UnixTime

Research Note

ISO 27001 A.8.10 - Information Deletion

The organization should not keep information forever just because storage is cheap. When information is no longer needed for business, legal, regulatory, contractual, or evidenc...

On this page

Requirement

Requirement lens

This control asks whether information is deleted when it is no longer required.

“Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.”

Plain-language meaning

The organization should not keep information forever just because storage is cheap. When information is no longer needed for business, legal, regulatory, contractual, or evidence purposes, it should be deleted using a method suitable for the sensitivity of the information and the storage technology.

Information that no longer exists cannot be leaked, misused, searched in discovery, retained beyond privacy requirements, or become unnecessary risk.

Why this matters

Over-retention creates avoidable risk. Old emails, forgotten backups, abandoned databases, test exports, USB drives, archive folders, and unused cloud storage can contain personal data, payment data, intellectual property, credentials, or regulated records.

Deletion must also be controlled. Deleting too early can breach legal or contractual retention obligations. Deleting too weakly can leave recoverable data behind.

Implementation guidance

Implementer focus

Start from asset inventory and retention rules. Then define deletion methods by information type, sensitivity, storage technology, and required assurance.

1. Know what information is held

The information asset inventory should be the starting point. If the organization does not know what it holds, it cannot know what must be retained, protected, deleted, or destroyed.

2. Define retention and deletion rules

Retention rules should define:

Rule area Practical decision
Information type Personal data, payment data, records, logs, contracts, source files
Retention period How long the information is needed
Deletion trigger End of contract, account closure, expiry date, user request, system retirement
Deletion method Secure delete, cryptographic erasure, media destruction, specialist service
Evidence Deletion log, destruction certificate, system job record, review record

3. Match deletion method to risk and storage type

Deletion method depends on budget, certainty required, storage technology, and sensitivity. Examples include secure overwrite, cryptographic erasure, application-level deletion, cloud provider deletion process, or physical destruction of media.

Physical destruction can be reliable for known media that no longer needs to be reused. Cloud storage usually requires secure deletion or cryptographic approaches because physical destruction is not practical.

4. Protect items awaiting destruction

Information awaiting deletion or destruction should be protected at the same level as active information. Backup tapes, old drives, USB sticks, printouts, or retired devices should not sit unsecured while waiting for disposal.

5. Review deletion methods

Deletion methods should be reviewed as recovery techniques, attacker capability, storage technologies, and legal requirements change.

Audit guidance

Auditor focus

Test whether deletion follows retention rules, uses suitable methods, is evidenced, and protects items awaiting destruction.

Auditors should verify:

  • information asset register;
  • retention and deletion policy;
  • deletion/destruction procedure;
  • sample deletion records against retention rules;
  • deletion method suitability for sensitivity and media type;
  • destruction certificates or system deletion logs;
  • competence of people performing deletion;
  • protection of items awaiting destruction;
  • deletion controls for cloud systems, backups, removable media, and retired devices.

Auditors should sample assets randomly from the inventory and ask for evidence that records past retention were deleted or securely destroyed.

Evidence examples

Evidence quality

Strong evidence proves information is retained only as long as needed and deletion is controlled, verified, and recorded.

Evidence What it proves
Information asset register Information holdings are known
Retention schedule Deletion timing is defined
Deletion/destruction procedure Method is defined
Deletion logs Deletion occurred
Destruction certificates Physical media was destroyed
Cloud deletion records Cloud-stored data was removed
Backup retention configuration Old backup data expires
Training/competence records Staff know how to delete securely

Strong evidence

  • Asset inventory maps information to retention periods.
  • Deletion methods match sensitivity and storage type.
  • Destruction records match assets selected from the inventory.
  • Items awaiting destruction are stored securely.
  • Cloud and backup deletion are included.
  • People responsible for deletion can explain the process.

Weak evidence

  • Retention policy exists but no deletion records exist.
  • Users decide deletion informally.
  • Old media awaiting destruction is left unsecured.
  • Cloud deletion relies on assumptions without provider/process evidence.
  • Backups are kept indefinitely.
  • Deletion method is the same regardless of sensitivity.

Common failures

Implementation watchouts

A.8.10 fails when retention rules exist on paper but information is still kept indefinitely in systems, backups, archives, and unmanaged media.

Failure Why it matters
No asset inventory Organization cannot know what to delete
No retention trigger Information remains indefinitely
Weak deletion method Deleted data may be recoverable
Unsecured media awaiting destruction Old data remains exposed
Backups ignored Deleted information survives in backup sets
Cloud deletion not evidenced Deletion cannot be proven
Staff not trained Wrong deletion method is used

Exam traps

Exam focus

A.8.10 is about deleting information when no longer required, not merely disposing of equipment.

Trap Correct interpretation
Deletion means physical destruction only Secure deletion, cryptographic erasure, application deletion, and media destruction may all be relevant
Cloud data cannot be deleted Cloud deletion needs provider-supported process and evidence
Retention policy alone proves compliance Deletion records and method suitability are needed
Items awaiting destruction are low risk They must be protected like active information
Keeping everything is safer Over-retention creates privacy, legal, and breach impact risk

KB-ready summary

Mentor takeaway

A.8.10 reduces risk by deleting information that is no longer required. Strong implementation ties asset inventory, retention rules, secure deletion methods, destruction evidence, backup/cloud handling, and staff competence together.

  • Know what information is held.
  • Define retention periods and deletion triggers.
  • Use deletion methods suitable for sensitivity and storage type.
  • Protect items awaiting destruction.
  • Keep evidence of deletion or destruction.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Information deletion
  • Retention
  • Audit

Note Metadata

Aliases: A.8.10, Information Deletion, Secure Deletion

Source: 05 Annex A Technological Controls/A.8.10 Information Deletion.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence