Understanding the New NCSC CAS-S Scheme Changes

The National Cyber Security Centre (NCSC) regularly reviews its standards to combat new threats and ensure the highest level of assurance for government and related sectors.

For organisations that handle classified information, the CAS-S scheme is a crucial benchmark. It’s a certification programme run by the NCSC to ensure that data destruction services meet the strictest security requirements. In simple terms, it’s a quality assurance mark for how data is securely destroyed on storage devices that have handled government-classified or sensitive information.

For public sector organisations or any business handling classified data, working with a CAS-S certified provider is essential to demonstrate adherence to the highest standards of secure data destruction.

Why the changes?

What was considered “secure” five years ago may now be dangerously outdated. The NCSC’s recent updates to the CAS-S scheme reflect a proactive stance against increasingly sophisticated threats. The goal is to increase confidence in data destruction procedures and ensure the irrecoverability of all classified data.

Key Changes to the CAS-S Scheme

1. Stricter Evaluations for Certified Providers
Providers certified under the CAS-S scheme, including Restore Technology, now face more in-depth, regular assessments. These evaluations aren’t just technical; they also scrutinise operational security, including chains of custody, physical security at our sites, staff screening, and procedural integrity. We must demonstrate a complete, end-to-end audit trail and prove that our destruction methods meet updated requirements.

2. Reduced Particle Sizes
A major update concerns how finely storage media must be shredded or broken down. Previously, the benchmark allowed for larger particles in some cases. The new, more stringent standards often require particles to be less than 2mm, depending on the data classification and media type. This change makes data even harder, if not impossible, to reconstruct and applies to all government security classification levels.

What these changes mean for you

If you already work with a licensed CAS-S provider, you are in a good position. However, continued compliance requires a fresh look at your existing processes.

1. Review Your Existing Policies

Your data destruction policy may need to be updated to reflect the new NCSC requirements.

2. Check Your Provider’s Status

Only CAS-S certified providers can offer assurance they meet the latest NCSC standards.

3. Audit Your Chain of Custody

The chain of custody, from device collection to destruction, must be more secure and better documented than ever before.

Restore Technology: Your Partner in Compliance

We’re here to help you navigate these changes and ensure your data destruction processes are not only compliant but also simple and seamless. Our team can help you:

  • Understand exactly what the changes mean for your organisation.
  • Adapt your current processes to meet new NCSC requirements.
  • Receive certified destruction and recycling documentation.
  • Reduce liability and risk around NCSC data destruction.

We ensure everything is logged with full audit trails because transparency is just as important as compliance.

NCSC CAS-S Scheme & Data Destruction

The NCSC CAS-S (Commodity Assurance Services – Sanitisation) scheme is a certification programme run by the National Cyber Security Centre. It’s designed to provide assurance that commercial data destruction services meet the NCSC’s high-security standards. It’s a vital benchmark for any organisation handling government-classified or sensitive data.

Working with a certified provider ensures that your data is destroyed in line with the UK government’s most stringent security requirements. It demonstrates due diligence and helps you meet compliance obligations, significantly reducing your organisation’s risk of a data breach and its associated legal and financial consequences.

Not necessarily. The NCSC guidelines, which our processes are built on, provide different methods for handling end-of-life IT assets. While physical destruction is the gold standard for highly classified data, secure data wiping may be a viable option for assets you wish to reuse or remarket. Our experts can help you determine the most appropriate method for each asset based on its data classification.

Restore Technology operates a zero-landfill policy. After data destruction, all shredded waste is incinerated or recycled. This ensures that your organisation meets both its data security and sustainability goals. We provide a complete audit trail and certification of destruction for every asset.

The NCSC regularly reviews and updates its assurance schemes to keep pace with evolving threats and technological advancements. The recent changes to the CAS-S scheme, for instance, were a direct response to a need for stricter security measures. Staying informed and partnering with a provider who is up-to-date with the latest standards is key to maintaining compliance.

Restore Technology is already certified under the NCSC CAS-S scheme. Our destruction services are fully aligned with the new, more rigorous requirements. We can help you understand how these changes affect your current policies, and we provide a secure, end-to-end service, from collection and tracking to certified destruction and reporting.

Compliance, Security, and Peace of Mind

The updated NCSC CAS-S scheme is a reminder that data destruction is a critical part of any serious cybersecurity strategy. At Restore Technology, we believe that compliance shouldn’t be complicated. Whether you’re decommissioning laptops or handling highly classified material, we’ll make sure your processes meet the latest NCSC guidance—no grey areas, no guesswork.

Need a hand making sense of the updates or booking a secure collection? Get in touch with Restore Technology today. Let’s ensure your data destruction strategy is watertight, future-proof, and fully aligned with the new NCSC framework.
