If you're working towards ISO 27001 certification, creating a data retention policy isn’t just good information security practice—it's a necessity. But what is a data retention policy, why is it important, and how can you develop one that aligns with ISO 27001 requirements?

We'll dissect the role of a data retention policy in the context of ISO 27001 and provide a step-by-step guide to writing one.

Why data retention matters for ISO 27001 compliance

ISO/IEC 27001 is a global information security standard. It offers guidelines to help organizations manage risk and protect sensitive data within an information security management system (ISMS). The standard addresses many aspects of information security, including data retention, to ensure data confidentiality, integrity, and availability. 

Data retention is the process of storing and maintaining data for a specific length of time. Organizations pursuing ISO 27001 compliance must define appropriate data management processes. These include data storage and disposal methods as well as data retention periods. 

In addition to ISO 27001 compliance, proper data retention has several business benefits:

1. Promote data hygiene

Defining processes for creating, maintaining, and deleting data helps organizations prevent duplicate or outdated records. High-quality data improves business processes and leads to better insights and decision-making.

2. Improve and inform incident response

Data retention involves maintaining proper system, network traffic, and user access logs. Complete, reliable logging can help security teams:

• Flag anomalies and suspicious activity
• Understand attack vectors and entry points
• Assess the severity of a data breach
• Determine the scope of any compromised data
• Implement controls to prevent future security incidents

3. Support efficient business operations

A data retention policy ensures that essential data is properly maintained and retained. This supports a variety of critical business operations, allowing organizations to:

• Highlight customer and market trends
• Generate accurate financial reports
• Track company performance
• Support product development
• Develop effective marketing initiatives

4. Protect against accidental data loss

Establishing backup and recovery processes reduces the risk of data loss due to hardware failure, natural disaster, or malicious activity. Regularly testing backup systems and procedures as part of a data retention strategy ensures data can be restored in the event of accidental loss, minimizing downtime and supporting business continuity. 

ISO 27001 data retention requirements

ISO 27001:2022 Annex A 5.33 covers requirements for the “Protection of Records.” (‘Records’ is another term for the data your organization uses for routine business activities.) To be ISO 27001 compliant, organizations must take steps to protect all records against falsification, unauthorized access or release, and loss.

Under the latest revisions to the ISO 27001:2022 standard, organizations are required to:

1. Establish guidelines and/or processes for:

• Record storage
• Record disposal
• Establishing a chain of custody for record handling
• Preventing manipulation of records

2. Maintain a retention schedule for all records. This retention schedule defines how long different types of records will be kept based on their specific business use.

3. Define record storage and handling processes that address:

• Legal and/or regulatory requirements for commercial record keeping
• Societal and customer expectations for how organizations should manage records and personal data

4. Use secure methods to destroy records once the retention period ends.

5. Categorize records based on their security risks, particularly:

• Personnel records
• Legal records
• Accounting records
• Financial transactions

6. Store records in a way that allows them to be retrieved if requested by a third party (internal or external).

7. In the case of electronic records, consider and mitigate the risk of any technological changes that could limit access or recovery (such as keeping cryptographic keys).

8. Follow any manufacturer instructions when maintaining electronic records.

How to write an ISO 27001 data retention policy

Now that we’ve covered requirements, let’s dive into the nuts and bolts of drafting a data retention policy for ISO 27001. 

Step 1: Categorize and classify data

First, you'll need to classify data based on its sensitivity, importance, and legal requirements. Types of data to consider include: 

• Customer data
• Employee data
• Intellectual property 
• Operational data
• Supplier and vendor records
• Healthcare records
• Educational records
• Email and communications records
• Financial and tax records

Step 2: Define data retention requirements for each category

What are your legal, regulatory, or compliance requirements for each type of data?

• Healthcare data may be subject to the Health Insurance Portability and Accountability Act (HIPAA).  Under HIPAA, organizations must maintain records for at least 6 years after they are last in use.
• Organizations serving EU customers may need to comply with GDPR. GDPR requires personal data to be kept only as long as necessary to achieve the purpose for which it was collected.
• E-commerce or financial organizations may need to consider PCI DSS requirements. Cardholder data should be destroyed once it is no longer needed for legal, contractual, or business purposes. PCI compliance documentation, such as audit logs, should be kept for at least one year.

Consult stakeholders from legal, IT/compliance, and executive management to ensure appropriate coverage. Contractual agreements with customers, partners, and third-party vendors may also affect data retention requirements. 

Step 3: Set data retention periods and security methods

Specify how long each type of data needs to be retained and how it will be secured. Security methods can include data anonymization or tokenization, and encryption. 

Step 4: Document a data retention policy and procedures

An ISO 27001 data retention policy should cover how data is managed throughout its lifecycle. Specifics will vary based on your organization's needs, but the policy should include the following key elements:

1. Purpose: Explain the purpose of the policy. Be sure to mention the goal of aligning your organization’s data management practices with ISO 27001 requirements.

2. Scope: Define what data the policy covers. This should include any documents related to your ISMS, as well as any documents required by ISO 27001. Data can range from cloud systems and email documents to specific databases and physical records.

3. Roles and Responsibilities: Explain the roles and responsibilities of those involved in creating, enforcing, and maintaining the policy. Typically this involves Data Owners, Data Custodians, and/or Data Protection Officers.

4. Data Categorization: Explain how you've decided to categorize data. For example, based on sensitivity and importance to the business. These categories will be used to inform decisions about retention periods as well as storage and disposal methods.

5. Data Retention Periods: Specify retention periods for each category of data, making sure to align with any legal, regulatory, contractual, and/or business requirements. You should also explain your reasoning for choosing those retention periods.

6. Data Storage: Explain where and how data will be securely stored during the retention period.

7. Data Disposal: Outline how you will securely dispose of each category of data once the retention period ends. This could involve procedures for secure deletion, and/or physical destruction.

8. Data Protection Measures: Describe the security controls you’ve implemented to protect data at each stage of its lifecycle. These could include user access controls, encryption, anonymization/tokenization, and regular security audits.

9. Policy Review and Updates: State how often you will review and update the policy. (It should be at least annually.)

10. Enforcement: Explain the consequences of non-compliance with the policy. This could involve disciplinary action or contract termination.

11. Exceptions: If there are any exceptions to the policy, they should be clearly stated and explained.

We always recommend involving legal and IT/security professionals when drafting policies to ensure they reflect your actual business practices and align with your compliance goals.

Step 5: Share the policy for review and acceptance

This policy should be made accessible to all relevant personnel and stakeholders for review and acceptance.

Step 6: Monitor, maintain, and update policies and procedures

ISO 27001 requires organizations to continually monitor and improve their data security processes. This includes conducting regular compliance monitoring and internal audits.

Review your data retention policy at least annually to reflect any new legal, regulatory, or contractual requirements.

More free resources for ISO 27001 compliance

Getting ISO 27001 certified can be a daunting and complex process. At Secureframe, it’s our mission to demystify and streamline security compliance for all organizations. 

Our compliance automation platform monitors your cloud infrastructure for compliance, simplifies vendor and personnel management, and automatically collects audit evidence. We also built an ISO 27001 Compliance Hub to walk you through the certification process, and a library of free ISO 27001 policy templates, readiness checklists, and evidence spreadsheets to save you hours of manual work.