ISO 27001 A.8.10: Information deletion
What This Control Requires
Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
In Plain Language
Data you no longer need is not harmless - it is a liability. If it gets breached, you suffer the consequences without ever having gained a business benefit from keeping it. This control, new in ISO 27001:2022, makes data deletion an explicit requirement rather than something implied.
The scope is broader than most people realise. When you decide to delete data, you need to consider every place it might live: production databases, backups, test environments, file shares, cloud storage, email archives, and endpoint caches. Data left in a forgotten test database is just as breachable as data in production.
Deletion also needs to be done properly. Simply hitting delete is often not enough for sensitive information - the data may still be recoverable. You need secure deletion methods matched to the sensitivity of the data, and records to prove you did it.
How to Implement
Write a data retention and deletion policy that assigns retention periods to every category of information you hold. Align these with legal requirements, regulatory obligations, contractual commitments, and genuine business needs. Where multiple requirements overlap, use the longest mandatory period - but never retain data indefinitely without a clear justification.
Automate deletion wherever you can. Set database retention policies to purge expired data automatically. Configure email retention with auto-archive and eventual deletion. Use cloud storage lifecycle policies to transition data through tiers and ultimately delete it. Set up log rotation and deletion on defined schedules. Manual deletion at scale simply does not work reliably.
Track data across all storage locations. When production data is deleted, make sure it also disappears from backups (or that those backup sets expire within a reasonable timeframe), test and development environments, disaster recovery systems, email and messaging archives, endpoint caches, and any third-party systems you have shared data with.
Match your deletion method to data sensitivity. Standard deletion is fine for routine business data. Confidential data needs secure deletion tools that overwrite the storage space. Regulated data, especially personal data subject to GDPR erasure rights, requires complete and verifiable deletion. Physical media with the most sensitive data should follow media sanitisation methods per A.7.10.
Keep records of what you delete. Document what was removed, when, the method used, and who authorised it. This is critical for responding to GDPR erasure requests, demonstrating compliance with your own retention policy, and satisfying auditors.
Run periodic reviews to catch data that has overstayed its retention period. Organisations accumulate data through inertia - nobody deletes anything because nobody is sure if someone else needs it. Regular data hygiene exercises, backed by automated enforcement, break this cycle.
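The retention policy, automated purge and deletion record described above can be tied together in a small enforcement job. The following is an added illustration, not code from the control or from any particular product: it assumes a hypothetical retention schedule (days per data category), a SQLite table of records with a creation timestamp, and a deletion log table that records what was removed, the cutoff applied, the method, who authorised it and when. The sample rows are constructed. It also flags categories present in storage that the policy gives no retention period, which is the first of the common mistakes listed further down; a plain SQL delete is logical deletion only, and secure overwrite or media sanitisation for the most sensitive data is a separate step.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: days each data category may be kept.
# In practice these values come from the written retention policy.
RETENTION_DAYS = {
    "marketing_leads": 365,
    "support_tickets": 730,
    "access_logs": 90,
}

# Fixed "current time" so the constructed example is reproducible.
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def open_db():
    """Create an in-memory database with a data table and a deletion log."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, category TEXT NOT NULL, "
        "created_at TEXT NOT NULL, payload TEXT)"
    )
    conn.execute(
        "CREATE TABLE deletion_log ("
        "id INTEGER PRIMARY KEY, category TEXT, record_ids TEXT, "
        "cutoff TEXT, method TEXT, authorised_by TEXT, deleted_at TEXT)"
    )
    return conn


def seed_sample_data(conn, now):
    """Insert constructed sample rows of varying age (not real data)."""
    samples = [
        ("marketing_leads", 400, "lead A"),     # past 365-day retention
        ("marketing_leads", 100, "lead B"),     # still within retention
        ("support_tickets", 800, "ticket 1"),   # past 730-day retention
        ("access_logs", 91, "login event"),     # past 90-day retention
        ("access_logs", 30, "login event"),     # still within retention
        ("unknown_exports", 1000, "csv dump"),  # no retention period defined
    ]
    for category, age_days, payload in samples:
        created = (now - timedelta(days=age_days)).isoformat()
        conn.execute(
            "INSERT INTO records (category, created_at, payload) VALUES (?, ?, ?)",
            (category, created, payload),
        )
    conn.commit()


def categories_without_retention(conn):
    """Return categories present in storage that the policy does not cover."""
    rows = conn.execute("SELECT DISTINCT category FROM records").fetchall()
    return sorted(c for (c,) in rows if c not in RETENTION_DAYS)


def purge_expired(conn, now, authorised_by, dry_run=False):
    """Delete rows older than their category's retention period.

    Returns {category: rows_removed}. Unless dry_run is set, each purge is
    written to deletion_log: what was removed, the cutoff, the method, who
    authorised it and when. Timestamps are ISO-8601 UTC strings, so string
    comparison in SQL orders them correctly.
    """
    removed = {}
    for category, days in RETENTION_DAYS.items():
        cutoff = (now - timedelta(days=days)).isoformat()
        ids = [r[0] for r in conn.execute(
            "SELECT id FROM records WHERE category = ? AND created_at < ?",
            (category, cutoff))]
        if not ids:
            continue
        removed[category] = len(ids)
        if dry_run:
            continue
        conn.execute(
            "DELETE FROM records WHERE category = ? AND created_at < ?",
            (category, cutoff))
        conn.execute(
            "INSERT INTO deletion_log (category, record_ids, cutoff, method, "
            "authorised_by, deleted_at) VALUES (?, ?, ?, ?, ?, ?)",
            (category, json.dumps(ids), cutoff, "sql_delete",
             authorised_by, now.isoformat()))
    conn.commit()
    return removed


def deletion_records(conn):
    """Return the deletion log as a list of dicts for auditor review."""
    cur = conn.execute(
        "SELECT category, record_ids, cutoff, method, authorised_by, deleted_at "
        "FROM deletion_log ORDER BY id")
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def remaining_count(conn):
    """Number of rows still held after enforcement."""
    return conn.execute("SELECT COUNT(*) FROM records").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    seed_sample_data(db, DEMO_NOW)
    print("categories with no retention period:", categories_without_retention(db))
    print("dry run:", purge_expired(db, DEMO_NOW, "retention-job", dry_run=True))
    print("removed:", purge_expired(db, DEMO_NOW, "retention-job"))
    for entry in deletion_records(db):
        print(entry)
```

Running the job in dry-run mode first gives the numbers to put in front of the data owner before anything is removed; the deletion log produced by the live run is the record an auditor or a GDPR erasure request will ask for.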
Evidence Your Auditor Will Request
- Data retention and deletion policy with defined retention periods
- Automated data lifecycle management configurations
- Records of data deletion activities with dates and methods
- Evidence of periodic reviews to identify data exceeding retention periods
- GDPR erasure request handling records where applicable
Common Mistakes
- No defined retention periods resulting in indefinite data accumulation
- Data is deleted from production but persists in backups and test environments
- No automated deletion processes leading to manual and inconsistent data management
- Deletion records are not maintained to demonstrate compliance
- Personal data is retained beyond the purpose for which it was collected
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.5 | Related |
| GDPR | Art.5(1)(e) | Equivalent |
| GDPR | Art.17 | Related |
Frequently Asked Questions
Is this control new in ISO 27001:2022?
How do we handle deletion from backup systems?