SOC 2 C1.2: Confidentiality - Disposal of Confidential Information
What This Control Requires
The entity disposes of confidential information to meet the entity's objectives related to confidentiality. Procedures are in place to securely dispose of confidential information when it is no longer needed, preventing unauthorized access or disclosure.
In Plain Language
Every copy of confidential data sitting around past its useful life is a breach waiting to happen. Auditors look at whether you're actively cleaning house - deleting data you no longer need, and doing it in a way that makes recovery impossible.
In practice, this means having data retention policies that define how long different types of confidential information should be kept, secure disposal procedures for both physical and electronic media, automated deletion where possible, and records proving disposal actually happened. The disposal methods need to match the sensitivity of the data and the type of media it's stored on.
Assessors verify that you've defined retention periods, that disposal procedures are documented and followed, that disposal activities are recorded, and that the methods used make confidential information unrecoverable. Organisations that keep confidential data indefinitely without a clear business or legal reason are raising their own risk profile for no benefit.
How to Implement
Write a data retention and disposal policy defining retention periods for each category of confidential information. Base these on legal and regulatory requirements (which often mandate minimum retention), contractual obligations, business needs, and the principle that data shouldn't be kept longer than necessary. Document the rationale for each retention period.
Automate data deletion. Configure systems to purge data that has exceeded its retention period without waiting for someone to remember. For databases, run a scheduled job that identifies and hard-deletes expired records; a soft-delete flag is not disposal, because the data is still there for anyone with database access, and moving records to an archive only defers the problem unless the archive has its own expiry. For file systems and object storage, use lifecycle rules that expire files and objects past their retention date, including older versions where versioning is enabled. For email, configure retention policies in the email platform. Have every automated run record what it deleted, so the job produces its own disposal evidence.
Set up secure disposal procedures for electronic media, and match the method to the media. NIST SP 800-88 Rev. 1 distinguishes Clear (overwriting), Purge (the drive's own sanitize command, cryptographic erase, degaussing) and Destroy (shredding, disintegration, incineration); choose the level by the sensitivity of the data and whether the media will leave your control. For magnetic hard drives, a full overwrite, degaussing or physical destruction all work. For SSDs and other flash media, do not rely on overwriting: wear levelling and over-provisioned cells keep copies the host cannot address, so use the drive's built-in sanitize or secure-erase command, cryptographic erase on self-encrypting drives, or physical destruction; degaussing does nothing to flash. Cryptographic erasure is only valid if the data was encrypted from the moment it was written and the key was never stored alongside it. For cloud storage you cannot inspect the physical media, so delete every version, snapshot and soft-deleted copy through the provider's API, confirm the object is no longer retrievable, and rely on the provider's documented media sanitisation for the rest; encrypting with keys you control and destroying the key (crypto-shredding) is the practical way to make replicas and backups you cannot reach unrecoverable. For backup tapes, use degaussing or physical shredding; a degaussed tape is unusable afterwards.
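The principle behind cryptographic erasure is that destroying the key, not the data, is the disposal act: any ciphertext that survives in a replica, snapshot or backup is then unrecoverable. The example below, added here and not AuditFront's code, shows that at the application layer with one data key per record and a key store kept apart from the data. The `KeyStore` class, the record names and the sample account string are assumptions made for the illustration. The cipher is HMAC-SHA256 run in counter mode as a keystream so the example needs only the standard library; it is unauthenticated and is a stand-in for AES-GCM, which is what you would use in production (typically with data keys wrapped by a KMS or HSM).

```python
"""Crypto-shredding illustration (added example, not AuditFront's code).

Each record is encrypted under its own data key. Disposal destroys the key and
logs that it did so; every copy of the ciphertext, including a backup taken
before disposal, becomes unrecoverable without touching the backup itself.
"""
import hashlib
import hmac
import os


class KeyStore:
    """Per-record data keys kept apart from the data (assumed design for the example)."""

    def __init__(self):
        self._keys = {}
        self.disposal_log = []  # evidence that the disposal happened

    def new_key(self, record_id):
        key = os.urandom(32)
        self._keys[record_id] = key
        return key

    def get(self, record_id):
        return self._keys.get(record_id)

    def destroy(self, record_id, actor):
        """Destroy the key and write the disposal record; returns whether a key existed."""
        removed = self._keys.pop(record_id, None) is not None
        self.disposal_log.append({"record_id": record_id, "method": "cryptographic erasure",
                                  "performed_by": actor, "key_destroyed": removed})
        return removed


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream: a stdlib stand-in for AES-GCM."""
    blocks = []
    counter = 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Returns nonce || plaintext XOR keystream. No authentication tag (illustration only)."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def store_record(data_store, keystore, record_id, plaintext):
    """Data is encrypted before it is ever written; the erasure argument depends on this."""
    data_store[record_id] = encrypt(keystore.new_key(record_id), plaintext)


def read_record(data_store, keystore, record_id):
    key = keystore.get(record_id)
    if key is None or record_id not in data_store:
        return None  # key destroyed: the ciphertext may still exist but cannot be read
    return decrypt(key, data_store[record_id])


def demo():
    """Walk through: store, back up, dispose, then try to read from both copies."""
    primary, keys = {}, KeyStore()
    store_record(primary, keys, "cust-42", b"account 0001-2345, constructed sample")
    backup = dict(primary)  # a backup taken before disposal still holds the ciphertext
    readable_before = read_record(backup, keys, "cust-42")
    keys.destroy("cust-42", actor="retention-job")
    return {
        "readable_before": readable_before,
        "primary_after": read_record(primary, keys, "cust-42"),
        "backup_after": read_record(backup, keys, "cust-42"),
        "ciphertext_still_in_backup": "cust-42" in backup,
        "disposal_log": keys.disposal_log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The argument only holds if the key store is itself disposed of properly: if its backups are retained as long as the data backups, you have merely moved the problem. Keeping data keys small, wrapped under a master key, and backed up for a short window is what makes destroying them tractable.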
Set up secure disposal for physical documents. Provide cross-cut shredders for in-office disposal. Use locked collection bins for bulk document disposal. Engage certified document destruction vendors for large volumes and keep certificates of destruction.
Maintain disposal records. Document what was disposed of, the method used, the date, and who performed or verified the disposal. For third-party media destruction, obtain and retain certificates of destruction. These records are your audit evidence.
Audit data retention compliance periodically. Check that data past its retention period is actually being disposed of, that automated deletion is working, and that no unauthorised copies of confidential information linger in unexpected places like developer workstations, test environments, or personal devices.
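The automated deletion, the disposal records and the periodic compliance check described above fit together in one retention job. The example below is added here and is not AuditFront's code; the schema, the three data categories, their retention periods and the sample rows are assumptions chosen for the illustration. It hard-deletes records past retention, refuses to touch anything on legal hold, writes a disposal log entry per batch inside the same transaction as the delete, and exposes an audit query that reports anything still present that should have gone.

```python
"""Retention enforcement job with disposal evidence (added example, not AuditFront's code)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed retention schedule in days. In practice each period comes from the
# retention policy and carries a documented legal or business rationale.
RETENTION_DAYS = {
    "support_ticket": 365,
    "session_log": 90,
    "financial_record": 7 * 365,  # statutory minimums often force long retention here
}

SCHEMA = """
CREATE TABLE records (
    id         INTEGER PRIMARY KEY,
    category   TEXT NOT NULL,
    created_at TEXT NOT NULL,              -- ISO 8601, UTC
    legal_hold INTEGER NOT NULL DEFAULT 0  -- 1 = never purge while the hold stands
);
CREATE TABLE disposal_log (
    id           INTEGER PRIMARY KEY,
    disposed_at  TEXT NOT NULL,
    category     TEXT NOT NULL,
    record_ids   TEXT NOT NULL,            -- what was disposed of
    method       TEXT NOT NULL,            -- how
    performed_by TEXT NOT NULL             -- who
);
"""


def cutoff(category, now):
    """Anything created before this timestamp has exceeded the category's retention."""
    return (now - timedelta(days=RETENTION_DAYS[category])).isoformat()


def expired_records(conn, category, now):
    """Records past retention that are not on legal hold."""
    rows = conn.execute(
        "SELECT id FROM records WHERE category = ? AND created_at < ? AND legal_hold = 0",
        (category, cutoff(category, now)),
    ).fetchall()
    return [r[0] for r in rows]


def purge_expired(conn, now, performed_by="retention-job"):
    """Hard-delete expired records per category and log each batch. Returns counts."""
    counts = {}
    with conn:  # delete and its log entry commit together or not at all
        for category in RETENTION_DAYS:
            ids = expired_records(conn, category, now)
            counts[category] = len(ids)
            if not ids:
                continue
            conn.executemany("DELETE FROM records WHERE id = ?", [(i,) for i in ids])
            conn.execute(
                "INSERT INTO disposal_log (disposed_at, category, record_ids, method, performed_by) "
                "VALUES (?, ?, ?, ?, ?)",
                (now.isoformat(), category, ",".join(map(str, ids)),
                 "hard delete by automated retention job", performed_by),
            )
    return counts


def audit_retention(conn, now):
    """Compliance check: every (category, id) past retention and not on hold is a finding."""
    return [(category, rid) for category in RETENTION_DAYS
            for rid in expired_records(conn, category, now)]


def build_sample_db(now):
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)

    def age(days):
        return (now - timedelta(days=days)).isoformat()

    conn.executemany(
        "INSERT INTO records (category, created_at, legal_hold) VALUES (?, ?, ?)",
        [
            ("session_log", age(120), 0),        # id 1: expired, purge
            ("session_log", age(10), 0),         # id 2: within retention, keep
            ("support_ticket", age(400), 1),     # id 3: expired but on legal hold, keep
            ("support_ticket", age(400), 0),     # id 4: expired, purge
            ("financial_record", age(3000), 0),  # id 5: past 7 years, purge
        ],
    )
    conn.commit()
    return conn


def run_example(now=None):
    """Audit, purge, audit again; returns the figures an auditor would ask for."""
    now = now or datetime.now(timezone.utc)
    conn = build_sample_db(now)
    before = audit_retention(conn, now)
    purged = purge_expired(conn, now)
    after = audit_retention(conn, now)
    remaining = conn.execute("SELECT COUNT(*) FROM records").fetchone()[0]
    log_entries = conn.execute("SELECT COUNT(*) FROM disposal_log").fetchone()[0]
    return {"before": before, "purged": purged, "after": after,
            "remaining": remaining, "log_entries": log_entries}


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

A row deleted at the application layer is disposed of logically, not physically: the database engine may leave the bytes in free pages, write-ahead logs and the backups it has already taken. Treat the job's output as the disposal record for the logical copy and handle the storage underneath it with the media procedures above (SQLite, for instance, only overwrites freed pages when `PRAGMA secure_delete` is on).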
Evidence Your Auditor Will Request
- Data retention policy specifying retention periods for each category of confidential information
- Automated data lifecycle management configurations showing deletion schedules
- Secure disposal procedures for electronic media and physical documents
- Disposal records and certificates of destruction from third-party vendors
- Data retention compliance audit results showing adherence to defined retention periods
Common Mistakes
- No data retention policy exists, leading to indefinite retention of confidential information
- Retention periods are defined but not enforced through automated deletion or periodic cleanup
- Confidential data persists in test environments, developer workstations, or personal devices after its retention period
- Electronic media is disposed of through simple deletion without secure destruction methods
- No disposal records are maintained, making it impossible to demonstrate compliance with retention policies
Related Controls Across Frameworks
Frequently Asked Questions
How do we determine appropriate retention periods?
How do we ensure data is deleted from all locations, including backups?
Can we use a legal hold to override retention policies?
Track SOC 2 compliance in one place
AuditFront helps you manage every SOC 2 control, collect evidence, and stay audit-ready.