UnixTime

Research Note

EXAM-031 - Deletion and Data Masking

- A.8.10 is not only physical media destruction. - Retention policy alone is weak without deletion evidence. - Items awaiting destruction still need protection. - Masking is not...

On this page

Memory cues

Control Cue
A.8.10 Information Deletion Delete information when no longer required
A.8.11 Data Masking Hide, tokenize, pseudonymize, or anonymize data when full visibility is not needed

Likely exam traps

  • A.8.10 is not only physical media destruction.
  • Retention policy alone is weak without deletion evidence.
  • Items awaiting destruction still need protection.
  • Masking is not the same as anonymisation.
  • Pseudonymised data can be re-linked using a lookup table.
  • True anonymisation is hard because combinations of fields may re-identify people.

Quick comparison

Question A.8.10 A.8.11
Main concern Removing information no longer required Limiting visibility of sensitive data still in use
Evidence Retention rules, deletion logs, destruction certificates, cloud/backup deletion records Masking standard, decision register, role access, re-combination logs, re-identification assessment
Common failure Keeping data indefinitely in backups/cloud/archive Treating pseudonymised data as anonymous
Audit method Sample asset retention against deletion evidence Demonstrate masking and test re-identification risk

Practical mentor takeaway

Exam lens

A.8.10 reduces risk by removing data that is no longer needed. A.8.11 reduces risk by hiding or transforming data that still needs to be used.

  • Iso27001
  • Exam
  • Technological controls
  • Privacy

Note Metadata

Aliases: A.8.10 A.8.11 exam cues

Source: 09-Exam-Preparation/EXAM-031-Deletion-and-Data-Masking.md