ISO 27002:2022 introduces several new information security controls including A8.10 – Information deletion.
This blog takes a brief look at what is required.
Information Deletion in ISO 27002:2022
The new control id 8.10 – Information deletion has been added to ISO/IEC 27002:2022 to prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory, and contractual requirements for information deletion.
The control covers Information stored in software systems, on devices or in any other storage media and should be deleted when no longer required.
Information, including PII, should not be kept for longer than it is required to reduce the impact of undesirable disclosure and deletion should be via secure means.
How to Evidence A8.10 of ISO 27002:2022
Organisations should define the retention period for information and have a method of identifying when that period expires.
A documented information deletion procedure would be a benefit. The organisation should consider appropriate methods of deletion compatible with its risk assessment.
Options for information deletion may include:
- Electronic Overwriting of Data, for example to HMG IS5 standard.
- Physical Shredding of Drives,for example to BS EN 15713 Standard.
There should be full traceability and record keeping to evidence which information assets have been destroyed and how.
For physical drives this may include recording the serial numbers of the hard drives, however it should be considered that serial numbers alone may not be enough to maintain a complete audit trail of the data.
When using service suppliers for information deletion it is important to obtain evidence of information deletion from them, and conduct enough due diligence to be satisfied that the process has been completed effectively.
An official record of information deletion is useful when analysing the cause of a possible information leakage event.