
“8.10 Information deletion” – New controls in ISO/IEC 27002:2022 – Blog series

The ISO/IEC 27002 standard was released in a new guise in 2022 (we reported) and includes some new reference measures (so-called controls), which we will take a closer look at in this blog series.

The new control “8.10 Information deletion” is assigned to the “Technological controls” section of the newly selected structure. This measure addresses the deletion of information and applies to any information, regardless of the specific device or storage medium selected.

Subject and objective of Control 8.10 “Information deletion”

The core of this new reference measure is the deletion of all information on information systems, end devices and data storage devices, even if these are provided by third parties, as soon as the information is no longer required according to company guidelines. Contractual and legal obligations and provisions must continue to be taken into account.

The aim is to minimize the risks of disclosure of this potentially sensitive information in the event of an information security incident or through the improper disposal of physical storage.

Organizational measures and decisions

As an organizational task, companies are faced with the creation of a deletion concept in which the following aspects and questions must be answered.

Companies can create a deletion plan for individual devices, individual applications, and the information processed within those applications. Data can be deleted at different times depending on its information classification. The statutory retention periods, in particular, provide guidance here. However, after the respective statutory period has expired, companies must decide for themselves when data should be deleted because it is no longer required for business processes. When making these decisions, data protection law must also be taken into account where personal data is concerned.

In this context, Control 8.10 cites company-specific, fixed time intervals as a possible solution, or access to information and data resources as practical indicators to justify the classification. It is recommended to conduct a risk analysis beforehand and make the classification decision based on the results.

Requirements for the implementation of deletion

If companies want to securely delete data that was created during ongoing operations but is no longer needed, taking the deletion concept into account, they can approach the problem in the form of an example solution.

At this point, reference should also be made to the new standard requirements “7.10 Storage media” and “7.14 Secure disposal or re-use of equipment”, which largely complement and, in a sense, round off Control 8.10 in its scope. Control 7.14 also describes the requirement to securely delete sensitive data stored on storage media prior to device disposal. Control 7.10 specifically requires compliance with, and conformity to, the company’s own policies for all storage media upon disposal.

Another, if not the central, element of the new reference measure is the selection of the concrete technical solution for the actual secure data deletion.

Technical deletion routines

The standard provides a number of general guidelines for implementing the concrete technical deletion of internal data:

If legal and regulatory requirements and technical feasibility allow, systems should incorporate automated processes for the secure deletion of data. This is likely only possible for a small portion of a company’s information assets, leaving companies with the option of selecting a deletion process deemed secure and applying it manually.
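The organizational part of the control (a deletion concept driven by classification, statutory retention periods, contractual obligations and the "no longer accessed" indicator) can be turned into an automated deletion plan. The following is an added example and not code from the article or from the standard; the classification names, retention periods, record fields and the sample inventory are all constructed for illustration. It decides, for each record, whether the deletion concept calls for deletion today, fails closed (retains) when a legal hold, a statutory period or an unknown classification applies, and records a reason for every decision so the plan can be audited before anything is actually erased.

```python
"""Retention-driven deletion plan evaluator (illustrative, not from ISO/IEC 27002)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical deletion concept: company retention period per classification,
# measured from the creation date, plus an optional inactivity rule that models
# the "access to information" indicator the control mentions.
RETENTION_DAYS = {
    "public": 365,
    "internal": 3 * 365,
    "confidential": 2 * 365,
    "personal": 180,
}
INACTIVITY_DAYS = {"internal": 365, "confidential": 180}


@dataclass
class Record:
    record_id: str
    classification: str
    created: date
    last_accessed: date
    legal_hold: bool = False                       # contractual/legal obligation
    statutory_retention_until: Optional[date] = None  # statutory retention period


@dataclass
class Decision:
    record_id: str
    action: str   # "delete" or "retain"
    reason: str


def evaluate(record: Record, today: date) -> Decision:
    """Apply the deletion concept to one record; retain whenever in doubt."""
    # 1. Contractual or legal obligations override every company rule.
    if record.legal_hold:
        return Decision(record.record_id, "retain", "legal hold")
    # 2. A statutory retention period that has not expired blocks deletion.
    if record.statutory_retention_until and today <= record.statutory_retention_until:
        return Decision(record.record_id, "retain", "statutory retention period")
    # 3. Unknown classification: fail closed and route to manual review.
    if record.classification not in RETENTION_DAYS:
        return Decision(record.record_id, "retain", "unclassified, manual review")
    # 4. Company retention period (fixed interval per classification) expired.
    expiry = record.created + timedelta(days=RETENTION_DAYS[record.classification])
    if today >= expiry:
        return Decision(record.record_id, "delete", f"retention expired on {expiry}")
    # 5. Access indicator: not used for longer than the inactivity limit.
    limit = INACTIVITY_DAYS.get(record.classification)
    if limit is not None and today - record.last_accessed >= timedelta(days=limit):
        return Decision(record.record_id, "delete", f"not accessed for {limit} days")
    return Decision(record.record_id, "retain", "within retention period")


def build_deletion_plan(records, today: date) -> dict:
    """Return {record_id: Decision} for the whole inventory."""
    return {r.record_id: evaluate(r, today) for r in records}


def summarize(plan: dict) -> dict:
    """Count decisions per action, e.g. {'delete': 2, 'retain': 4}."""
    counts = {}
    for decision in plan.values():
        counts[decision.action] = counts.get(decision.action, 0) + 1
    return counts


# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 30)
SAMPLE_RECORDS = [
    Record("r1", "public", date(2023, 1, 1), date(2024, 1, 1)),
    Record("r2", "confidential", date(2023, 9, 1), date(2023, 10, 1), legal_hold=True),
    Record("r3", "personal", date(2024, 3, 1), date(2024, 3, 1),
           statutory_retention_until=date(2030, 12, 31)),
    Record("r4", "internal", date(2022, 1, 15), date(2023, 2, 1)),
    Record("r5", "unknown", date(2020, 1, 1), date(2020, 1, 1)),
    Record("r6", "confidential", date(2024, 1, 1), date(2024, 6, 1)),
]

if __name__ == "__main__":
    plan = build_deletion_plan(SAMPLE_RECORDS, TODAY)
    for d in plan.values():  # audit trail of the plan, reviewed before execution
        print(f"{d.record_id}: {d.action:6s} ({d.reason})")
    print(summarize(plan))
```

The evaluator only produces the plan; the actual erasure step is deliberately separate, because the secure deletion method has to be chosen per storage medium (see Controls 7.10 and 7.14) and the plan should be reviewed and logged before it is executed.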
