ISO27001:2022 FAQ

Home / ISO 27001 Templates / ISO 27001 Data Retention Policy Explained + Template

ISO 27001 Data Retention Policy Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

A Data Retention Policy is a set of rules that tells you how long to keep different types of information. It’s like having a tidy-up schedule for your digital files. The main idea is that you shouldn’t keep data forever. You should keep it as long as you need it for business reasons, legal reasons, or to follow specific rules, and then you should get rid of it securely.

What is it?
Applicability to Small Business, Tech Startups, and AI Companies
ISO 27001 Data Retention Policy Template
Why Do You Need It?
When Do You Need It?
Who Needs It?
Where Do You Need It?
How to Write It
How to Implement It
Examples of Using It
How the ISO 27001 Toolkit Can Help
Information Security Standards That Need It
List of Relevant ISO 27001:2022 Controls
ISO 27001 Data Retention Policy Example
ISO 27001 Data Retention Policy FAQ

What is it?

An ISO 27001 data retention policy is a set of guidelines that tells you how to long to keep your company’s information. It is part of the larger ISO 27001:2022 standard, which is all about information security. The policy helps you keep data private and safe from harm.

Applicability to Small Business, Tech Startups, and AI Companies

This policy is super important for different types of businesses, but for slightly different reasons.

Small Businesses: You might think you don’t need it, but you do! Even a small customer list needs to be managed properly. A policy helps you protect your customers’ trust and avoid fines.
Tech Startups: You’re probably moving fast and handling a lot of user data. A policy helps you manage this growth without letting data pile up and become a security risk.
AI Companies: You deal with massive amounts of data to train your models. A data retention policy is crucial for managing this data, ensuring you’re not keeping training data longer than you should and that you’re complying with privacy laws.

ISO 27001 Data Retention Policy Template

The ISO 27001:2022 Data Retention Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.

You can find templates for an ISO 27001 data retention policy online. These templates give you a head start. You can then change them to fit your specific business needs. Using a template can save you time and help you make sure you don’t miss anything important.

ISO 27001 Data Retention Policy Template

Why Do You Need It?

You need a data retention policy for several important reasons. Firstly, it helps you reduce your risk. The more data you have, the bigger the target you are for cyberattacks. It’s like having fewer valuables in your house, so there’s less for a burglar to steal. Secondly, it helps you save money. Storing data costs money, and having less of it means lower costs. Lastly, it helps you stay compliant with laws like GDPR. Having a policy shows that you’re serious about protecting personal data and following the rules.

When Do You Need It?

You need a data retention policy as soon as you start handling any kind of data, especially if it’s personal information about people. If you’re a new business, you might think you can put this off, but it’s much easier to set up a policy from the beginning than to clean up a mess later. It’s a key part of getting your ISO 27001 certification.

Who Needs It?

Everyone who handles data needs this policy! This includes all types of organisations, from a small bakery to a huge tech company. However, it’s particularly important for businesses that handle a lot of sensitive information, such as financial details, health records, or personal data.

Where Do You Need It?

This policy applies to all the places where you store information. This means your computers, servers, cloud storage (like Google Drive or Dropbox), and even physical documents in a filing cabinet. The policy should cover all your data, no matter where it lives.

How to Write It

Start by looking at what kind of data you have and how you store it. Then write down how long you need to keep it. Decide how you’ll securely delete or destroy data when the time is up. This could be by shredding paper or securely wiping a hard drive.

Time needed: 1 hour and 30 minutes

How to write an ISO 27001 Data Retention Policy

Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
Write the ISO 27001 Data Retention Policy contents page
1 Document Version Control
2 Document Contents Page
3 Data Retention Policy
3.1 Purpose
3.2 Scope
3.3 Principle
3.4 Agreement of Retention Periods
3.5 Record of Retention Periods
3.6 Expiry of Retention Period
3.7 Suspension of Record Disposal in the event of litigation or claims
4 Policy Compliance
4.1 Compliance Measurement
4.2 Exceptions
4.3 Non-Compliance
4.4 Continual Improvement
Write the ISO 27001 Data Retention Policy purpose
The purpose of this policy is to ensure that necessary records, documents, and information of the company containing personal data are retained for no longer than necessary for the purposes for which personal data are processed.
Write the ISO 27001 Data Retention Policy principle
The GDPR principle of Data Storage Limitation for personal data.
Write the ISO 27001 Data Retention Policy scope
All employees and third-party users.
Personal Data as defined by GDPR.
Define the approach to agreeing retention periods
The relevant owners of the documentation as detailed in the asset register are responsible for agreeing the data retention periods in line with legal, regulatory, and business requirements.
Data retention periods are approved by legal counsel.
Explain the record of retention periods
Retention periods are recorded in the Data Asset Register. Additional detail is contained where applicable and appropriate in the Record of Processing Activities and the Asset Register.
Set out what happens at the expiry of retention periods
When the retention target is reached, the information will be reviewed by relevant owners of the documentation as detailed in the asset register to confirm that the information is to be further retained or destroyed. It will be destroyed in line with the Information Classification and Handling Policy if there is no further business, statutory or historical reason to keep them or to select them for re review at a later date; either because the business need is ongoing or because of potential historical value.
Explain the suspension of record disposal in the event of litigation or claims
In the event any employee of the company reasonably anticipates or becomes aware of a governmental investigation or audit concerning the company or the commencement of any litigation against or concerning the company, such employee shall inform Directors and Board of Directors and any further disposal of documents shall be suspended until such time as the Board of Directors, with the advice of the Executive Director and the company legal counsel, determines otherwise. The Directors shall take such steps as are necessary to promptly inform affected staff of any suspension in the disposal or destruction of documents.

How to Implement It

Putting the policy into action is key.

Tell everyone about it: Make sure all your employees know the rules.
Train your team: Teach them how to follow the policy.
Automate when you can: Use tools that automatically delete old data to make it easier.
Check in regularly: Review your policy every year to make sure it’s still working and up to date.

Examples of Using It

For a small business: A local flower shop collects customer names and phone numbers for delivery. The policy says to delete this information 30 days after the delivery is complete, unless the customer signs up for a newsletter.
For a tech startup: A new social media app collects user profiles and messages. The policy states that user profiles are kept as long as the account is active, but messages are deleted after one year.
For an AI company: An AI company uses photos to train a facial recognition model. The policy requires that all photos are deleted from the training servers three months after the model is trained and deployed.

How the ISO 27001 Toolkit Can Help

An ISO 27001 toolkit is a collection of pre-written documents and guides that make it much easier to get certified. It will almost certainly include a professionally written data retention policy template that you can just fill in with your specific details. It saves you a ton of time and ensures you don’t miss anything important.

Get the Small Business ISO 27001 Toolkit >

Information Security Standards That Need It

This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:

CCPA (California Consumer Privacy Act)
DORA (Digital Operational Resilience Act)
NIS2 (Network and Information Security (NIS) Directive)
SOC 2 (Service Organisation Control 2)
NIST (National Institute of Standards and Technology)
HIPAA (Health Insurance Portability and Accountability Act)
GDPR (General Data Protection Regulation)

List of Relevant ISO 27001:2022 Controls

The ISO/IEC 27001:2022 standard has many controls, which are like specific rules. Here are a few that are important for data protection:

ISO 27001 Data Retention Policy Example

An example ISO 27001:2022 Data Retention Policy:

ISO27001 Data Retention Policy Example 3

ISO27001 Data Retention Policy Example 5

ISO27001 Data Retention Policy Example 6

ISO27001 Data Retention Policy Example 7

ISO27001 Data Retention Policy Example 8

ISO 27001 Data Retention Policy FAQ

What’s the difference between data retention and data backup?

Data retention is about how long you keep active data. Data backup is about saving copies in case something goes wrong.

Can I keep data forever?

No, you shouldn’t. Keeping data longer than you need it is a security risk and can violate privacy laws.

What if I don’t have a policy?

You could face fines, lose customer trust, and be more vulnerable to cyberattacks.

How often should I review my policy?

You should review it at least once a year.

Is this policy just for digital data?

No, it also applies to physical paper documents.

Does GDPR require a data retention policy?

Yes, it requires you to have a clear reason and timeframe for keeping personal data.

What if a customer asks me to delete their data?

Your policy should have a process for this, as it’s a right under many privacy laws.

Do I need a lawyer to write this?

It’s a good idea to have a lawyer look it over, but you can write a good draft yourself.

What’s the first step?

The first step is to make a list of all the data you have.

How do I know what the legal retention periods are?

You’ll need to research the laws that apply to your business and location.

What is a disposal log?

It’s a record you keep of all the data you have securely deleted.

What if a hacker steals my old data?

If you have a policy and can show you were in the process of deleting it, it can help you in a legal situation.

What is secure deletion?

It means using special methods to make sure the data can’t be recovered, like using a data wiping tool.

Is this policy part of my ISO 27001 certification?

Yes, it’s a key requirement.

What’s the biggest mistake people make?

The biggest mistake is not having a policy at all, or having one and not following it.

Stuart Barker
ISO 27001 Expert and Thought Leader

Book a Call

ISO 27001 Toolkit: Business Edition

ISO 27001 Toolkit: Consultant Edition

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.