ISO 27001 Information Deletion
The focus for this ISO 27001 Annex A Control is information deletion. As one of the ISO 27001 controls this is about deleting data properly reducing the exposure of sensitive information and complying with laws, regulations and contractual requirements.
You will learn what ISO 27001 Annex A 8.10 is, how to simply and easily implement ISO 27001 Information Deletion for ISO 27001 certification and I will show you some common gotchas so you can avoid them.
Table of contents
- ISO 27001 Information Deletion
- What is ISO 27001 Annex A 8.10 Information Deletion?
- How to implement ISO 27001 Annex A 8.10 Information Deletion
- ISO 27001 Templates
- How to pass an audit of ISO 27001 Annex A 8.10 Information Deletion
- How to comply with ISO 27001 Annex A 8.10 Information Deletion
- Top 3 Mistakes People Make for ISO 27001 Annex A 8.10
- Why is information deletion important?
- Related ISO 27001 Controls
- ISO 27001 Annex A 8.10 FAQ
- Get the Help of the ISO 27001 Ninja
- Controls and Attribute Values
What is ISO 27001 Annex A 8.10 Information Deletion?
ISO 27001 Annex A 8.10 Information Deletion is an ISO 27001 control that looks to make sure you are deleting data when it is no longer required in a way that it cannot be recovered.
ISO 27001 Annex A 8.10 Purpose
The purpose of Annex A 8.10 Information Deletion is to prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.
ISO 27001 Annex A 8.10 Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.10 as:
Information stored in information systems, devices or in any other storage media should be deleted when no longer required. – ISO 27001:2022 Annex A 8.10 Information Deletion
How to implement ISO 27001 Annex A 8.10 Information Deletion
General Guidance
Sensitive and confidential data should not be kept for longer than necessary. There are many reasons for this, including specific data protection laws such as the GDPR for personal data, but more generally it is simply best practice. You will find that not only laws but also regulations and your client contracts specify this.
Information Classification and Handling Policy
Your starting point is to define your information classification scheme and set out your Information Classification and Handling Policy. For a fast track you can download the ISO 27001 Information Classification and Handling Policy Template, which sets out a common information classification scheme and detailed handling policy points. It includes what we do for the deletion of information at each classification level. The ISO 27001 Information Classification and Handling Policy Beginner’s Guide is a great resource to learn more about this policy.
Select deletion methods
Whilst the template includes the deletion methods that are common and best practice, if you are writing your own policy you should set out what the deletion methods are, taking into account the data classification and the constraints of law, contracts and regulations.
You can look to automate or implement system controls that securely destroy information based on a process step or a trigger.
Things that may be overlooked are the deletion of temporary files, copies of files or versions of files that are no longer needed.
For software, consider professional deletion software to permanently delete information. This is more targeted at sensitive and confidential data, with software that overwrites and deletes to government and military standards. Just putting a file in the ‘trash can’ or hitting the default operating system delete key is often not sufficient.
There are techniques to consider such as magnetic erasure and degaussing, but on the whole the best advice is to use a professional third party service provider, under contract, and to keep records and receipts.
Records of Deletion
When you delete data, and especially if this is in bulk or part of a deletion process, you should maintain records of the deletion. Examples include records of destruction or deletion from third parties if you rely on them to conduct this exercise. Other examples include change control records as part of the change management process, incident or ticket related records, or even system logs.
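As an added example (not from the original page), the script below shows what an automated, trigger-based deletion process with records can look like: a retention sweep that reads each file's classification from a manifest, deletes files past the retention period defined for their classification, and appends a hash-chained deletion record that an auditor can verify. The classification levels, retention periods and the `manifest` layout are assumptions for the example; the `delete` callable is a hook where a secure-erase tool would be substituted for confidential media.

```python
import hashlib
import json
import os
import time

# Retention period per classification level, in days (constructed values for this
# example; real values come from your Information Classification and Handling Policy).
RETENTION_DAYS = {"public": None, "internal": 365, "confidential": 90, "restricted": 30}

def is_due_for_deletion(classification, mtime, now):
    """True when the file's age exceeds the retention period for its classification."""
    days = RETENTION_DAYS[classification]   # KeyError on an unclassified file: fail loudly
    return days is not None and now - mtime >= days * 86400

def record_deletion(log_path, path, classification, method, actor, when):
    """Append one deletion record. Each line carries the SHA-256 of the previous line,
    so an edited or removed record breaks the chain (a simple tamper-evident audit log)."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {"ts": int(when), "path": path, "classification": classification,
             "method": method, "actor": actor, "prev": prev}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")

def verify_log(log_path):
    """Re-walk the hash chain; False if any record was altered or removed."""
    prev = "0" * 64
    with open(log_path, "rb") as f:
        for line in f.read().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True

def sweep(manifest, log_path, now=None, actor="retention-job", delete=os.remove):
    """manifest maps file path -> classification. Deletes expired files via `delete`
    (swap in a secure-erase tool for confidential media) and records each deletion."""
    now = time.time() if now is None else now
    deleted = []
    for path, classification in sorted(manifest.items()):
        if is_due_for_deletion(classification, os.path.getmtime(path), now):
            delete(path)
            record_deletion(log_path, path, classification, delete.__name__, actor, now)
            deleted.append(path)
    return deleted
```

Running the sweep from a scheduler and archiving the log alongside third party destruction certificates gives the auditor one consistent set of deletion records.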
Transportation of devices
The standard is quite in-depth in its coverage and, whilst not appropriate for all organisations and situations, you can consider removing storage devices when the main devices are moved or sent back to vendors. A factory reset is also good practice.
ISO 27001 Templates
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
ISO 27001 templates have the advantage of being a massive boost that can save time and money, so before we get into the implementation guide we consider these pre-written templates that will skyrocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.
How to pass an audit of ISO 27001 Annex A 8.10 Information Deletion
To pass an audit of ISO 27001 Annex A 8.10 Information Deletion you are going to make sure that you have followed the steps below on how to comply.
How to comply with ISO 27001 Annex A 8.10 Information Deletion
To comply with ISO 27001 Annex A 8.10 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:
Time needed: 2 hours
How to comply with ISO 27001 Annex A 8.10 Information Deletion
- Define and implement your information classification scheme
Implement an appropriate classification scheme for information based on risk and business need.
- Implement and communicate your Information Classification and Handling Policy
Implement the Information Classification and Handling Policy that sets out the different levels of classification that you have and the deletion requirements based on that classification.
- Define and implement your information deletion methods and processes
Document your information deletion methods and processes and have them reviewed, approved and communicated.
- Implement controls proportionate to the risk posed, laws, regulations and contracts
The controls that you implement and the deletion methods you choose are based on your risk assessment and proportionate to that risk and your business needs. They take into account all laws and regulations.
- Keep records for audit purposes
For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.
- Test the controls that you have to make sure they are working by performing internal audits
Perform internal audits that include the testing of the controls to ensure that they are working.
Top 3 Mistakes People Make for ISO 27001 Annex A 8.10
The top 3 mistakes people make for ISO 27001 Annex A 8.10 are
Using Operating System Delete Functions
Relying on operating system delete functions is one of the biggest mistakes we see, because that operation does not actually fully delete the confidential or sensitive information. The information can be easy to recover, from simply looking in the system ‘Trash’ folder to basic data recovery techniques. Be sure to properly delete this data in line with your defined data deletion methods.
Sending Devices To Charity / Back to Vendor
We see this a lot, with devices just being sent back to vendors as is, put on eBay or sent to charity with little if any actual data deletion. See the section How To Implement ISO 27001 Annex A 7.14 Secure Disposal Or Re-Use Of Equipment.
Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months and having documents with no comments left in them are all good practices.
Why is information deletion important?
Information deletion is important because the basic delete functions provided in tools and software are not usually adequate to fully delete information. It can be easily recovered, which means that information can end up in the wrong hands, causing financial and reputational damage.
Related ISO 27001 Controls
The following related controls apply:
ISO 27001:2022 Annex A 7.14 Secure Disposal or Reuse of Equipment
ISO 27001 Annex A 8.10 FAQ
ISO 27001:2022 Annex A Control 8.10 covers activities related to the deletion and destruction of data and/or IT assets. This also includes using specialist software and vendors that specialise in data and device deletion. As a result, the ownership is assigned to the Head of IT or equivalent.
The supplementary information for annex A 8.10 is to remove storage from devices before sending them off.
The supporting guideline is ISO 27001:2022 Annex A 7.14 Secure Disposal or Reuse of Equipment.
ISO 27001 Annex A 8.10 is a new ISO 27001 control introduced in the 2022 update to the standard.
ISO 27001 information deletion is the process of securely removing or destroying information from information systems, devices, or any other storage media. This is done to protect the confidentiality of the information and to prevent unauthorised access.
ISO 27001 information deletion is an important control to protect an organisation from data breaches. Information that is not deleted securely can be recovered by unauthorised people for malicious purposes, which can lead to financial loss or reputational damage.
Physical Destruction – physically destroying a device beyond the point of recovery and use
Specialist deletion software – using software designed to securely destroy data using techniques often employed by the military.
Using a specialist third party – a company that specialises in the destruction and deletion of information to industry standards with appropriate certifications and assurances.
The method that you choose will be based on risk management and business need. If in doubt, use the most secure method possible for your budget.
Information should be deleted when it is no longer required and in line with legal and regulatory guidance. Information should never be kept just in case or indefinitely.
The best policy to have for information deletion is the Information Classification and Handling policy that sets out the exact deletion requirements based on the classification of data.
ISO 27001 Annex A 8.10 is an ISO 27001 Annex A control that addresses the requirements for information deletion.
The requirements of ISO 27001 Annex A 8.10 are that you must:
have a documented information deletion policy and procedures.
implement controls to ensure that information is deleted in accordance with the policy and procedures.
provide training to personnel on the information deletion policy and procedures.
monitor and report on the effectiveness of the information deletion controls.
test the information deletion controls on a regular basis.
Yes, ISO 27001 Annex A 8.10 is a new control that was introduced in the 2022 update to the standard.
It is not difficult to implement ISO 27001 Annex A 8.10. This is about information deletion and you will require the support of your IT teams. The technology to do this is commonplace. This is most easily solved by outsourcing to a specialist third party company.
The responsibility for ISO 27001 Annex A 8.10 lies with the IT department.
Accountability for ISO 27001 Annex A 8.10 lies with senior management and leadership.
For ISO 27001 certification you have to implement ISO 27001 Annex A 8.10.
Get the Help of the ISO 27001 Ninja
Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster than you ever thought possible.
Controls and Attribute Values
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
---|---|---|---|---
Preventive | Confidentiality | Protect | Information Protection, Legal and Compliance | Protection