The basics
ISO 27001 control A.8.10 Information deletion requires companies to delete data when no longer required, in order to avoid leakage of sensitive information and to enable compliance with privacy and other legislation. This is a completely new control in the 2022 revision of the standard.
Documentation
ISO 27001 control A.8.10 Information deletion can be documented as follows:
- smaller and mid-sized companies – through the IT Security Policy
- larger companies – through a separate Disposal and Destruction Policy
Such documents are not mandatory, but they are recommended.
Implementation
In order to comply with control A.8.10 Information deletion you might implement the following:
- Technology — the technology that enables information deletion could include software (e.g., wiping software that overwrites the space once occupied by a file with zeros and ones) and hardware (e.g., paper shredders). Companies of all sizes need to plan their information deletion according to regulatory or contractual requirements, and in line with their risk assessment.
- Organization/processes — you should set up a process for defining which data needs to be deleted and when, and define responsibilities and methods for data deletion. You can document those processes through a Disposal and Destruction Policy, an Acceptable Use Policy, or Security Procedures for the IT Department.
- People — make employees aware of why deleting sensitive information is necessary, and train them on how to do it properly.
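The following is an added example, not code from the original page or from any standard-mandated tool, that ties the Technology and Organization/processes points together: a retention rule decides which files are no longer required, and each such file is overwritten with zeros and then ones before it is unlinked. It assumes a plain local filesystem that honours in-place rewrites; on SSDs and on copy-on-write or journaling filesystems an overwrite is not guaranteed to reach the old blocks, so there a drive-level secure erase or encryption with key destruction is the appropriate method. The file names, retention period and sample contents are constructed for the demo.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import List, Optional

# Overwrite patterns: zeros, then ones (the two passes the page describes).
PATTERNS = (b"\x00", b"\xff")


def wipe_file(path: Path, chunk: int = 64 * 1024) -> int:
    """Overwrite the file in place with each pattern, sync to disk, then unlink.
    Returns the number of bytes overwritten per pass."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        for pattern in PATTERNS:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # make sure the pass reached the disk, not just the page cache
    path.unlink()
    return size


def retention_sweep(root: Path, retention_days: int, now: Optional[float] = None) -> List[str]:
    """Wipe regular files under root whose mtime is older than the retention period.
    Returns the names wiped, so each run can be logged as audit evidence."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    wiped = []
    for path in sorted(root.rglob("*")):
        # symlinks are skipped so a link pointing outside root is never followed and wiped
        if path.is_file() and not path.is_symlink() and path.stat().st_mtime < cutoff:
            wipe_file(path)
            wiped.append(path.name)
    return wiped


def demo() -> dict:
    """Constructed sample (assumption, not real data): one expired log, one current log, 365-day retention."""
    root = Path(tempfile.mkdtemp())
    (root / "expired.log").write_bytes(b"customer record " * 64)
    (root / "current.log").write_bytes(b"still needed")
    stale = time.time() - 400 * 86400
    os.utime(root / "expired.log", (stale, stale))  # backdate so it falls outside retention
    wiped = retention_sweep(root, retention_days=365)
    return {"wiped": wiped, "remaining": sorted(p.name for p in root.iterdir())}
```

The retention rule and the wipe are deliberately separate functions, because the decision of what to delete (a process question) and the method of deletion (a technology question) are owned by different parts of the policy.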
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.10 Information deletion: whether data that is no longer required is actually deleted, regardless of where it is stored.