Physical security

PHY042

Retire information and assets securely

When your building, facilities, information, or assets are no longer needed, make sure you consider the security implications during the decommissioning phase.

Have a plan for destroying, redeploying, or disposing of your facilities, information, or assets securely. For example:

  • safes or filing cabinets containing classified information
  • printers / multi-function devices.


Plan secure storage and transport

Have a plan for keeping your information or equipment secure while it is being stored (awaiting destruction) and when it is being transported to a destruction facility. 

Destroy protectively-marked information and equipment properly

You must destroy protectively-marked information and equipment, so that the waste can’t be reconstructed or used.

Secure disposal or reuse of ICT equipment

You must sanitise or destroy all ICT equipment and media before disposal in line with the New Zealand Information Security Manual (NZSIM) - Product Security and Media Security. This includes devices such as printers, photocopiers, and faxes.

You may re-use ICT equipment if it has been sanitised correctly.


Use appropriate destruction equipment

Destruction equipment is used to destroy protectively-marked information (paper-based and ICT media) so that the waste cannot be reconstructed.

You must destroy protectively-marked information using appropriate destruction equipment or an NZSIS-approved destruction service or a GCSB-approved destruction facility.

Further information can be found in the NZISM.

You should use one of the following options when destroying paper or ICT media:

  • shredding
  • disintegrating
  • pulping (paper-based only)
  • pulverising (ICT media only).

Also refer to:


Using shredders

You may use shredders to destroy paper and ICT media. For example, CDs, and single and dual layer DVDs.

Paper shredders

Commercial strip shredders are not suitable for destroying of protectively-marked material or sensitive waste. Anybody wishing to access the information will have little difficulty reconstructing the pages from the resultant strips.

Cross-cut shredders produce smaller pieces that are harder to reconstruct. The smaller the particle size the more secure the results.

Manufacturers often grade their shredders based on various international standards that often have differing specifications for each security level.

You should take care when purchasing a shredder to ensure the maximum particle size is suitable for your needs.

You must use the following shredders to destroy paper-based protectively-marked information.

  • Grade 3 shredder, maximum particle size 4 mm x 15 mm, suitable for Business Impact Levels (BILs) up to and including high, or protectively-marked information up to and including RESTRICTED.
  • Grade 4 shredder, maximum particle size 1 mm x 15 mm, suitable for BILs up to and including extreme, or protectively-marked information up to and including SECRET.
  • Grade 5 shredder, maximum particle size 1 mm x 5 mm, suitable for all BILs including TOP SECRET and information with compartmented markings.

When possible, use a commercial cross-cut shredder for paper waste for official information where the compromise has a BIL up to and including medium.

Alternatively, you may use an NZSIS-approved destruction company for all levels of protectively-marked information up to SECRET, or TOP SECRET, when directly supervised by one of your people.

Also refer to NZSIS Security Equipment Guide for Shredders (under development).

ICT media shredders

Ask the GCSB for advice on approved media shredders and destruction facilities to destroy ICT media.

Page last modified: 6/06/2019