Destruction of data carriers in accordance with the requirements of ISO/IEC 21964

Probably each of us has experienced how valuable both private and business information can be. How costly can it be to lose access or lose a document briefcase. Today, the topic is related to securing information by destroying it.

It is known that information is inseparable from its carrier – paper, electronic, biological. Sometimes in the media there is information that somewhere in the trush quite interesting information of a confidential nature has been found. Generally speaking, there is time to gather information and keep it secure, and there is time to permanently delete it (in whole or in part). Certain circumstances may require it. How to prepare for the earlier deletion of data and their carriers? We can find help in international standards.

ISO/IEC 21964 standards

The ISO/IEC 21964 series of standards includes data destruction requirements. It introduces 3 protection classes that define the accuracy with which data should be destroyed. It defines 7 security levels applicable to 6 categories of carriers:

  • Original size information e.g. paper, printed forms, x-ray film
  • Optical data carriers, e.g. CD / DVD / Blue-ray;
  • Magnetic data carriers, eg floppy disks, magnetic stripe cards;
  • Hard drives with magnetic storage media;
  • Information in reduced form, e.g. films, microfilms;
  • Electronic data carriers, e.g. USB sticks, smart cards, solid-state drives;

For each category of carriers, the security level = destruction class (they differ mainly in the size of the fragments and the possibility of their later reconstruction).

ISO / IEC 21964 consists of three parts:
  1. ISO/IEC 21964-1:2018 INFORMATION TECHNOLOGY — DESTRUCTION OF DATA CARRIERS — PART 1: PRINCIPLES AND DEFINITIONS;
  2. ISO/IEC 21964-2:2018 INFORMATION TECHNOLOGY — DESTRUCTION OF DATA CARRIERS — PART 2: REQUIREMENTS FOR EQUIPMENT FOR DESTRUCTION OF DATA CARRIERS;
  3. ISO/IEC 21964-3:2018 INFORMATION TECHNOLOGY — DESTRUCTION OF DATA CARRIERS — PART 3: PROCESS OF DESTRUCTION OF DATA CARRIERS.

Who is the standard addressed to?

Anyone who processes confidential data, personal data and / or sensitive data for their own purposes or on behalf of other persons / entities, must ensure the secure destruction of media containing such information in a manner that ensures privacy. “Safe destruction” in this context means the destruction of media containing the above-mentioned information in such a way that restoring data from them becomes either impossible or possible only with significant expenses (personnel, resources, time).

Scroll to Top