ISO 27001 Information Deletion

The focus for this ISO 27001 Annex A control is information deletion. As one of the ISO 27001 controls, this is about deleting data properly, reducing the exposure of sensitive information and complying with laws, regulations and contractual requirements.

You will learn what ISO 27001 Annex A 8.10 is, how to simply and easily implement ISO 27001 Information Deletion for ISO 27001 certification, and I will show you some common gotchas so you can avoid them.

What is ISO 27001 Annex A 8.10 Information Deletion?

ISO 27001 Annex A 8.10 Information Deletion is an ISO 27001 control that looks to make sure you are deleting data when it is no longer required, and doing so in a way that it cannot be recovered.

ISO 27001 Annex A 8.10 Purpose

The purpose of Annex A 8.10 Information Deletion is to prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.

ISO 27001 Annex A 8.10 Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.10 as:
Information stored in information systems, devices or in any other storage media should be deleted when no longer required. – ISO 27001:2022 Annex A 8.10 Information Deletion


How to implement ISO 27001 Annex A 8.10 Information Deletion

General Guidance

Sensitive and confidential data should not be kept for longer than is necessary. There are many reasons for this, including specific data protection laws like the GDPR relating to personal data, but in more general terms this is best practice. You will find that not only laws specify this, but also regulations and your client contracts.

Information Classification and Handling Policy

Your starting point is to define your information classification scheme and set out your Information Classification and Handling Policy. For a fast track you can download the ISO 27001 Information Classification and Handling Policy Template, which sets out a common information classification scheme and detailed handling policy points. It includes what we do for the deletion of information at each level of the classification scheme. The ISO 27001 Information Classification and Handling Policy Beginner’s Guide is a great resource to learn more about this policy.

Select deletion methods

Whilst the template includes the deletion methods that are common and best practice, if you are writing your own policy you should set out what the deletion methods are, taking into account the data classification and the constraints of law, contracts and regulations.

You can look to automate or implement system controls that securely destroy information based on a process step or a trigger.

Things that may be overlooked are the deletion of temporary files, copies of files or versions of files that are no longer needed.

For software, consider professional deletion software to permanently delete information. This is more targeted at sensitive and confidential data, with software that meets government and military standards of overwriting and deletion. Just putting it in the ‘trash can’ or hitting the default operating system delete key is often not sufficient.

There are techniques to consider such as magnetic erasure and degaussing, but on the whole the best advice is to use the services of a professional third party service provider, under contract, and to keep records and receipts.

Records of Deletion

When you delete data, and especially if this is in bulk or part of a deletion process, you should maintain records of the deletion. Examples include records of destruction or deletion from third parties if you rely on them to conduct this exercise. Other examples include change control records as part of the change management process, incident or ticket related records, or even system logs.
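The guidance above asks for two things that are easy to describe and easy to get wrong in practice: deletion that runs from a defined trigger (here, a retention period tied to the classification level) rather than from someone remembering to do it, and a record of every deletion that an auditor can check later. The script below is an added illustration of both and is not code from this page, the template toolkit or the ISO standard. The classification names and retention periods in RETENTION_DAYS are constructed placeholders standing in for whatever your own Information Classification and Handling Policy defines, and the sample files it creates in a temporary directory are constructed inputs so it runs offline.

```python
"""Retention-driven deletion job that writes an audit record per deletion.

Added example (not from the page or the ISO standard). The classification
scheme, retention periods and sample files are constructed for illustration.
"""
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Hypothetical classification scheme -> retention period in days. Constructed
# values; the real ones come from your Information Classification and Handling Policy.
RETENTION_DAYS = {
    "public": 3650,
    "internal": 1095,
    "confidential": 365,
    "restricted": 90,
}


def is_due_for_deletion(classification, created, now):
    """True when the item has exceeded the retention period for its classification."""
    return now - created >= timedelta(days=RETENTION_DAYS[classification])


def secure_delete(path, passes=1):
    """Overwrite the file's bytes with random data, sync to disk, then unlink it.

    Overwriting in place addresses the 'OS delete only unlinks' problem for magnetic
    media. On SSDs and copy-on-write or journaling filesystems the old blocks may be
    remapped rather than rewritten, so for the highest classifications the policy
    should pair this with device-level sanitisation or a specialist provider.
    """
    size = path.stat().st_size
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 1 << 16)
                fh.write(secrets.token_bytes(chunk))
                remaining -= chunk
            os.fsync(fh.fileno())
    path.unlink()


def run_deletion_job(inventory, now, record_path):
    """Apply the retention schedule to an inventory and append one JSON record per deletion.

    inventory: list of dicts with keys path, classification, created (aware datetime).
    Returns the list of paths that were deleted.
    """
    deleted = []
    with open(record_path, "a", encoding="utf-8") as log:
        for item in inventory:
            if not is_due_for_deletion(item["classification"], item["created"], now):
                continue
            path = Path(item["path"])
            # Hash the content before destroying it so the record identifies exactly
            # what was deleted without retaining the sensitive content itself.
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            secure_delete(path)
            record = {
                "timestamp": now.isoformat(),
                "path": str(path),
                "classification": item["classification"],
                "sha256": digest,
                "method": "overwrite+unlink",
                "trigger": "retention-expired",
            }
            log.write(json.dumps(record) + "\n")
            deleted.append(str(path))
    return deleted


def demo():
    """Build a constructed inventory in a temp dir and run the job.

    Returns (deleted file names, surviving file names, parsed audit records).
    """
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    base = Path(tempfile.mkdtemp())
    # Constructed sample files: two past retention, two still within it.
    samples = {
        "old_restricted.txt": ("restricted", now - timedelta(days=120)),
        "fresh_restricted.txt": ("restricted", now - timedelta(days=10)),
        "old_confidential.txt": ("confidential", now - timedelta(days=400)),
        "fresh_internal.txt": ("internal", now - timedelta(days=30)),
    }
    inventory = []
    for name, (classification, created) in samples.items():
        p = base / name
        p.write_text(f"constructed sample content for {name}\n")
        inventory.append({"path": str(p), "classification": classification, "created": created})
    record_path = base / "deletion-records.jsonl"
    deleted = run_deletion_job(inventory, now, record_path)
    surviving = sorted(p.name for p in base.iterdir() if p.suffix == ".txt")
    records = [json.loads(line) for line in record_path.read_text().splitlines()]
    return sorted(Path(d).name for d in deleted), surviving, records


if __name__ == "__main__":
    print(demo())
```

The JSON-lines record file is the evidence an auditor asks for under "Records of Deletion": what was deleted, under which classification, by which method, and when. Feed it to the same log collection you use for other change and incident records rather than leaving it on the host that ran the job.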

Transportation of devices

The standard is quite in depth in its coverage here, and whilst not appropriate for all organisations and situations, you can consider removing storage devices before main devices are moved or sent back to vendors. Performing a factory reset is also good practice.

ISO 27001 Templates

ISO 27001 templates have the advantage of being a massive boost that can save time and money, so before we get into the implementation guide we consider these pre-written templates that will skyrocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.

How to pass an audit of ISO 27001 Annex A 8.10 Information Deletion

To pass an audit of ISO 27001 Annex A 8.10 Information Deletion you are going to make sure that you have followed the steps below on how to comply.

How to comply with ISO 27001 Annex A 8.10 Information Deletion

To comply with ISO 27001 Annex A 8.10 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:

Time needed: 2 hours

  1. Define and implement your information classification scheme

    Implement an appropriate classification scheme for information based on risk and business need.

  2. Implement and communicate your Information Classification and Handling Policy

    Implement the Information Classification and Handling Policy that sets out the different levels of classification that you have and the deletion requirements based on that classification.

  3. Define and implement your information deletion methods and processes

    Document your information deletion methods and processes and have them reviewed, approved and communicated.

  4. Implement controls proportionate to the risk posed, laws, regulations and contracts

    The controls that you implement and the deletion methods you choose are based on your risk assessment, proportionate to that risk and to your business needs. They take into account all applicable laws, regulations and contracts.

  5. Keep records for audit purposes

    For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.

  6. Test the controls that you have to make sure they are working by performing internal audits

    Perform internal audits that include the testing of the controls to ensure that they are working.

Top 3 Mistakes People Make for ISO 27001 Annex A 8.10

The top 3 mistakes people make for ISO 27001 Annex A 8.10 are:

Using Operating System Delete Functions

Relying on operating system delete functions is one of the biggest mistakes we see, because that operation does not actually fully delete the confidential or sensitive information. The information can be easy to recover, from simply looking in the system ‘Trash’ folder to using basic data recovery techniques. Be sure to properly delete this data in line with your defined data deletion methods.

Sending Devices To Charity / Back to Vendor

We see this a lot: devices are sent back to vendors as is, put on eBay or sent to charity with little if any actual data deletion. See the section How To Implement ISO 27001 Annex A 7.14 Secure Disposal Or Re-Use Of Equipment.

Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced within the last 12 months, and having documents with no outstanding comments left in them are all good practices.

Why is information deletion important?

Information deletion is important because the basic techniques provided in tools and software are not usually adequate to fully delete information. It can be easily recovered, and this means that information can end up in the wrong hands, causing financial and reputational damage.

The following related controls apply:

ISO 27001:2022 Annex A 7.14 Secure Disposal or Reuse of Equipment

ISO 27001 Annex A 8.10 FAQ

Who owns ISO 27001 Annex A 8.10?

ISO 27001:2022 Annex A Control 8.10 covers activities related to the deletion and destruction of data and/or IT assets. This also includes using specialist software and vendors that specialise in data and device deletion. As a result, the ownership is assigned to the Head of IT or equivalent.

What is the Supplementary Information on Annex A 8.10?

The supplementary information for annex A 8.10 is to remove storage from devices before sending them off.

What are the supporting guidelines to ISO 27001 Annex A 8.10?

The supporting guidelines are ISO 27001:2022 Annex A 7.14 Secure Disposal or Reuse of Equipment.

What are the changes in ISO27001:2022 to Information Deletion?

ISO 27001 Annex A 8.10 is a new ISO 27001 control introduced in the 2022 update to the standard.

What is ISO 27001 information deletion?

ISO 27001 information deletion is the process of securely removing or destroying information from information systems, devices, or any other storage media. This is done to protect the confidentiality of the information and to prevent unauthorised access.

Why is ISO 27001 information deletion important?

ISO 27001 information deletion is an important control to protect an organisation from data breaches. Information that is not deleted securely can be recovered by unauthorised people for malicious reasons, which can lead to financial loss or reputational damage.

What are examples of deletion methods for ISO 27001 information deletion?

Physical Destruction – physically destroying a device beyond the point of recovery and use
Specialist deletion software – using software designed to securely destroy data using techniques often employed by the military.
Using a specialist third party – a company that specialises in the destruction and deletion of information to industry standards with appropriate certifications and assurances.

Which method of ISO 27001 information deletion should I use?

The method that you choose will be based on risk management and business need. If in doubt, use the most secure method possible for your budget.

When should I delete information?

Information should be deleted when it is no longer required and in line with legal and regulatory guidance. Information should never be kept just in case or indefinitely.

What policy should I have for information deletion?

The best policy to have for information deletion is the Information Classification and Handling policy that sets out the exact deletion requirements based on the classification of data.

What is ISO 27001 Annex A 8.10?

ISO 27001 Annex A 8.10 is an ISO 27001 Annex A control that addresses the requirements for information deletion.

What are the requirements of ISO 27001 Annex A 8.10?

The requirements of ISO 27001 Annex A 8.10 are that you must:
have a documented information deletion policy and procedures.
implement controls to ensure that information is deleted in accordance with the policy and procedures.
provide training to personnel on the information deletion policy and procedures.
monitor and report on the effectiveness of the information deletion controls.
test the information deletion controls on a regular basis.

Is ISO 27001 Annex A 8.10 a new control?

Yes, ISO 27001 Annex A 8.10 is a new control that was introduced in the 2022 update to the standard.

How hard is it to implement ISO 27001 Annex A 8.10?

It is not difficult to implement ISO 27001 Annex A 8.10. This is about information deletion and you will require the support of your IT teams. The technology to do this is commonplace. This is most easily solved by outsourcing to a specialist third party company.

Who is responsible for ISO 27001 Annex A 8.10?

The responsibility for ISO 27001 Annex A 8.10 lies with the IT department.

Who is accountable for ISO 27001 Annex A 8.10?

Accountability for ISO 27001 Annex A 8.10 lies with senior management and leadership.

Do I have to implement ISO 27001 Annex A 8.10?

For ISO 27001 certification you have to implement ISO 27001 Annex A 8.10.

Get the Help of the ISO 27001 Ninja

Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster than you ever thought possible.

Controls and Attribute Values

Control type: Preventive
Information security properties: Confidentiality
Cybersecurity concepts: Protect
Operational capabilities: Information Protection, Legal and Compliance
Security domains: Protection