RC and protection class OS:
— All doors or gates, which lead directly into the secure area, shall normally be closed and locked
manually or closed and locked automatically. Open and unlocked doors and gates are indicated by
optical or acoustical signals;
— The access to and movement within the secure area of any non-company vehicle shall be strictly
controlled and supervised.
At protection class OS and protection class HS:
— A double door/gate system (e.g. airlock docking) is available for entry by vehicles into the secure
area.
NOTE 4 See criterion in Annex B, at B.3.8.
At protection class HS:
— When Doors and Gates, which lead directly into the secure area
...