Why the Replacement for CAS-S Matters
Executive Summary
Why the Replacement for CAS-S Matters and How Independent Assessment Works
The way organisations prove secure data disposal is changing. The NCSC’s new data sanitisation standard, which replaces CAS-S, introduces an outcome-driven, evidence-based approach to assurance. We assess ITAD companies against this new standard to validate that data sanitisation is not only performed, but demonstrably effective.
Why CAS-S Is Being Replaced
CAS-S provided a useful baseline for data sanitisation assurance. However, it reflected a scheme-based, point-in-time model that no longer aligns with modern threat environments, regulatory scrutiny, or buyer expectations. The new NCSC standard aligns with Principles Based Assurance and CRTF thinking, focusing on security outcomes rather than process adherence. The key shift is simple: it is no longer enough to show that sanitisation was performed; irrecoverability must be independently proven.
Why This Change Is Critical for ITAD Companies
For ITAD providers, the replacement of CAS-S reshapes how trust is established in the supply chain. Under the new standard, evidence matters more than certification, sanitisation outcomes must be demonstrable, and assurance must remain valid as tools, firmware, and processes change.
Data Destruction vs Data Sanitisation
Understanding the distinction between data destruction and data sanitisation is fundamental to the new NCSC standard, and it is a distinction that matters commercially as well as technically.
Data destruction relies on the physical elimination of storage media. Shredding, crushing, and degaussing are the most common methods. While physically destroyed media is unrecoverable, destruction also renders the asset permanently unusable. For ITAD providers, this limits remarketing potential and increases disposal costs. It also typically relies on procedural trust: a certificate of destruction is issued, but the actual irrecoverability is rarely independently verified.
Data sanitisation takes a different approach. Using validated logical or cryptographic overwrite methods, sanitisation renders data permanently unrecoverable while preserving the physical asset for reuse or remarketing. When performed and evidenced correctly, a sanitised SSD or HDD is both data-safe and commercially viable.
The critical word is evidenced. Under the old CAS-S model, it was broadly acceptable to demonstrate that a sanitisation process had been followed. Under the new NCSC standard, that is no longer sufficient. Providers must demonstrate that irrecoverability was actually achieved, not just that the right tool was run.
This creates a meaningful challenge for ITAD providers who rely on high-volume, automated workflows. The question is not whether your tools work in principle; it is whether you can prove, for each device processed, that the outcome met the standard. That requires structured evidence, audit trails, and exception handling that can withstand independent scrutiny.
For devices that cannot be successfully sanitised (such as damaged drives, failed overwrites, or unsupported media), the new standard also expects a defined and documented escalation path to physical destruction, with that outcome evidenced as well.
In short: sanitisation is the preferred route for operational and commercial reasons, but only when it can be independently proven to have worked.
SecurLab’s Role: Independent Assessment Against the New NCSC Standard
We independently assess ITAD companies against the NCSC data sanitisation standard that replaces CAS-S. Assessments are principles-based and evidence-driven, focusing on whether irrecoverability is achieved in practice.
How the Assessment Process Works
Scope Definition: Asset types, media, sanitisation methods, claims, and applicable NCSC principles are defined.
Process and Method Validation: Tools and techniques are reviewed for suitability against media type and threat model.
Evidence Review: Logs, tool outputs, asset identifiers, and chain-of-custody records are examined.
Independent Assurance: Evidence is assessed to verify consistent achievement of irrecoverability.
Assurance Outputs: Buyer-consumable, audit-ready assurance statements are produced.
Ongoing Assurance: Revalidation occurs as tools, firmware, or processes change.
Why This Matters to ITAD Customers
For the organisations that use ITAD services — enterprises, public sector bodies, financial institutions, healthcare providers — the stakes around data disposal have never been higher.
Data protection legislation, sector-specific regulation, and increasingly demanding procurement frameworks all require organisations to demonstrate that data has been disposed of in a way that is secure, auditable, and defensible. A certificate of destruction or a supplier's self-attestation is no longer sufficient for many buyers. They need to be able to show, if challenged by a regulator or in the event of a data breach investigation, that their disposal processes met an independently verified standard.
This is where the shift from CAS-S to CRTF-aligned assurance directly affects the commercial relationship between ITAD providers and their customers.
Under the old model, buyers could point to a CAS-S certification as evidence that their supplier operated to an NCSC-recognised standard. With CAS-S no longer active, that assurance reference point is gone. Buyers are now asking their ITAD suppliers a harder question: how do you independently prove that data disposed of on our behalf was irrecoverably destroyed?
ITAD providers who cannot answer that question clearly are increasingly finding themselves removed from approved supplier lists, losing tenders to competitors with stronger assurance credentials, or facing extended due diligence cycles that slow down contract renewal.
Conversely, ITAD providers who can demonstrate independent, CRTF-aligned assurance gain a significant procurement advantage. They reduce the due diligence burden on their customers, shorten sales cycles, and position themselves as the lower-risk, higher-trust option in a competitive market.
Independent assessment against the new NCSC standard provides what buyers actually need: defensible, decision-grade assurance that can be shared with procurement teams, auditors, and regulators. It transforms a supplier's security claim into independently verified evidence, which is a fundamentally different and more valuable thing.
Conclusion
CAS-S focused on how sanitisation was performed. The new NCSC standard focuses on whether it truly worked. For ITAD companies, the ability to prove irrecoverability is now central to trust and market differentiation.
The replacement of CAS-S means ITAD companies are no longer judged on whether sanitisation was performed but on whether it can be independently proven to have worked.
Investing in assessment against the new NCSC sanitisation standard allows you to:
Demonstrate verifiable data irrecoverability
Reduce customer due-diligence and audit friction
Support reuse and remarketing with confidence
Position your organisation as a trusted, future-ready ITAD provider
Our Differentiator
We don’t just assess, we operationalise assurance.
Structured evidence management
Repeatable assessment workflows
Continuous assurance delivery
Next Steps
CRTF readiness is not just about meeting a framework; it’s about making trust easy for your customers. For a detailed breakdown of what ITAD providers need to have in place, see our NCSC CRTF Sanitisation Readiness Checklist.
Request a product gap analysis
Speak to an assurance expert at info@securlab.io