ITSG-06 Canadian Government Media Sanitization
If your organization handles Government of Canada information, you have likely encountered references to ITSG-06 — the IT security guidance document that defines how storage media must be sanitized before it is repurposed, transferred, or destroyed. Despite being the authoritative Canadian standard, ITSG-06 is frequently misunderstood or confused with American frameworks.
This guide explains what ITSG-06 is, how its three sanitization levels work in practice, and how to choose equipment that meets each level’s requirements.
What Is ITSG-06?
ITSG-06 is the IT Security Guidance document titled Clearing and Declassifying Electronic Data Storage Devices, published by the Canadian Centre for Cyber Security (CCCS). It is the primary Canadian government standard for the sanitization of electronic storage media, and the Canadian functional equivalent of NIST Special Publication 800-88.
The Three ITSG-06 Sanitization Levels
-
-
Level 1: Clear
Clearing removes data so it cannot be recovered using standard operating system functions or common data recovery utilities. Used for storage media being repurposed within the same security domain. Achieved via software overwriting using approved tools that write patterns across all addressable storage locations.
U-Reach equipment for Clear: Any U-Reach HDD, SSD, or NVMe eraser running a DoD 5220.22-M or equivalent multi-pass overwrite meets the Clear level requirement.
-
Level 2: Purge
Purging removes data so it cannot be recovered even using laboratory forensic techniques. Required for media leaving its current security domain, being prepared for surplus disposal, or for Protected B and above data.
For magnetic HDDs: multi-pass overwrite or degaussing with a certified degausser.
For SSDs and flash media: cryptographic erasure or manufacturer-issued Secure Erase via firmware — software overwriting alone is generally NOT sufficient for SSDs due to wear-levelling.
U-Reach equipment for Purge: U-Reach erasure systems support Secure Erase (ATA and NVMe) and cryptographic erasure for qualifying drives.
-
Level 3: Destroy
Physical destruction rendering the media completely non-functional. Required for end-of-life media containing Secret or Top Secret information, or media that has failed and cannot be sanitized by software or firmware methods.
U-Reach equipment for Destroy: U-Reach hard drive destroyers physically destroy HDDs and SSDs, satisfying the Destroy level requirement.
-
Level 1: Clear
ITSG-06 vs. NIST 800-88 Comparison
| Aspect | ITSG-06 (Canadian) | NIST 800-88 (US) |
|---|---|---|
| Issuing authority | Canadian Centre for Cyber Security (CCCS) | US National Institute of Standards & Technology |
| Primary audience | Canadian government departures | US federal agencies; widely adopted commercially |
| Sanitization levels | Clear, Purge, Destroy | Clear, Purge, Destroy |
| SSD/NVMe guidance | Software overwrite insufficient; requires Secure Erase or physical destruction | Recommends Secure Erase or cryptographic erasure over software overwrite |
| Degaussing | Recognized for magnetic HDD Purge level | Recognized for magnetic media only; ineffective on SSDs |
| Documentation | Sanitization certificate required with device details | Certificate of sanitization recommended |
Building an ITSG-06 Compliant Sanitization Program
-
- Media inventory: maintain a record of all storage devices, classification level, and intended disposition
- Sanitization procedure by media type: define which method applies to each media type and classification combination
- Approved equipment list: identify tools meeting ITSG-06 technical requirements
- Per-device documentation: generate a sanitization certificate for every device processed
- Auditable chain of custody: document custody at each step from removal from service to final disposition
U-Reach erasure systems with iSecuLog tamper-free audit logging automate per-device documentation — generating signed sanitization reports that satisfy government documentation requirements. For private-sector organizations, PIPEDA imposes separate but complementary data destruction obligations.
For authoritative ITSG-06 documentation, refer directly to the Canadian Centre for Cyber Security at cyber.gc.ca.