ISO 27001 Data Retention Policy: How to Write (& Template)

In this guide, you will learn what an ISO 27001 Data Retention Policy is and how to write it yourself, and I give you a template you can download and use right away.

What is an ISO 27001 Data Retention Policy?

The ISO 27001 Data Retention Policy sets out how long you keep each category of data for. It is a legal and regulatory requirement.

It is one of the ISO 27001 policies required by the ISO 27001 standard for ISO 27001 certification.

How to write an ISO 27001 Data Retention Policy

Time needed: 1 hour and 30 minutes

  1. Create your version control and document mark-up

    ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.

  2. Write the ISO 27001 Data Retention Policy contents page

    1 Document Version Control
    2 Document Contents Page
    3 Data Retention Policy
    3.1 Purpose
    3.2 Scope
    3.3 Principle
    3.4 Agreement of Retention Periods
    3.5 Record of Retention Periods
    3.6 Expiry of Retention Period
    3.7 Suspension of Record Disposal in the event of litigation or claims
    4 Policy Compliance
    4.1 Compliance Measurement
    4.2 Exceptions
    4.3 Non-Compliance
    4.4 Continual Improvement

  3. Write the ISO 27001 Data Retention Policy purpose

    The purpose of this policy is to ensure that necessary records, documents, and information of the company containing personal data are retained for no longer than necessary for the purposes for which personal data are processed.

  4. Write the ISO 27001 Data Retention Policy principle

    The GDPR principle of Data Storage Limitation for personal data.

  5. Write the ISO 27001 Data Retention Policy scope

    All employees and third-party users.
    Personal Data as defined by GDPR.

  6. Define the approach to agreeing retention periods

    The relevant owners of the documentation as detailed in the asset register are responsible for agreeing the data retention periods in line with legal, regulatory, and business requirements.
    Data retention periods are approved by legal counsel.

  7. Explain the record of retention periods

    Retention periods are recorded in the Data Asset Register. Additional detail is contained where applicable and appropriate in the Record of Processing Activities and the Asset Register.

  8. Set out what happens at the expiry of retention periods

    When the retention target is reached, the relevant owners of the documentation, as detailed in the asset register, review the information and confirm whether it is to be further retained or destroyed. Information is destroyed in line with the Information Classification and Handling Policy if there is no further business, statutory or historical reason to keep it. Otherwise it is selected for re-review at a later date, either because the business need is ongoing or because of potential historical value.

  9. Explain the suspension of record disposal in the event of litigation or claims

    In the event that any employee of the company reasonably anticipates or becomes aware of a governmental investigation or audit concerning the company, or the commencement of any litigation against or concerning the company, that employee shall inform the Directors and the Board of Directors, and any further disposal of documents shall be suspended until such time as the Board of Directors, with the advice of the Executive Director and the company legal counsel, determines otherwise. The Directors shall take such steps as are necessary to promptly inform affected staff of any suspension in the disposal or destruction of documents.
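Steps 6 to 9 describe a lifecycle that is usually enforced by a script or job over the Data Asset Register: only legally approved retention periods count, records whose target has passed go to their owner for a destroy-or-re-review decision, and a litigation or investigation hold suspends disposal and triggers notification of the affected owners. The following is an added example illustrating that logic; it is not code from this page or from the toolkit template. The register fields (`asset_id`, `owner`, `retention_days`, `approved_by_legal`, `review_until`), the sample rows and the reference date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    RETAIN = "retain"          # retention target not yet reached (or re-review date not reached)
    REVIEW = "review"          # target reached: owner confirms destroy or re-review
    HOLD = "hold"              # disposal suspended (litigation / investigation / audit)
    UNAPPROVED = "unapproved"  # no period approved by legal counsel: must not be disposed of


@dataclass
class AssetRecord:
    """One row of a hypothetical Data Asset Register (field names are constructed)."""
    asset_id: str
    category: str
    owner: str
    created: date
    retention_days: int
    approved_by_legal: bool = False
    review_until: Optional[date] = None  # set when the owner elects re-review at a later date


def retention_target(record: AssetRecord) -> date:
    """Date on which the agreed retention period for this record expires."""
    return record.created + timedelta(days=record.retention_days)


def assess(record: AssetRecord, today: date, disposal_suspended: bool) -> Action:
    """Decide what the policy requires for one record on a given date."""
    if not record.approved_by_legal:
        return Action.UNAPPROVED  # step 6: periods must be approved by legal counsel
    if today < retention_target(record):
        return Action.RETAIN
    if record.review_until is not None and today < record.review_until:
        return Action.RETAIN  # step 8: owner chose re-review at a later date
    if disposal_suspended:
        return Action.HOLD  # step 9: no disposal while a hold is in force
    return Action.REVIEW  # step 8: owner confirms destroy or re-review


def assess_register(records: List[AssetRecord], today: date,
                    disposal_suspended: bool = False) -> Dict[str, Action]:
    """Run the assessment over the whole register, keyed by asset id."""
    return {r.asset_id: assess(r, today, disposal_suspended) for r in records}


def owners_to_notify(records: List[AssetRecord], today: date) -> List[str]:
    """Owners whose records would otherwise be up for disposal review and who must
    therefore be told that disposal is suspended (step 9)."""
    return sorted({r.owner for r in records
                   if assess(r, today, disposal_suspended=False) == Action.REVIEW})


# Constructed sample register and reference date used for the walk-through below.
TODAY = date(2025, 6, 1)
SAMPLE_REGISTER = [
    AssetRecord("HR-001", "Employee records", "hr.manager",
                date(2018, 1, 15), 6 * 365, approved_by_legal=True),
    AssetRecord("FIN-010", "Invoices", "finance.lead",
                date(2017, 4, 1), 7 * 365, approved_by_legal=True,
                review_until=date(2026, 12, 31)),
    AssetRecord("MKT-004", "Campaign analytics", "marketing.lead",
                date(2024, 3, 1), 2 * 365, approved_by_legal=True),
    AssetRecord("OPS-022", "Support tickets", "support.lead",
                date(2016, 9, 9), 3 * 365, approved_by_legal=False),
]


if __name__ == "__main__":
    for asset_id, action in assess_register(SAMPLE_REGISTER, TODAY).items():
        print(f"{asset_id}: {action.value}")
    print("hold in force:", assess_register(SAMPLE_REGISTER, TODAY, disposal_suspended=True))
    print("owners to notify of hold:", owners_to_notify(SAMPLE_REGISTER, TODAY))
```

The design keeps the decision in one pure function so that the same rule is applied on every run and can be audited: an expired record never maps straight to "destroy", only to a review by its owner, and a hold flag wins over expiry without any change to the register rows themselves.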

ISO 27001 Data Retention Policy Template

The ISO 27001 Data Retention Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.

ISO 27001 Data Retention Policy Example

An example ISO 27001 Data Retention Policy:

Further Reading

ISO 27001 Data Retention Policy Template

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention
