At the heart of ISO27001 is the drive to prevent unnecessary exposure of sensitive or confidential information. This is to comply with legal, statutory, regulatory and contractual requirements, but also to protect the reputation of your business.
By holding data for longer than is necessary, you run the risk of data exposure or loss; that is why this new control is necessary.
What does the standard require?
The standard states that “Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.” (A8.10 – Information Deletion)
Why is this required?
Let’s start with the simple fact that this control is needed because it’s the law! Under the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) and UK Data Protection Act, you have an obligation to only hold data for as long as it is necessary to do so.
Holding on to more data than you need increases costs (for storage) and increases the impact on data subjects should a breach occur.
For example, we worked with a medical organisation who dealt with families looking for help in getting pregnant. This fertility organisation had been in operation for over thirty years, and when we met with them, they informed us that they had data going back to the start. They had over 120,000 records of people who they had worked with, but also of people who had simply made an enquiry.
This is a rich treasure trove of information for cyber criminals, and it also increases the risks associated with any data breach they might have. Imagine the issues that might ensue if someone accidentally emailed everyone in their database. Could this lead to distress for the data subjects? It would certainly be impactful on the reputation of the organisation.
It’s not just to manage the risks of a breach occurring that you should address the amount of data you process. By removing data that is no longer needed, you have a better understanding and visibility of those you should focus on.
For example, we worked with a client who had a marketing database of over 50,000 records, but when GDPR came along they thought they needed to delete everything. We explained that all they needed to do was clean up their data. We contacted all 50,000 people and asked them if they wanted to remain on the database. We explained the benefits of staying in touch with the client, but gave them the opportunity to ‘opt out’ of any future communication.
The result was a decrease in database numbers to just 32,000 records, but an increase in sales(!) by over 80% for that period. The client now has a database of people who are interested in their products and services, and has complied with ISO27001 too. A situation where everyone comes out ahead!
What the auditor is looking for
For this ISO27001 control, the auditor will look for a range of security measures, including:
Inventory of Assets (A5.9 - Inventory of information and other associated assets)
Data Retention scheme (A5.12 - Classification of information)
Information is labelled (A5.13 - Labelling of information)
Data Protection Policies (A5.34 - Privacy and protection of PII)
Records of Processing Activities (RoPA)
Processes for destruction of media (A7.14 - Secure disposal or re-use of equipment)
Awareness, training and education (A6.3 - Information security awareness, education and training).
Risk Register.
Management Review Meeting minutes and actions.
What do you need to do?
You can’t protect what you don’t understand, so you need to know how many records you currently own. Review your inventory of assets, or your RoPA, which will tell you where your data sits. If you haven’t created these, then this is where you need to start.
Speak to your business to understand where your data is and how many records you hold. Is your sales or marketing database 5,000 or 50,000 records? What about your HR and payroll database? Is it 5 employees, 50 or 500 employees?
We worked with a company that had an HR database containing 84 records. Not a problem until you realise they only employed 37 people!
If you have a Data Protection Officer (DPO) or a legal representative, they should be able to provide advice and guidance on any supporting legislation that regulates how long you can hold data for.
If you haven’t already developed a Classification Scheme, in which you identify what informational assets you have, then you should develop the scheme to include data retention periods. Again, this isn’t something you can typically do in isolation from the business. Note that GDPR’s principle around data retention states that data shall only be held as long as is necessary. It’s your business's responsibility to determine what ‘necessary’ means to you. Perhaps your insurer requires that you hold data for a pre-determined amount of time, or it might be a legal requirement that data is held for a set amount of time (e.g. for tax purposes).
The point is that you need to speak to your business and the asset owner to determine how long data should be held for. You will then add this to your classification scheme, or your RoPA, and follow up by implementing processes for the destruction of data.
Speak to your IT function about any automated tools available that will allow automatic deletion or archiving of data. For example, e-mail policies can be implemented that erase data older than a set period of time (e.g. 12 months). But first, seek agreement from the business that they are happy for this to happen. If they’re not, then ask why not. Why is the data necessary?
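The steps above (a classification scheme that carries retention periods, an inventory of where the records sit, and a deletion process that only runs once the business has agreed) can be joined together in a small planner. The following is an added example, not code from the article or from any tool it mentions: the classification labels, retention periods, record identifiers and the "today" date are all constructed placeholders, and the real periods must come from the asset owner, DPO, insurer or applicable law. It produces a reviewable plan (retain, delete, or review for records with no agreed retention period), a summary for the management review, and only removes records when an explicit approval flag is set.

```python
"""Retention-driven deletion planner (constructed example, not from the article).

Joins a classification scheme that carries retention periods (A5.12) with a
record inventory (A5.9 / RoPA) and produces a reviewable deletion plan. Nothing
is deleted until the business has approved the plan.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule keyed by classification label. The periods
# are placeholders; real values come from the business, DPO, insurer or law.
RETENTION_DAYS = {
    "marketing-contact": 2 * 365,  # since the last interaction
    "enquiry": 365,                # since the enquiry was made
    "hr-record": 6 * 365,          # since employment ended
}

TODAY = date(2024, 6, 1)  # fixed "today" so the example is reproducible


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    last_activity: date
    legal_hold: bool = False  # e.g. subject of an ongoing dispute or claim


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str  # "retain", "delete" or "review"
    reason: str


def plan_deletion(records, today=TODAY, schedule=RETENTION_DAYS):
    """Classify every record as retain / delete / review; never touches data."""
    decisions = []
    for rec in records:
        if rec.legal_hold:
            decisions.append(Decision(rec.record_id, "retain", "legal hold"))
            continue
        period = schedule.get(rec.classification)
        if period is None:
            # No retention period agreed for this label: a gap in the scheme,
            # so escalate to the asset owner rather than guess.
            decisions.append(Decision(rec.record_id, "review",
                                      f"no retention period for {rec.classification!r}"))
            continue
        expiry = rec.last_activity + timedelta(days=period)
        if today >= expiry:
            decisions.append(Decision(rec.record_id, "delete",
                                      f"retention expired {expiry.isoformat()}"))
        else:
            decisions.append(Decision(rec.record_id, "retain",
                                      f"retention expires {expiry.isoformat()}"))
    return decisions


def summarise(decisions):
    """Counts per action, suitable for a management review or risk register entry."""
    return dict(Counter(d.action for d in decisions))


def apply_plan(decisions, store, approved=False):
    """Remove 'delete' records from the store only when the business has approved.

    Returns the ids that were (or, in a dry run, would be) deleted.
    """
    to_delete = [d.record_id for d in decisions if d.action == "delete"]
    if approved:
        for rid in to_delete:
            store.pop(rid, None)
    return to_delete


# Constructed sample inventory: ids, labels and dates are invented.
SAMPLE_RECORDS = [
    Record("C-001", "marketing-contact", date(2021, 1, 15)),
    Record("C-002", "marketing-contact", date(2024, 3, 1)),
    Record("E-001", "enquiry", date(2022, 11, 20)),
    Record("H-001", "hr-record", date(2010, 1, 1), legal_hold=True),
    Record("X-001", "unknown-export", date(2019, 5, 5)),
]


if __name__ == "__main__":
    plan = plan_deletion(SAMPLE_RECORDS)
    for d in plan:
        print(f"{d.record_id:6} {d.action:7} {d.reason}")
    print("summary:", summarise(plan))
    store = {r.record_id: r for r in SAMPLE_RECORDS}
    print("dry run would delete:", apply_plan(plan, store, approved=False))
    print("records still held:", len(store))
```

Run it as a dry run first and take the printed plan to the asset owner; the "review" entries are exactly the conversations the text describes, because they show where the classification scheme has no agreed retention period yet. Only once the business has signed off does the same plan get applied with approval set.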
Difficulty rating
We rate this control 2 out of 5 for difficulty. There are technical solutions which will help you identify data in your systems, but ultimately it’s your conversations with your business that determine when data is no longer required.
Q&A
Why doesn’t the GDPR or CCPA tell us how long we can hold data?
For GDPR, the clue is in the title: it’s a General Data Protection Regulation and therefore relates to every sector, from health and finance to commerce and education. It would be impossible for it to stipulate what ‘necessary’ means and how long you need to hold data.
There are other laws which determine how long data should be held for, and these will help you determine your approach to information deletion.
More questions?
You’ve probably noticed by now that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”