NCSC CRTF Sanitisation Readiness Checklist - Replacement for CAS-S

(For ITAD Providers Seeking Certification Under the Scheme Replacing CAS‑S)

Overview

The NCSC’s shift from CAS‑S to CRTF-aligned assurance changes how ITAD providers demonstrate compliance.

The focus moves from:

❌ one-off evidence submissions

to

✅ repeatable, auditable, and defensible sanitisation processes supported by structured evidence

For ITAD organisations, this means proving not just that devices are sanitised — but:

👉 how sanitisation is consistently performed, verified, and evidenced across operations

1. Governance & Accountability

  • Defined ownership for:

    • data sanitisation processes

    • certification compliance

    • evidence management

  • Named accountable individuals for:

    • approval of sanitisation methods

    • external assurance submissions

  • Documented governance covering:

    • device lifecycle handling

    • risk acceptance (e.g. damaged drives)

    • escalation procedures

2. Sanitisation Processes (CORE REQUIREMENT)

You must demonstrate controlled, repeatable sanitisation processes across all asset types.

✅ Processes defined for:

  • HDD, SSD, and removable media

  • mobile devices and endpoints

  • failed or non-functional devices

✅ Methods must be:

  • aligned to recognised standards (e.g. NCSC guidance, NIST SP 800-88)

  • consistently applied across operations

  • appropriate to device type and risk

✅ You should be able to evidence:

  • wiping processes (logical sanitisation)

  • destruction processes (physical sanitisation)

  • decision criteria between wipe vs destroy

3. Verification & Validation

CRTF requires proof that sanitisation actually worked, not just that a wipe job was started.

You should have:

  • verification mechanisms for each sanitisation method

  • documented checks (automated or manual)

  • sampling or validation processes

✅ Evidence should show:

  • successful completion of sanitisation

  • failure identification and reprocessing

  • audit trail linking: device → process → outcome
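Section 3 asks for a verification mechanism per sanitisation method. The following is an added example, not code from the original checklist or from any vendor: a read-back check of an overwritten drive image in the representative-sampling style that NIST SP 800-88 permits after an overwrite. The first and last blocks are always read, the remaining samples are chosen with a CSPRNG so an operator cannot predict which sectors will be inspected, and a full read is one flag away. The image path, block size, sample count and the constructed test image are assumptions for illustration. One caveat belongs in the evidence alongside the result: a clean read-back shows the host-visible area was overwritten; it says nothing about over-provisioned or retired flash blocks on an SSD, which is why flash media is normally purged with a firmware-level command or destroyed rather than verified by overwrite read-back alone.

```python
import os
import secrets
import tempfile

BLOCK_SIZE = 4096  # verification granularity; must be a multiple of the pattern length


def verify_wipe(path, pattern=b"\x00", samples=64, full=False):
    """Check that an image of a sanitised drive contains only `pattern`.

    full=False: representative sampling (first block, last block, plus
    CSPRNG-chosen interior blocks). full=True: every block is read.

    Returns (ok, first_bad_offset, blocks_checked). On failure the byte
    offset of the first residual data is returned so it can go into the
    failure record that triggers reprocessing.
    """
    if BLOCK_SIZE % len(pattern):
        raise ValueError("pattern length must divide BLOCK_SIZE")
    size = os.path.getsize(path)
    nblocks = (size + BLOCK_SIZE - 1) // BLOCK_SIZE
    if nblocks == 0:
        return False, 0, 0  # an empty image is not evidence of anything

    if full or samples >= nblocks:
        chosen = range(nblocks)
    else:
        picks = {0, nblocks - 1}  # boundaries are where partial wipes usually stop
        while len(picks) < samples:
            picks.add(secrets.randbelow(nblocks))
        chosen = sorted(picks)

    checked = 0
    with open(path, "rb") as f:
        for b in chosen:
            f.seek(b * BLOCK_SIZE)
            data = f.read(BLOCK_SIZE)
            expected = (pattern * (BLOCK_SIZE // len(pattern)))[:len(data)]
            if data != expected:
                bad = next(i for i, (got, want) in enumerate(zip(data, expected)) if got != want)
                return False, b * BLOCK_SIZE + bad, checked + 1
            checked += 1
    return True, None, checked


def demo():
    """Constructed input: a 64-block all-zero image, then one residual byte."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "wiped_disk.img")
        with open(img, "wb") as f:
            f.write(b"\x00" * (BLOCK_SIZE * 64))
        clean = verify_wipe(img, samples=16)

        # simulate a sector the wipe never reached, inside the last block
        with open(img, "r+b") as f:
            f.seek(BLOCK_SIZE * 64 - 17)
            f.write(b"A")
        dirty = verify_wipe(img, samples=16)  # the last block is always sampled
        return clean, dirty


if __name__ == "__main__":
    print(demo())
```

Record the returned offset and the number of blocks inspected in the failure record, so the reprocessing decision (re-wipe or destroy) is traceable to the specific check that triggered it rather than to a bare "verification failed".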

4. Chain of Custody & Asset Tracking

A core requirement for ITAD providers.

You must maintain:

  • full asset traceability from:

    • receipt → processing → sanitisation → disposition

✅ Systems should track:

  • serial numbers / asset IDs

  • location and custody changes

  • processing status and outcomes

✅ Evidence must demonstrate:

👉 No loss of control over devices at any stage

5. Evidence & Record Keeping

This is where most organisations struggle.

You must maintain defensible, structured evidence, not just operational logs.

✅ Evidence should include:

  • sanitisation certificates (where applicable)

  • process logs

  • system-generated records

  • exception handling records

✅ Good evidence is:

  • repeatable

  • traceable

  • time-stamped

  • tamper-resistant or controlled

❗ Avoid:

  • screenshots without provenance

  • manual spreadsheets without controls

  • inconsistent record formats
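Sections 4 and 5 come down to one property: a record linking device → process → outcome that cannot be altered after the fact without leaving a trace. As an added example, not the page’s own material or any product’s code, the following keeps custody and sanitisation events in a hash-chained, MAC-protected log. Each entry carries the MAC of the entry before it, so an edit, deletion or reordering anywhere is reported at the first record it breaks. The key, asset IDs, actors, timestamps and events are constructed for illustration; the one design assumption worth stating is that the MAC key is held by the evidence system and not by the operators who perform wipes.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


class EvidenceLog:
    """Append-only, hash-chained log of custody and sanitisation events.

    Every entry commits to the MAC of the previous entry, so editing,
    deleting or reordering any record invalidates every record after it.
    The MAC key belongs to the evidence system, not to wipe-bay operators,
    so a record cannot be quietly re-issued with a better outcome.
    """

    GENESIS = "0" * 64

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _mac(self, body):
        # canonical JSON so the same record always serialises identically
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def append(self, asset_id, event, actor, detail, when):
        body = {
            "seq": len(self.entries),
            "ts": when.astimezone(timezone.utc).isoformat(),
            "asset_id": asset_id,
            "event": event,  # receipt / custody_change / sanitise / destroy / dispatch
            "actor": actor,
            "detail": detail,
            "prev": self.entries[-1]["mac"] if self.entries else self.GENESIS,
        }
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, first_bad_seq); a break is reported at the first record it affects."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(self._mac(body), e["mac"]):
                return False, i
            prev = e["mac"]
        return True, None

    def trail(self, asset_id):
        """The device -> process -> outcome view an auditor asks for."""
        return [(e["ts"], e["event"], e["detail"].get("outcome"))
                for e in self.entries if e["asset_id"] == asset_id]


def demo():
    """Constructed events for one drive, followed by a retrospective 'tidy-up'."""
    log = EvidenceLog(key=b"constructed-demo-key-not-for-production")
    t = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    log.append("SN-7731", "receipt", "goods-in",
               {"customer_ref": "ACME-0042", "device_type": "HDD"}, t)
    log.append("SN-7731", "custody_change", "goods-in", {"to": "wipe-bay-2"}, t.replace(hour=10))
    log.append("SN-7731", "sanitise", "operator-17",
               {"method": "overwrite", "verification": "sampled readback",
                "outcome": "FAIL", "reason": "unreadable sectors"}, t.replace(hour=11))
    log.append("SN-7731", "destroy", "operator-17",
               {"method": "shred", "outcome": "PASS"}, t.replace(hour=14))
    before = log.verify()

    # someone later edits the stored record so the failed wipe reads as a pass
    log.entries[2]["detail"]["outcome"] = "PASS"
    after = log.verify()
    return before, after, log.trail("SN-7731")


if __name__ == "__main__":
    print(demo())
```

Whether the key lives in an HSM, a cloud KMS or a separate signing service is a deployment choice; the property the assessor needs is that the people running the wipe bay cannot produce a valid MAC, and that verification is run by someone other than the team that wrote the records.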

6. Evidence Sanitisation (CRITICAL CHANGE FROM CAS‑S)

You must be able to safely share evidence externally.

✅ Before sharing evidence:

  • remove or redact:

    • customer identifiers

    • asset ownership data

    • internal system IDs

    • any sensitive operational information

✅ While maintaining:

  • proof of sanitisation

  • traceability

  • auditability

👉 Key principle:

Evidence must be safe to share, without losing meaning
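Section 6 requires identifiers to be removed without losing traceability, and the "Common Challenges" section below names both ways this goes wrong: too much redaction and too little. The following is an added example, not from the original checklist, of an allow-list approach: each field is either kept, replaced by a keyed pseudonym, or dropped, and any field not named is dropped, so a newly added internal column fails closed instead of leaking. Pseudonyms are HMACs rather than bare hashes because serial numbers and customer codes are low-entropy and an unkeyed hash can be reversed from a candidate list. The records, key and field names are constructed for illustration.

```python
import hashlib
import hmac

# Allow-lists: a field is shared only if it is named here. Anything else
# (internal ticket numbers, hostnames, operator names, free-text notes)
# is dropped, so a newly added internal field cannot leak by default.
KEEP = {"ts", "device_type", "method", "standard", "verification", "outcome"}
PSEUDONYMISE = {"asset_id", "customer_ref"}


def pseudonym(key, field, value):
    """Keyed, deterministic token for an identifier.

    HMAC rather than SHA-256 alone: serials and customer codes are low-entropy,
    so an unkeyed hash of a serial can be recovered by hashing a list of
    candidate serials. Binding the field name into the message means an asset
    token can never collide with a customer token for the same string.
    The same key is used for every export, so the same drive gets the same
    token across certificates and can still be resolved internally on request.
    """
    return hmac.new(key, f"{field}={value}".encode(), hashlib.sha256).hexdigest()[:32]


def redact_record(record, key):
    out = {}
    for field, value in record.items():
        if field in KEEP:
            out[field] = value
        elif field in PSEUDONYMISE:
            out[field] = pseudonym(key, field, value)
        # every other field is deliberately omitted
    return out


def redact_batch(records, key):
    return [redact_record(r, key) for r in records]


def demo():
    """Constructed internal records: a drive that failed a wipe and was shredded, plus a second drive."""
    key = b"constructed-pseudonym-key-kept-internal"
    internal = [
        {"ts": "2025-01-06T11:00:00+00:00", "asset_id": "SN-7731", "customer_ref": "ACME-0042",
         "device_type": "HDD", "method": "overwrite", "standard": "NIST SP 800-88 clear",
         "verification": "sampled readback", "outcome": "FAIL",
         "ticket": "ITAD-88123", "operator": "j.smith", "host": "wipe-bay-2.corp.example",
         "notes": "ACME wants these back by Friday"},
        {"ts": "2025-01-06T14:00:00+00:00", "asset_id": "SN-7731", "customer_ref": "ACME-0042",
         "device_type": "HDD", "method": "shred", "standard": "NIST SP 800-88 destroy",
         "verification": "visual", "outcome": "PASS",
         "ticket": "ITAD-88123", "operator": "j.smith"},
        {"ts": "2025-01-06T12:30:00+00:00", "asset_id": "SN-9002", "customer_ref": "ACME-0042",
         "device_type": "SSD", "method": "firmware purge", "standard": "NIST SP 800-88 purge",
         "verification": "sampled readback", "outcome": "PASS",
         "ticket": "ITAD-88124", "operator": "a.khan"},
    ]
    return redact_batch(internal, key)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

In the output the failed wipe and the destruction that followed carry the same asset token, so a customer or assessor can see that the failure was closed out, while the ticket number, hostname, operator and the free-text note (the field that most often carries a customer name) never leave the building. The key is part of the evidence system: lose it and the tokens can no longer be resolved; leak it and the pseudonyms are no better than the serials.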

7. Operational Security Controls

CRTF expects assurance around how the service is delivered, not only around the sanitisation step itself.

✅ You should demonstrate:

  • controlled access to processing facilities

  • physical security (CCTV, restricted areas)

  • personnel controls (background checks, training)

✅ Logical controls:

  • access management for systems

  • logging of user actions

  • segregation of duties where appropriate

8. Staff Competence & Training

Sanitisation is only as strong as the people executing it.

✅ You must evidence:

  • role-based training for staff

  • awareness of sanitisation standards

  • understanding of handling sensitive data

✅ Records should include:

  • training completion logs

  • competency assessments

  • refresher training cycles

9. Customer Communication & Assurance

CRTF places more emphasis on customer-facing transparency.

✅ You should have:

  • clear description of sanitisation processes

  • defined approach to issuing certificates

  • ability to respond to:

    • customer audits

    • due diligence requests

✅ Communication should explain:

  • what was done

  • how it was verified

  • what evidence supports it

10. Exception Handling

Not all devices can be processed normally.

You must define:

  • how failed devices are handled

  • how incomplete wipes are escalated

  • when destruction is required

✅ Evidence should show:

  • decision making

  • approval

  • final outcome

Common Challenges for ITAD Providers

Across CRTF readiness work, the most frequent issues are:

Weak Evidence Structures

  • data exists but is not:

    • structured

    • consistent

    • audit-ready

Poor Traceability

  • gaps between: asset → process → outcome

Over- or Under-Sanitisation of Evidence

  • too much redaction = unusable

  • too little = security risk

Manual Processes

  • paper-based or spreadsheet tracking

  • difficult to scale or audit

Inconsistent Execution

  • variation between sites, teams, or devices

Final Outcome

An ITAD organisation ready for CRTF certification should be able to:

👉 Track every asset
👉 Sanitise it using defined processes
👉 Verify the outcome
👉 Evidence everything clearly
👉 Share that evidence safely with customers

👉 The NCSC Sanitisation Standard isn’t just about wiping data; it’s about proving, at scale and with confidence, that you did it properly.

Ready to find out where your sanitisation processes stand against NCSC CRTF requirements? Book a free gap assessment — we'll give you a clear picture of what's ready and what needs work before you go for certification.
