What the auditor wants to verify
Audit objective
Verify that information is deleted when no longer required, using a method suitable for the sensitivity, storage type, and retention requirement.
Evidence to request
| Evidence | Purpose |
|---|---|
| Information asset register | Shows information holdings are known |
| Retention and deletion rules | Shows when information should be deleted |
| Deletion/destruction procedure | Shows how deletion is performed |
| Deletion/destruction logs | Shows deletion occurred |
| Destruction certificates | Shows physical media destruction |
| Cloud deletion records | Shows cloud data deletion |
| Backup retention settings | Shows expired backup data is removed |
| Training/competence records | Shows staff know deletion requirements |
Strong evidence
- Deletion records match retention rules.
- Deletion method matches sensitivity and storage type.
- Items awaiting destruction are secured.
- Cloud and backup data are included.
- Destruction can be traced to selected assets.
- Staff can explain how to delete or destroy information correctly.
Weak evidence
- Retention policy exists but no deletion evidence exists.
- Deletion is left to individual users.
- Old media awaiting destruction is unsecured.
- Backups are kept indefinitely.
- Cloud deletion is assumed but not evidenced.
Sample interview questions
- How do you know when information is no longer required?
- Which deletion method applies to this information type?
- How is deletion evidenced?
- How are cloud and backup copies handled?
- How are items awaiting destruction protected?
Common nonconformities
- No retention-to-deletion mapping.
- No deletion/destruction records.
- Destruction method not suitable for sensitivity.
- Old media stored insecurely before destruction.
- Backup and cloud deletion not addressed.
Related notes
- Audit
- Evidence
- A8 10
- Iso27001
Note Metadata
Aliases: A.8.10 Evidence
Source: 04 Audit Evidence Packs/A.8.10 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.10 - Information Deletion
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.10 Information Deletion
- A.8.10 Audit Checklist
- Cloud and Backup Deletion Checklist
- Information Deletion and Destruction Register
- Information Retention and Deletion Rules
- Audit Evidence Index