Requirement
Requirement lens
This control asks whether information is deleted when it is no longer required.
“Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.”
Plain-language meaning
The organization should not keep information forever just because storage is cheap. When information is no longer needed for business, legal, regulatory, contractual, or evidence purposes, it should be deleted using a method suitable for the sensitivity of the information and the storage technology.
Information that no longer exists cannot be leaked, misused, searched in discovery, retained beyond privacy requirements, or become unnecessary risk.
Why this matters
Over-retention creates avoidable risk. Old emails, forgotten backups, abandoned databases, test exports, USB drives, archive folders, and unused cloud storage can contain personal data, payment data, intellectual property, credentials, or regulated records.
Deletion must also be controlled. Deleting too early can breach legal or contractual retention obligations. Deleting too weakly can leave recoverable data behind.
Implementation guidance
Implementer focus
Start from asset inventory and retention rules. Then define deletion methods by information type, sensitivity, storage technology, and required assurance.
1. Know what information is held
The information asset inventory should be the starting point. If the organization does not know what it holds, it cannot know what must be retained, protected, deleted, or destroyed.
2. Define retention and deletion rules
Retention rules should define:
| Rule area | Practical decision |
|---|---|
| Information type | Personal data, payment data, records, logs, contracts, source files |
| Retention period | How long the information is needed |
| Deletion trigger | End of contract, account closure, expiry date, user request, system retirement |
| Deletion method | Secure delete, cryptographic erasure, media destruction, specialist service |
| Evidence | Deletion log, destruction certificate, system job record, review record |
3. Match deletion method to risk and storage type
Deletion method depends on budget, certainty required, storage technology, and sensitivity. Examples include secure overwrite, cryptographic erasure, application-level deletion, cloud provider deletion process, or physical destruction of media.
Physical destruction can be reliable for known media that no longer needs to be reused. Cloud storage usually requires secure deletion or cryptographic approaches because physical destruction is not practical.
4. Protect items awaiting destruction
Information awaiting deletion or destruction should be protected at the same level as active information. Backup tapes, old drives, USB sticks, printouts, or retired devices should not sit unsecured while waiting for disposal.
5. Review deletion methods
Deletion methods should be reviewed as recovery techniques, attacker capability, storage technologies, and legal requirements change.
Audit guidance
Auditor focus
Test whether deletion follows retention rules, uses suitable methods, is evidenced, and protects items awaiting destruction.
Auditors should verify:
- information asset register;
- retention and deletion policy;
- deletion/destruction procedure;
- sample deletion records against retention rules;
- deletion method suitability for sensitivity and media type;
- destruction certificates or system deletion logs;
- competence of people performing deletion;
- protection of items awaiting destruction;
- deletion controls for cloud systems, backups, removable media, and retired devices.
Auditors should sample assets randomly from the inventory and ask for evidence that records past retention were deleted or securely destroyed.
Evidence examples
Evidence quality
Strong evidence proves information is retained only as long as needed and deletion is controlled, verified, and recorded.
| Evidence | What it proves |
|---|---|
| Information asset register | Information holdings are known |
| Retention schedule | Deletion timing is defined |
| Deletion/destruction procedure | Method is defined |
| Deletion logs | Deletion occurred |
| Destruction certificates | Physical media was destroyed |
| Cloud deletion records | Cloud-stored data was removed |
| Backup retention configuration | Old backup data expires |
| Training/competence records | Staff know how to delete securely |
Strong evidence
- Asset inventory maps information to retention periods.
- Deletion methods match sensitivity and storage type.
- Destruction records match assets selected from the inventory.
- Items awaiting destruction are stored securely.
- Cloud and backup deletion are included.
- People responsible for deletion can explain the process.
Weak evidence
- Retention policy exists but no deletion records exist.
- Users decide deletion informally.
- Old media awaiting destruction is left unsecured.
- Cloud deletion relies on assumptions without provider/process evidence.
- Backups are kept indefinitely.
- Deletion method is the same regardless of sensitivity.
Common failures
Implementation watchouts
A.8.10 fails when retention rules exist on paper but information is still kept indefinitely in systems, backups, archives, and unmanaged media.
| Failure | Why it matters |
|---|---|
| No asset inventory | Organization cannot know what to delete |
| No retention trigger | Information remains indefinitely |
| Weak deletion method | Deleted data may be recoverable |
| Unsecured media awaiting destruction | Old data remains exposed |
| Backups ignored | Deleted information survives in backup sets |
| Cloud deletion not evidenced | Deletion cannot be proven |
| Staff not trained | Wrong deletion method is used |
Exam traps
Exam focus
A.8.10 is about deleting information when no longer required, not merely disposing of equipment.
| Trap | Correct interpretation |
|---|---|
| Deletion means physical destruction only | Secure deletion, cryptographic erasure, application deletion, and media destruction may all be relevant |
| Cloud data cannot be deleted | Cloud deletion needs provider-supported process and evidence |
| Retention policy alone proves compliance | Deletion records and method suitability are needed |
| Items awaiting destruction are low risk | They must be protected like active information |
| Keeping everything is safer | Over-retention creates privacy, legal, and breach impact risk |
Related controls and concepts
- A.8 Technological Controls MOC
- A.5.33 Protection of Records
- A.5.34 Privacy and Protection of PII
- A.7.10 Storage Media
- A.7.14 Secure Disposal or Re-Use of Equipment
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- Information and Associated Asset Inventory
- Records Retention and Protection Register
- Equipment Disposal and Reuse Register
- Information Deletion and Destruction Register
- Information Retention and Deletion Rules
- Cloud and Backup Deletion Checklist
- A.8.10 Audit Evidence Pack
- A.8.10 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.10 reduces risk by deleting information that is no longer required. Strong implementation ties asset inventory, retention rules, secure deletion methods, destruction evidence, backup/cloud handling, and staff competence together.
- Know what information is held.
- Define retention periods and deletion triggers.
- Use deletion methods suitable for sensitivity and storage type.
- Protect items awaiting destruction.
- Keep evidence of deletion or destruction.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Information deletion
- Retention
- Audit
Note Metadata
Aliases: A.8.10, Information Deletion, Secure Deletion
Source: 05 Annex A Technological Controls/A.8.10 Information Deletion.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.33 - Protection of Records
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- A.8.10 Audit Evidence Pack
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.13 - Information Backup
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.33 - Test Information
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.10 Information Deletion
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-031 - Deletion and Data Masking
- ISO 27002 Annex A Control Interpretation Map
- A.8.10 Audit Checklist
- Cloud and Backup Deletion Checklist
- Equipment Disposal and Reuse Register
- Information and Associated Asset Inventory
- Information Deletion and Destruction Register
- Information Retention and Deletion Rules
- Records Retention and Protection Register
- Test Data Protection Checklist
- Test Data Security Approval Record
- Annex A Controls MOC