Information Deletion

One of the most well-known information deletion stories is related to a motion picture.

The ISO 27001 standard requirement regarding information deletion is as follows: „Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.” (A8.10)

This control has two key terms:

  • „deleted” means making content inaccessible, but this simple-sounding action has several aspects to consider:
    • whether deletion is actually needed, or whether removing access rights serves the objective better
    • when plain erasure is enough and when secure wiping is needed
    • where the data resides (for example, if GDPR requires deletion of the data, it requires deletion of every instance of it, including backups)
  • „when no longer required” means at exactly that time, because deviating in either direction can be painful:
    • deleting too early is painful when there is no adequate (recovery-tested) backup to restore from
    • erasing too late leaves data in existence that should already be gone (e.g. customer data that should have been erased gets stolen and published).
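As an added illustration (not part of the original post or of the standard), a small Python check that applies the two points above to a data set held in several places: it reports whether deletion would be early, is complete, or is overdue, lists every copy that still exists, backups included, and notes whether a recovery-tested backup exists to fall back on. The data model, field names and sample records are constructed.

```python
# Added illustration; data model and sample records are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Instance:
    location: str                  # where a copy lives (constructed names)
    kind: str                      # "primary", "replica" or "backup"
    recovery_tested: bool = False  # meaningful for backups only
    deleted: bool = False

@dataclass
class DataSet:
    name: str
    created: date
    retention_days: int            # how long the data is required
    instances: list = field(default_factory=list)

    def required_until(self) -> date:
        return self.created + timedelta(days=self.retention_days)

def deletion_status(ds: DataSet, today: date) -> dict:
    """Classify one data set against A8.10: still required, fully deleted or
    overdue; which instances (backups included) still hold it; and whether an
    early deletion could be recovered from a recovery-tested backup."""
    remaining = [i.location for i in ds.instances if not i.deleted]
    deadline = ds.required_until()
    if today < deadline:
        timing = "still_required"  # deleting now would be early
    elif remaining:
        timing = "overdue"         # copies exist that should no longer exist
    else:
        timing = "deleted"
    tested_backup = any(i.kind == "backup" and i.recovery_tested and not i.deleted
                        for i in ds.instances)
    return {
        "timing": timing,
        "remaining_instances": remaining,
        "overdue_days": (today - deadline).days if timing == "overdue" else 0,
        "early_deletion_recoverable": tested_backup,
    }

# Constructed sample: primary and replica purged, one backup copy forgotten.
CUSTOMER_EXPORT = DataSet(
    name="customer-export", created=date(2023, 1, 1), retention_days=365,
    instances=[
        Instance("prod-db", "primary", deleted=True),
        Instance("dr-replica", "replica", deleted=True),
        Instance("tape-2023-06", "backup", recovery_tested=True),
    ],
)
```

Running `deletion_status(CUSTOMER_EXPORT, date(2024, 5, 2))` flags the forgotten tape copy as overdue: the primary was purged on time, but the control is only satisfied once every instance is gone.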
02/05/2024