This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.10 Information deletion.
ISO 27001: 2022 Control Description
Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
Purpose
To prevent unnecessary exposure of sensitive information and ensure compliance with legal, statutory, regulatory, and contractual requirements for information deletion.
Guidance on implementation
Sensitive information should only be retained for as long as necessary to reduce the risk of unauthorised disclosure. When deleting information from systems, devices, and storage media, the following steps should be followed:
Key Considerations for Information Deletion
- Choosing a Deletion Method:
- Select an appropriate method for deleting information, such as electronic overwriting or cryptographic erasure, based on business needs and legal requirements.
- Recording Deletion:
- Keep records of all deletion activities as evidence, ensuring compliance and accountability.
- Using Third-Party Services:
- If third-party service providers handle information deletion, obtain evidence from them confirming the secure deletion of your information.
- Including Deletion Requirements in Third-Party Agreements:
- For information stored by third parties on behalf of your organisation, ensure that agreements include clear requirements for information deletion, both during and after the termination of services.
Methods for Secure Information Deletion
In line with your organisation’s data retention policy and relevant laws, sensitive information should be securely deleted once it is no longer needed:
- Automated Deletion:
- Configure systems to automatically delete information after a specified period, in line with your data retention policy or upon a data subject’s request.
- Removing Obsolete Data:
- Regularly delete outdated versions, copies, and temporary files from all locations to prevent unnecessary data retention.
- Using Secure Deletion Software:
- Employ approved and secure deletion software to permanently erase information, ensuring that it cannot be recovered using specialist tools.
- Certified Disposal Services:
- Use certified providers for secure disposal of physical storage media, ensuring that all information is completely destroyed.
- Appropriate Disposal Methods:
- Choose the correct disposal method for each type of storage media (e.g. degaussing for hard drives and magnetic media).
- Cloud Services:
- Verify that the deletion methods provided by your cloud service provider meet your security standards. Use the provider’s deletion tools or request deletion if necessary. Automate these processes according to your data policies and maintain logs to verify successful deletions.
Preventing Unintentional Exposure
To prevent accidental exposure of sensitive information:
- Before Returning Equipment:
- Remove and securely erase any auxiliary storage (e.g. hard drives) and memory from equipment before it is returned to vendors or leaves your premises.
- Device-Specific Deletion:
- For devices like smartphones, where secure deletion may only be possible through destruction or factory reset, choose the appropriate method based on the sensitivity of the data.
- Physical Destruction:
- Apply control measures to physically destroy storage devices while simultaneously ensuring that the data they contain is securely deleted.