Memory cues
| Control | Cue |
|---|---|
| A.8.10 Information Deletion | Delete information when no longer required |
| A.8.11 Data Masking | Hide, tokenize, pseudonymize, or anonymize data when full visibility is not needed |
Likely exam traps
- A.8.10 is not only physical media destruction.
- Retention policy alone is weak without deletion evidence.
- Items awaiting destruction still need protection.
- Masking is not the same as anonymisation.
- Pseudonymised data can be re-linked using a lookup table.
- True anonymisation is hard because combinations of fields may re-identify people.
Quick comparison
| Question | A.8.10 | A.8.11 |
|---|---|---|
| Main concern | Removing information no longer required | Limiting visibility of sensitive data still in use |
| Evidence | Retention rules, deletion logs, destruction certificates, cloud/backup deletion records | Masking standard, decision register, role access, re-combination logs, re-identification assessment |
| Common failure | Keeping data indefinitely in backups/cloud/archive | Treating pseudonymised data as anonymous |
| Audit method | Sample asset retention against deletion evidence | Demonstrate masking and test re-identification risk |
Practical mentor takeaway
Exam lens
A.8.10 reduces risk by removing data that is no longer needed. A.8.11 reduces risk by hiding or transforming data that still needs to be used.
- Iso27001
- Exam
- Technological controls
- Privacy
Note Metadata
Aliases: A.8.10 A.8.11 exam cues
Source: 09-Exam-Preparation/EXAM-031-Deletion-and-Data-Masking.md