The UK Benchmark for Secure Data Destruction, Explained
You’ll see “HMG Infosec Standard 5” on data destruction certificates everywhere. But what does it actually mean, is it still current, and what should UK businesses ask for in 2026? This guide breaks it down in plain English.
- ✓ What HMG IS5 is and where it came from
- ✓ The difference between Lower and Higher standard wiping
- ✓ How it relates to NCSC guidance and UK GDPR
- ✓ What to demand from your data destruction provider
Quick Summary: HMG Infosec Standard 5
- What it is: A UK government standard that defined how data must be securely overwritten or destroyed on storage media
- Two levels: The “Lower” standard (a single overwrite pass) and the “Higher” standard (multiple passes plus verification), for more sensitive data
- Its status: The original standard has been superseded by NCSC guidance, but “HMG IS5” remains the widely recognised shorthand for compliant, verified data destruction in the UK
- Why it matters: Under UK GDPR you must securely destroy personal data, and an IS5-aligned process with certification is your proof you did
- Bottom line: Ask your provider for verified destruction to a recognised standard, with a certificate of destruction and a full audit trail
If you’ve ever arranged secure data destruction, or read the small print on a certificate, you’ll have come across the phrase “HMG Infosec Standard 5”, usually shortened to HMG IS5. It appears on quotes, certificates and provider websites as a kind of shorthand for “we destroy data properly”. But it’s rarely explained, and that leaves a lot of businesses nodding along without really knowing what they’re paying for, or whether it’s enough.
That matters, because data destruction is one of those areas where the gap between “looks compliant” and “is compliant” can be expensive. Get it wrong and a single recovered drive can become a reportable personal data breach, with the regulatory and reputational fallout that follows.
This guide explains, in plain English, what HMG Infosec Standard 5 actually is, where it came from, how it relates to today’s NCSC sanitisation guidance and UK GDPR, and most importantly what you should expect from a data destruction provider in 2026. Whether you’re disposing of a handful of drives or decommissioning a data centre, understanding the standard helps you ask the right questions and get genuine assurance, not just a reassuring-looking logo.
What Is HMG Infosec Standard 5?
HMG Infosec Standard 5 was a UK government information security standard that set out how data should be securely sanitised, that is, removed from storage media so it cannot be recovered. “HMG” stands for Her (now His) Majesty’s Government, reflecting its origins as a standard for protecting government information.
Its Core Purpose
The standard answered a deceptively simple question: how do you make sure data is genuinely gone? As we explain in our guide to why deleting files is not GDPR compliant, ordinary deletion and formatting leave data fully recoverable. IS5 specified the overwriting methods needed to defeat that recovery and put the matter beyond doubt.
Why It Became the Default Reference
Because it was a government-backed, clearly defined benchmark, IS5 was adopted far beyond government. Commercial data destruction providers aligned their processes to it, and “destroyed to HMG IS5” became the recognised commercial shorthand for trustworthy, verifiable data destruction across the UK, a status it still holds today even as the underlying guidance has evolved.
The Two Levels: Lower and Higher Standard
One of the most useful things to understand about IS5 is that it defined two distinct levels of assurance. The right one for you depends on how sensitive your data is.
The Lower Standard
The Lower standard called for a single overwriting pass across the whole drive. For the vast majority of routine business data, a single verified overwrite of a modern drive is genuinely effective: it defeats software-based recovery completely. This level suited everyday commercial information being securely retired.
The Higher Standard
The Higher standard required multiple overwriting passes, typically with different data patterns, followed by verification that the process had succeeded. It was intended for more sensitive information where the consequences of recovery would be severe. The added verification step is the crucial part: it confirms, rather than assumes, that the data is gone.
Why Verification Is the Real Point
Whichever level applies, the defining feature of IS5-aligned destruction is verification and documentation. Anyone can run a wiping tool; the standard’s value is in proving the wipe worked and recording that it happened. That evidence is exactly what you need to demonstrate compliance later, which is why a certificate of destruction is so important.
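To make "prove it and record it" concrete, here is an added example (not part of the original guide or any provider's tooling) that overwrites a file-backed image, reads it back to verify the final pass, and returns a certificate-style record. The function names, the 0x00/0xFF/0x00 pass patterns, the serial number and the provider name are assumptions for illustration, not values taken from the standard.

```python
import os, tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20                                   # work in 1 MiB blocks
SAMPLE = b"CONSTRUCTED-PERSONAL-DATA;" * 4000     # constructed sample content

def overwrite_pass(path, pattern):
    """Write the one-byte pattern over every byte of the image; return its size."""
    remaining = size = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining:
            n = min(CHUNK, remaining)
            f.write(pattern * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())                      # push the data past the OS cache
    return size

def verify_pass(path, pattern):
    """Read the whole image back; return the first mismatching offset, or None."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != pattern * len(chunk):
                return offset + next(i for i, b in enumerate(chunk) if b != pattern[0])
            offset += len(chunk)
    return None

def wipe_and_certify(path, serial, patterns, provider):
    """Run each pass, verify the final one, and return a certificate record."""
    for p in patterns:
        size = overwrite_pass(path, p)
    mismatch = verify_pass(path, patterns[-1])
    return {"serial": serial, "provider": provider, "verified": mismatch is None,
            "method": f"{len(patterns)}-pass overwrite, read-back verified",
            "date_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "bytes_covered": size, "first_mismatch": mismatch}

def demo():
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(SAMPLE)
    try:
        cert = wipe_and_certify(f.name, "SN-CONSTRUCTED-0001",
                                [b"\x00", b"\xff", b"\x00"], "Example Provider Ltd")
        with open(f.name, "r+b") as g:            # simulate a region the wipe missed
            g.seek(1234)
            g.write(b"X")
        return cert, verify_pass(f.name, b"\x00")
    finally:
        os.remove(f.name)
```

Calling `demo()` returns the certificate for the clean wipe plus the offset at which a second read-back catches the deliberately missed byte. The image file stands in for a healthy drive; it does not model SSDs, where overwriting does not reliably reach every cell.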
Overwriting vs Physical Destruction
IS5 covered secure overwriting, but overwriting isn’t always the right tool. Two factors decide whether you wipe a drive for reuse or physically destroy it.
When Overwriting Makes Sense
If a drive is healthy and you want to reuse, resell or redeploy it, verified overwriting to the appropriate level lets you do that safely while keeping the asset in service. It’s the more sustainable choice, extending the life of working hardware rather than scrapping it. The catch is that the drive must be fully functional: you can’t reliably overwrite a failed disk.
When Physical Destruction Wins
For failed drives, end-of-life media, or the most sensitive data, physical destruction (shredding or degaussing) is the surer route. It leaves nothing to recover and nothing to verify. Our guide to hard drive shredding versus wiping walks through the trade-offs in detail.
A Note on SSDs
Solid-state drives complicate the picture. Because of how they store and move data, traditional multi-pass overwriting doesn’t reliably reach every cell. For SSDs, a proper cryptographic erase (destroying the encryption key) or physical destruction is the dependable approach, a point any competent IS5-aligned provider will understand and apply.
Is HMG IS5 Still Current in 2026?
This is where there’s genuine confusion, so it’s worth being clear. The original HMG Infosec Standard 5 document is no longer the live, maintained government standard. Responsibility for this guidance now sits with the National Cyber Security Centre (NCSC), whose sanitisation and secure-disposal guidance is the current reference point for UK organisations.
Why the Term Survives
Despite that, “HMG IS5” hasn’t gone away, and for good reason. It remains the most widely recognised shorthand in the industry for verified, documented data destruction. When a provider says it destroys to HMG IS5, the meaning everyone understands is: a defined, verifiable overwriting or destruction process, carried out to a recognised level and backed by evidence. The principles the standard established (appropriate methods, verification, and documentation) remain entirely valid.
What to Look For Today
In practice, the modern requirement is best understood through current NCSC data sanitisation guidance, which a reputable provider will follow. The smart approach is not to fixate on a single label but to confirm that the process is methodologically sound, verified, certificated and auditable. A provider that understands both the IS5 heritage and current NCSC guidance is exactly who you want.
How It Connects to UK GDPR
For most businesses, the real driver behind secure data destruction isn’t a security standard for its own sake; it’s the law. UK GDPR makes this unavoidable.
Your Legal Obligation
UK GDPR requires personal data to be processed securely and not kept longer than necessary, and “processing” includes destruction. In plain terms: when you dispose of a device, you remain responsible for the personal data on it right up to the moment it’s destroyed. If that data can be recovered, you haven’t met your obligation. Our GDPR IT disposal compliance checklist sets out the full picture.
Why IS5-Aligned Destruction Is Your Evidence
This is where the standard earns its keep. A verified, IS5-aligned destruction process produces exactly the evidence a regulator expects: proof that data was destroyed to a recognised method, when, and by whom. Without that documentation, you’re relying on assertion rather than evidence, and in a breach investigation, evidence is everything.
The Cost of Getting It Wrong
The downside is real. Recovered data from poorly disposed equipment has led to fines, enforcement and serious reputational damage for UK organisations. Set against that, certified destruction to a recognised standard is a small, sensible insurance, not an optional extra.
What to Demand From Your Data Destruction Provider
Understanding the standard is only useful if it changes what you ask for. Whether you’re disposing of ten drives or ten thousand, hold your provider to these expectations.
A Defined, Recognised Method
Ask exactly how data is destroyed (overwriting to which level, shredding to what particle size, or degaussing) and to which standard or guidance. A confident provider will answer clearly and in writing. Vague reassurance is a red flag.
Verification, Not Just Action
The process should confirm the data is gone, not simply assume it. Verified overwriting and witnessed or recorded destruction are what separate genuine assurance from a hopeful wipe.
A Certificate of Destruction and Audit Trail
You should receive a certificate of destruction listing the assets handled, ideally down to serial-number level, along with the date and method. This is your compliance evidence, so insist on it. A full audit trail from collection to destruction closes the loop.
Proper Accreditations
Look for relevant certifications such as ISO 27001 for information security management, and appropriate environmental permits for the recycling side. These show the provider’s claims are independently assessed, not self-declared. You can review Innovent’s accreditations as an example of what to expect.
Secure Chain of Custody
Data must stay protected throughout: during collection, transport and processing. Ask how equipment is secured in transit and who has access to it before destruction. A break in the chain of custody is a break in your compliance.
Putting It Into Practice
Translating the standard into a working process is simpler than it sounds. A sound approach looks like this:
- Identify every data-bearing device at end of life, including the easily forgotten ones: printers and copiers with internal drives, servers, network gear and external media
- Decide wipe or destroy for each, based on the data’s sensitivity and whether the hardware will be reused
- Maintain a secure chain of custody from the moment a device is retired until it’s destroyed
- Use a provider that verifies and documents the destruction to a recognised standard
- Keep the certificates and audit records as part of your compliance evidence
Build that into your normal IT refresh cycle and secure data destruction stops being a periodic panic and becomes a routine, defensible part of how you run your estate. For the broader framework, see our IT asset disposal best practices guide.
Frequently Asked Questions
What is HMG Infosec Standard 5?
HMG Infosec Standard 5 (HMG IS5) was a UK government information security standard that defined how data should be securely overwritten or destroyed on storage media so it cannot be recovered. It set two levels, Lower (a single verified overwrite) and Higher (multiple passes with verification), and became the widely recognised commercial benchmark for trustworthy data destruction in the UK.
Is HMG IS5 still valid in 2026?
The original IS5 document has been superseded by current NCSC sanitisation guidance, which is now the maintained reference for UK organisations. However, “HMG IS5” remains in everyday use as shorthand for verified, documented data destruction, and the principles it established (sound methods, verification and documentation) are still entirely valid.
What is the difference between the Lower and Higher standard?
The Lower standard required a single overwriting pass, which is effective for most routine business data on modern drives. The Higher standard required multiple overwriting passes plus verification, intended for more sensitive information where the consequences of recovery would be severe. The key feature of both is verification, confirming the data is genuinely gone rather than assuming it.
Does HMG IS5 satisfy UK GDPR requirements?
UK GDPR requires personal data to be securely destroyed and holds you responsible until it is. A verified, IS5-aligned destruction process with a certificate of destruction provides exactly the documented evidence a regulator expects. The standard itself isn’t GDPR law, but using an IS5-aligned, certificated process is a practical way to demonstrate you met your GDPR obligation. See our GDPR IT disposal checklist for detail.
Is overwriting or physical destruction better?
It depends. Verified overwriting lets you safely reuse or resell a healthy drive and is the more sustainable choice. Physical destruction (shredding or degaussing) is best for failed drives, end-of-life media and the most sensitive data, because it leaves nothing to recover. SSDs are a special case where cryptographic erase or physical destruction is more reliable than traditional overwriting.
What should a data destruction certificate include?
A good certificate of destruction should list the assets destroyed (ideally to serial-number level), the date, the method used and the standard followed, and identify the provider. It is your documented proof of compliance, so it should be detailed enough to stand up in an audit or a breach investigation.
Do printers and copiers need IS5-level destruction too?
Often, yes. Many office multifunction printers and copiers contain internal hard drives that store images of documents they’ve handled. Those drives hold personal and confidential data and should be wiped or destroyed to the same standard as any computer. It’s one of the most commonly overlooked data risks in IT disposal.
How do I choose a compliant data destruction provider?
Look for a defined, recognised destruction method explained in writing, verification of the process, a detailed certificate of destruction and audit trail, relevant accreditations such as ISO 27001, and a secure chain of custody from collection to destruction. A provider who understands both the HMG IS5 heritage and current NCSC guidance, like Innovent, gives you genuine, documented assurance.
About Innovent Recycling
Innovent Recycling is a UK-based specialist in secure IT asset disposal and recycling. With ISO 27001 certification and Environment Agency T11 exemption, we provide comprehensive, compliant recycling solutions for businesses across the United Kingdom, including certified data destruction aligned to HMG Infosec Standard 5 and current NCSC guidance.
Our services include:
- Certified Data Destruction – HMG Infosec Standard 5 compliant wiping and shredding
- Computer & IT Recycling – Secure, compliant disposal of all IT assets
- WEEE Compliance Management – Full regulatory compliance and documentation
- Nationwide Collections – Free collection service available UK-wide