I start security audit with paper shredders, what about you?

Where do you usually start in your security audit?

– Perimeter fence?

– Guard house?

– Guards’ post orders?

– Local ERP (Emergency Response Plan)?

There is no wrong answer.

You may follow different patterns or theories and there is no security standard that says you must start with which item.

I don’t know about you but I always start my security audit with a tour of the premise, be it an office or production site.

In my tour, I always stop by the pantry room or where the office printers are placed, and look through the paper scattered around the printers and thrown in the trash.

Throughout the years, my printer visits have never disappointed me because I almost always found documents containing information of great value or sensitivity to the company there, some lying innocently beside the printers, some scrambled and discarded in the dust bins.

What could be on those papers?

A lot — contact list, vendor list, vendor contract, sales agreement, business memorandum, emails between the sales and customers, lease agreement…

You name it.

Believe it or not, I once found an intact piece of paper on which there was the detailed itenerary of the visiting CEO of the company including his email address, cell phone number, name of the hotel he will stay in, venue of dinners, and all the big names he was to meet…

I wish I were a commercial spy — the espinage job would be so easy. 

That’s why I always start my security audit tour with the printers.

What is missing there is a simple device that not so many companies think necessary –paper shredders.

There is a theory:

If you want to tear up a piece of paper by hand, no matter how hard you try, or how strong you or your hands are, no matter how big the paper is, you cannot tear it up after 8 folds (one tearing after one folding).

Don’t try it now though. Let’s back up a little.


Tearing up a piece of paper by hand is never a good idea, if you seriously want to destroy what’s written on it.

There was anAmerican inventor named Abbot Augustus Low who knew better than that.

In 1909, Mr. Low filed a patent application for his invention of a
“waste-paper receptacle”– That was the prototype paper shredder in human history.

Mr. Low’s invention was even granted the U.S. patent (number 929,960) on August 31, 1909, but was never manufactured.

It was not until 1935 when a German
toolmaker named Adolf Ehinger who invented a device in an eager to destroy and make sure his anti-Nazi
documents unreadable if seized by the authorities.

He was successful and later registered a company, EBA Maschinenfabrik, to manufacture the first
cross-cut paper shredders in 1959 (EBA Krug & Priester GmbH & Co. in Balingen

Over time, Ehinger’s shredder, initially used by governments and banks only, got
popular for personal use and widely accepted in the business world after the World War II.


There are two standards for paper shredders, namely, DIN 32757andDIN
66399, DIN being the acronym of the Deutsches Institut für Normung eV
or German Institute for Standardization.

You shouldn’t be surprised because the Germans are good at making standards — think about the Purity Law they have for making beers.

DIN 32757

DIN 32757 is the European standard for paper shredder security. It’s broken up into six different security levels.

Security Level 1:
(10.5mm Strip Cut)
(11.8mm Strip Cut)
(10.5mm x 40-80mm Cross Cut)

Security Level 2:
(3.9mm Strip Cut)
(5.8mm Strip Cut)
(7.5mm x 40-80mm)

Security Level 3:
(1.9mm Strip Cut)
(3.9mm x 30-50mm Cross Cut)

Security Level 4:
(1.9mm x 15mm Cross Cut)

Security Level 5:
(0.78mm x 11mm Cross Cut)

Security Level 6:
(1mm x 4-5mm)

*above picture from https://www.abcoffice.com/office-equipment-news/tag/din-32757/

DIN 66399

DIN66399, introduced by the UN in 2012, overrides the previous DIN32757, reclassifying the old security levels (6 levels) to 7 new security levels ranging from P1 to P7.

The new standard DIN 66399 features 4 shredding patters and 7 levels of security.

  • Strip-cut– Low level of security,– p1, p2
  • Cross-cut– Medium/higher level of security– P3/P4
  • Micro-cut– High level of security-P5/P6

  • Hight-security cut– highest level of security – P7

The 7 defined security levels can be classified into 3 protection classes:

Protection class 1

1, 2 & 3

Protection class 2

3, 4 & 5

Protection class 3

5, 6 & 7

So far we’ve been calling the device paper shredder, but strictly speaking, it should not be called paper shredder as it cuts not only paper.

The DIN 66399 standards also specifies 6 data media categories:

P – Information in original size (e.g. paper, films, printed forms)
F – Information in reduced form (e.g. microfilms, transparencies)
O – Optical data media (e.g. CDs, DVDs, Blu-ray discs)
T – Magnetic data media (e.g. floppy disks, cards with magnetic strips)
H – Hard drives with magnetic data media (e.g. from computers and laptops)
E – Electronic data media (e.g. flash drives, digital camera memory cards,bank cards)

*above picture from https://www.the-shredder-warehouse.com/security-level

Below I have made a simple chart to compare the two security standards.

Old DIN 32757 Security Level

Shred/particle Size and number

New DIN 66399 Security Level

Stripe/particle size

of strips/particles after shredding (A4 paper)


Level 1

12 mm strip cut

40 parts /sheet

P 1

Strip size: < 2,000 mm²

Strip width: < 12 mm


general internal documents; home

Level 2

6 mm

100 stripes/sheet

P 2

Strip size: < 800 mm²

Strip width: < 6 mm


Normal internal business documents

Level 3

2mm strip cut, 3.9 x 80mm, 3.9 x
40mm, 3.9 x 30mm, 3 x 35mm, 2 x 28mm cross cut

P 3

·  Particle size: < 320

·  Particle width: < 2 mm


confidential documents; personal
data, etc.



P 4

·  Particle size: < 160

·  Particle width: < 6 mm


highly sensitive documents subject
to high protection requirements.

Level 4

2 x 15mm particle

P 5

·  Particle size: < 30 mm²

·  Particle width: < 2 mm


secret documents; highly
restricted documents

Level 5

0.8 x 12mm cross cut particles

P 6

·  Particle size: < 10 mm²

·  Particle width: < 1 mm


extremely high demands of
security; military or government

Level 6

0.8 x 4mm cross cut particles

P 7

·  Particle size: < 5 mm²

·  Particle width: < 1 mm


confidential data with the highest security precautions

*Note: A4size = 210mm x 297mm.

8.5″ x 11″=210mm x 279.4mm.
A4 is slightly different from 8.5×11 letter paper (common in North America).

What security level do you need?

If you have seen the Oscar-winning movie “Argo”, you may remember what the Iranians were able to do to the classified documents shredded hurriedly in the American embassy – they hired people to reconstruct the stripes…

*above pictures from http://lewisperdue.com/archives/4052

Stripe cut is not good enough if the information is of high sensitivity.

How sensitive would be classified as “high”?

It depends on you and your internal definitions of sensitivity.

  • level 1 for general data that needs to be made illegible
  • level 2 for internal data that needs to be made illegible
  • level 3 for confidential data
  • level 4 for highly confidential data
  • level 5 for secret data
  • level 6 for highly secret data
  • level 7 for top secret data

Generally, in my experience and understanding, protection class 2 (P3, P4, P5) would be sufficient for most normal business documents, although P3 still produces fine stripes instead of cross-cut particles.

If your company would like to set a high standard to play safe, I recommend P4 or P5.




P1-3 are stripe cuts, easy to be reconstructed, if the perpetrator is serious.

In a nutshell, there is not a set rule that tells you which level of security you need to adopt for your shredders.

A reasonable starting point would be a thorough SVA (security vulnerability assessment) at your facility.

Two gold rules for your decision based on the risks:

1. Do not overreact

2. Do not underestimate

Your comments are welcome.

*This article is written by Flecher Feng, CPP, CFE, PSP.









电子邮件地址不会被公开。 必填项已用*标注