Series: New Controls in ISO/IEC 27001:2022 Annex A
- sujosutech
- Jul 16
Information Deletion
In this article series, we are analyzing the implementation aspects of the 11 new controls of ISO/IEC 27001:2022 Annex A. The sixth article of the series explores the new technological control 8.10 (Information deletion).

Control
Control 8.10 (Information deletion) defines best practices for deleting information that is no longer required.
Attributes
Implementing this control helps an organization prevent unnecessary exposure of sensitive information and hence protect its confidentiality. It also helps the organization comply with legal and contractual requirements for information deletion.
Implementation
The organization should define processes for deleting sensitive information stored in information systems, devices etc. once it is no longer required. The deletion method (degaussing hard disk drives, cryptographic erasure, physical destruction of devices etc.) should be selected in accordance with business requirements, perceived risks, and relevant laws and regulations. Third-party agreements should include provisions for information deletion in line with the organization's requirements. Logs of information deletion should be maintained as evidence.
For cloud services, the organization should either use the default deletion method provided by the cloud service provider, or request that the cloud service provider delete sensitive information when it is no longer required. Logs may be maintained to verify the secure deletion of information.
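To make the cryptographic erasure and evidence-logging points above concrete, here is an added Go example (not code from the article or from Sujosu Technology): each record is encrypted under its own key held apart from the ciphertext, erasure destroys only the key so the ciphertext left on the medium becomes unrecoverable, and every erasure appends a log entry. The Store type, its methods, the actor name and the record id are assumptions made up for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Store keeps each record's AES-GCM ciphertext (the "medium") apart from its key.
type Store struct {
	keys  map[string][]byte // per-record data-encryption keys; erasure destroys these
	blobs map[string][]byte // 12-byte GCM nonce || ciphertext, left in place after erasure
	Log   []string          // deletion evidence entries, retained as control 8.10 expects
}

func NewStore() *Store { return &Store{keys: map[string][]byte{}, blobs: map[string][]byte{}} }

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here, so neither call can fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

func (s *Store) Put(id string, plaintext []byte) {
	buf := make([]byte, 44) // fresh 32-byte key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		panic(err) // never fall back to a weak key or nonce
	}
	key, nonce := buf[:32], buf[32:]
	s.keys[id], s.blobs[id] = key, gcmFor(key).Seal(nonce, nonce, plaintext, []byte(id)) // id bound as AD
}

// Get fails once the key is gone, even though the ciphertext is still stored.
func (s *Store) Get(id string) ([]byte, error) {
	key, ok := s.keys[id]
	if !ok {
		return nil, fmt.Errorf("record %q unreadable: key erased or unknown", id)
	}
	return gcmFor(key).Open(nil, s.blobs[id][:12], s.blobs[id][12:], []byte(id))
}

// CryptoErase zeroes and discards the key, then appends an evidence entry.
func (s *Store) CryptoErase(id, actor string) error {
	key, ok := s.keys[id]
	if !ok {
		return fmt.Errorf("record %q: no key to erase", id)
	}
	clear(key) // Go 1.21+: overwrite the key bytes in memory before dropping the reference
	delete(s.keys, id)
	sum := sha256.Sum256(s.blobs[id]) // ties the entry to the residual ciphertext
	s.Log = append(s.Log, fmt.Sprintf("%s record=%s method=cryptographic-erasure actor=%s ciphertext_sha256=%x", time.Now().UTC().Format(time.RFC3339), id, actor, sum))
	return nil
}
```

In a real deployment the key store and the evidence log would live in separate, access-controlled systems; here both are in memory only to show the mechanism.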
Artefacts
The contents and implementation of the following security policies and procedures may be impacted by the above control:
Information Classification and Handling Policy – This policy ensures that sensitive information is protected from unauthorized use and disclosure. It helps to facilitate the identification of information to support routine disclosure, active dissemination and deletion when no longer required.
Media Handling Policy – This policy defines the rules for secure handling and disposal of media that contain sensitive information.
Media Disposal Procedure – This describes how media containing sensitive information should be securely disposed of.
Acceptable Use Procedure – This defines how users should delete sensitive information on their systems and mobile devices when it is no longer required.
Security Operating Procedures – Rules for the secure deletion of sensitive information residing on servers and networks may be defined within security operating procedures.
Information Deletion Logs – The logs and records of secure information deletion should be protected and retained for defined time periods.
How Sujosu Technology Can Help
Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include:
Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.
Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks.
Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals.
Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.
With Sujosu Technology's expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation. We also organize webinars and publish insightful articles to create awareness of various aspects of cyber security and data privacy.
Partner with Sujosu Technology
Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.