Information Deletion - ISO 27001 Annex A Control

ISO 27001 Annex A 8.10

Information that is no longer needed should not still be kept around.

ISO 27001 Annex A 8.10 - Information Deletion

Information that has outlived its purpose is a liability rather than an asset. It still requires storage, still falls within the security regime, and still represents an exposure if compromised. The control asks for information to be deleted when no longer required, in line with classification and any legal retention obligations.

Deletion needs to be effective: the information must not be recoverable afterwards. A standard delete on most operating systems leaves the data in place and merely marks the storage as free for reuse, so the content can be recovered with ordinary forensic tools until it happens to be overwritten. Effective deletion means secure overwrite with a recognised method, cryptographic erase (the data was encrypted and the key is destroyed), or physical destruction, chosen according to the media. Two caveats apply in practice. Overwriting is unreliable on flash and SSD storage because wear levelling remaps blocks behind the operating system's back, so the drive's own secure-erase command or cryptographic erase is preferred there. And deletion has to reach every copy, including backups, replicas, caches, logs and exports, or the information is not actually gone.

Personal data has its own deletion regime under data protection law. Personal data must be deleted when the lawful basis for holding it ends, when retention periods expire, or in response to a data subject erasure request. The control aligns with these obligations and the personal data register should record the retention rules and deletion practice for each category.

Most organisations are far better at keeping information than at deleting it. Storage is cheap and the cost of deletion - decisions about what can go, processes to apply, evidence that it actually happened - feels disproportionate. Until something goes wrong. Then the historic data that should have been deleted years ago becomes part of the breach impact.

The audit will look for evidence of deletion in line with the retention rules. Personal data older than the documented retention period that has not been deleted is a finding under data protection compliance. Test data that contains personal data and never got cleaned up is another. The deletion process needs to operate, not just exist on paper.

Practical Compliance Guidance

Information deletion is described in the IMS1 Manual in section 8.2 alongside the Information Security Policy. The personal data register holds the retention rules.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.
F-IMS24 Personal Data Register - The personal data register listing data categories, lawful bases, retention periods and deletion practice. Use as the master record for personal data deletion governance.
PP-8-100 Information Security Policy Procedure - This information security policy-procedure includes a large number of topic-specific information security policies, including the policy on information deletion.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

How is it decided when information is no longer required?
Through retention schedules tied to data categories. The personal data register records the retention period for each category of personal data. Wider information retention can be tracked through the document register or equivalent. Periodic reviews identify what has reached the end of its retention period.

What counts as effective deletion?
Either cryptographic erase (where the data was encrypted and the key is destroyed), secure overwrite using a recognised method, or physical destruction of the storage media. Standard file deletion is not sufficient because it does not actually remove the data.

What evidence shows that deletion actually happened?
Through process records: retention review outputs, deletion logs from systems that support them, certificates of destruction for physical media. Where deletion is automated through retention rules in the system, the configuration is part of the evidence.
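As an added illustration (not part of the alphaZ toolkit or the control text), the following Python combines the points above: a retention review driven by a schedule tied to data categories, cryptographic erase as the deletion method, and a log entry for every deletion that can serve as audit evidence. It assumes a per-record key design, a constructed retention schedule and constructed sample records; the HMAC-based keystream stands in for a real AEAD so the example runs on the standard library alone.

```python
"""Retention review with per-record cryptographic erase (illustrative example).

Each record is encrypted under its own key. Deleting a record means destroying
that key, so the stored ciphertext, and any backup copy of it, becomes
unrecoverable. Every deletion writes a log entry. Schedule and records below
are constructed sample data, not from any real register.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention schedule per data category, in days (constructed; in practice it
# comes from the personal data register).
RETENTION_DAYS: Dict[str, int] = {
    "customer_account": 6 * 365,
    "marketing_consent": 2 * 365,
    "test_data": 30,
}
REVIEW_DATE = date(2025, 1, 1)  # constructed review date for the sample run


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (same op both ways).

    Illustrative only, so the example needs no third-party library; use a
    vetted AEAD such as AES-GCM in real systems.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    nonce: bytes
    ciphertext: bytes
    legal_hold: bool = False  # a legal hold overrides the retention period


class Store:
    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.keys: Dict[str, bytearray] = {}  # per-record keys, kept apart from data
        self.deletion_log: List[dict] = []

    def put(self, record_id: str, category: str, created: date,
            plaintext: bytes, legal_hold: bool = False) -> None:
        key = bytearray(os.urandom(32))
        nonce = os.urandom(16)
        self.keys[record_id] = key
        self.records[record_id] = Record(
            record_id, category, created, nonce,
            keystream_xor(key, nonce, plaintext), legal_hold)

    def read(self, record_id: str) -> Optional[bytes]:
        """Return the plaintext, or None once the key has been destroyed."""
        key = self.keys.get(record_id)
        if key is None:
            return None
        rec = self.records[record_id]
        return keystream_xor(key, rec.nonce, rec.ciphertext)

    def crypto_erase(self, record_id: str, reason: str, when: date) -> dict:
        """Destroy the record's key and log the deletion as evidence."""
        key = self.keys.pop(record_id)
        for i in range(len(key)):  # zero the key bytes in memory
            key[i] = 0
        rec = self.records[record_id]
        entry = {"record_id": record_id, "category": rec.category,
                 "created": rec.created.isoformat(), "deleted": when.isoformat(),
                 "method": "cryptographic erase", "reason": reason}
        self.deletion_log.append(entry)
        return entry

    def retention_review(self, review_date: date) -> Dict[str, List[str]]:
        """Erase every record past retention; report holds and unclassified data."""
        result: Dict[str, List[str]] = {"erased": [], "on_hold": [], "no_rule": []}
        for rec in sorted(self.records.values(), key=lambda r: r.record_id):
            days = RETENTION_DAYS.get(rec.category)
            if days is None:
                result["no_rule"].append(rec.record_id)  # category has no rule
            elif rec.record_id not in self.keys:
                continue  # already erased in an earlier review
            elif rec.created + timedelta(days=days) > review_date:
                continue  # still within its retention period
            elif rec.legal_hold:
                result["on_hold"].append(rec.record_id)
            else:
                self.crypto_erase(rec.record_id, "retention period expired", review_date)
                result["erased"].append(rec.record_id)
        return result


def build_sample_store() -> Store:
    """Constructed records whose dates exercise each path of the review."""
    s = Store()
    s.put("acct-1", "customer_account", date(2018, 1, 1), b"alice@example.test")
    s.put("acct-2", "customer_account", date(2022, 1, 1), b"bob@example.test")
    s.put("test-1", "test_data", date(2024, 11, 1), b"copied production row")
    s.put("cons-1", "marketing_consent", date(2020, 1, 1), b"opt-in", legal_hold=True)
    s.put("misc-1", "unclassified", date(2015, 1, 1), b"nobody knows what this is")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print(store.retention_review(REVIEW_DATE))
    for line in store.deletion_log:
        print(line)
```

The per-record key is what makes a single erasure request cheap: the ciphertext can stay in backups indefinitely because it is useless without the key, which is also why the key store, not the data store, is the thing that needs the strongest access control and the clearest deletion log. Records with no retention rule are surfaced rather than kept quietly, since "nobody knows what this is" is exactly the historic data the audit will ask about.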

UK Legislation

Relevant UK legislation includes:
