As one of the most common information security frameworks in the world, ISO 27001 is used by tens of thousands of organizations worldwide. That means it has to fit a lot of different groups with a lot of different needs.
It also means that there’s a lot of information pertaining to ISO 27001 within each of those companies. Data like the logs of access control systems, the chain of custody for sensitive information, and the results of audits are all stored somewhere.
The question is, what do you need to store, and for how long? What are the record retention requirements for ISO 27001?
As with many elements of ISO 27001, the answer is “it varies.” So, to help you navigate it, we put together this guide.
BLUF - Bottom Line Up Front
ISO 27001, a key global information security framework, requires organizations to create and follow record retention policies to protect confidentiality, integrity, and availability. Policies must define storage, disposal, and handling while adhering to relevant laws, such as GDPR or SOX. Data should be categorized, retained for the necessary period, then securely destroyed. Automation can aid in lifecycle management but requires oversight. Compliance tools, like the Ignyte Assurance Platform, can help manage these processes effectively.
What is Record Retention and Why is it Important to Define?
Let’s start in general terms: what is record retention, and why is it important?
Information security generally revolves around three core pillars, which all need to be balanced for properly secured information. Those pillars are Confidentiality, Integrity, and Availability.
- Confidentiality: The information is safe and secure against unauthorized access or sharing.
- Integrity: The information is kept controlled and free from tampering or unauthorized destruction.
- Availability: The information is accessible to those who need access.
It’s that third one that matters when we’re discussing data retention.
After all, if you want to prevent others from accessing a piece of information, you could do so by destroying it or by encrypting it and throwing away the keys. It can’t be stolen or tampered with if it doesn’t exist, right? But that violates the pillar of availability.
At the same time, there have to be limits. No one needs access control logs from 10+ years ago, and retaining that information is a burden on an organization. Simply sorting through it all, let alone managing ever-growing databases and securing ever-increasing piles of information, is a significant drain.
Records retention is a two-pronged concept: it says two things.
- Information must be retained for a given duration, generally as long as it’s relevant.
- Information past its relevance should be destroyed.
In fact, information beyond a certain age might not just be a burden: it can be a liability. The more data you retain, the more can be stolen in a data breach. The more data you retain, the more privacy can be violated with it. The more data you retain, the more expensive it is to maintain it.
In some cases, you may also be susceptible to legal demands. A FOIA request or a subpoena might demand you hand over records; the more data you have, the more you have to hand over.
If you’re familiar with information security (and you likely are, which is why you’re here), you already know that different kinds of information have different values and different needs. That’s exceptionally true with records retention. Some kinds of information can be discarded as soon as newer information is received. Some might only need to be kept for a year. Others might be under legal requirements to be retained for three years, seven years, or 30 years.
What Are ISO 27001’s Record Retention Requirements?
If you’re operating a business and you’re aiming to earn an ISO 27001 certification, you need to implement all of the security controls throughout the guidelines and develop a robust ISMS. Some of those controls are technical, like cryptographic controls. Others are institutional, like employee awareness and training. And some are operational, like record retention policies.
So, what does ISO 27001 have to say about records retention?
Put simply: “Have a policy and follow it.”
One of the consistent challenges of ISO 27001 compared to frameworks like FedRAMP and CMMC is that, rather than outlining specific controls and policies to implement and check that you’ve done it, ISO 27001 tells you goals to accomplish and leaves it up to you to figure out how best to do so.
It’s this flexibility that makes ISO 27001 both an extremely powerful framework and an extremely complex framework to implement.
ISO/IEC understands that the needs of a business will vary depending on a lot of different factors, including size, operations, location, industry, and more. Therefore, they don’t try to tell you how long to retain records; instead, they tell you that you need to have a records retention policy, and you need to follow that policy, including the destruction of information that has outlived its retention.
The relevant control comes from Annex A, specifically control 5.33. It outlines the protection of records in general, including the core pillars of data handling, as well as topic-specific policies.
Remember, too, that you may not have one general retention policy, but rather a set of policies depending on the types of information you need to retain. Different kinds of information can be subject to different demands from different governing bodies, and need to be retained for different lengths of time.
In more specific terms, ISO 27001 asks you to:
- Establish guidelines and/or processes for record storage, record disposal, record handling and chain of custody, and preventing manipulation of records.
- Establish and maintain a retention schedule for all records, defining the different kinds of records and how long they are to be kept.
- Define a process for record storage and handling that addresses legal, regulatory, and societal expectations for access to those records.
- Establish a secure method for destroying records once their retention period is over.
- Establish definitions of different kinds of data across different categories, based on their security risks.
- Store records in a way that maintains the availability and accessibility of those records to authorized personnel, internal and external.
- Consider, evaluate, and mitigate risks related to digital and electronic records that aren’t present in physical records, such as access to cryptographic keys.
So, bearing all of this in mind, how do you establish a records retention policy for data and information your business handles?
How to Establish Data Retention Policies Under ISO 27001
Now, let’s go through the process you will need to follow to establish your data retention policies.
Categorize Your Data
The first step is to go through the different kinds of data you handle as a business and classify them. These different kinds of data can be subject to different rules and regulations, as well as different statutes and laws, depending on too many factors to list here. You’ll know your industry better than a generalized blog post will, anyway.
Consider types of data such as:
- Customer information
- Employee information
- Company intellectual property
- Business operational data
- Records from vendors, suppliers, and partners
- Healthcare information and medical records
- Educational data and records
- Email and other communication
- Financial and tax records
- Access and change logs
- Security control artifacts
- Auditing results and logs
Each kind of data can have different rules, so it’s important to be thorough.
Do audit records have special requirements in ISO 27001?
The title of this post references audit records specifically, which brings us to a question we frequently receive: What are the data retention rules for audit records?
As far as ISO 27001 is concerned, there are no differences between audit records and other kinds of data. They don’t call out audit records as a specific kind of data with different requirements.
Inasmuch as auditing results and logs will contain a lot of business and employee data, they do need to be handled properly, but they are far from the most demanding data to retain.
Identify Relevant Laws and Regulations
Once you know the kinds of data you’re handling, you need to figure out what laws and regulations apply to that data. Here are some examples you might need to consider.
- The EU’s General Data Protection Regulation, or GDPR. It requires personal data to be kept only as long as necessary for the purpose for which it was collected, and purged as soon as possible afterwards.
- SOX focuses on financial information in publicly traded companies and requires logs to be maintained for seven years.
- PCI DSS, with the most recent version 4.0, sets out record retention rules for payment card information and requires a year of log history.
- The Equal Employment Opportunity law requires employers to keep employee and personnel information for a year, including maintaining records from terminated employees for a year after their termination date.
- The Fair Labor Standards Act requires employers to retain payroll records, sales information, purchase information, and collective bargaining agreements for a minimum of three years.
- The Occupational Health and Safety Act requires that OSHA records be kept for five years, but employee exposure and medical exam records must be kept for a whopping 30 years.
This is just a sampling of the kinds of laws and regulations you need to look into.
What if multiple regulations address the same information with conflicting rules?
In some cases, particularly for international businesses, you might find that laws from different regions or countries apply to data differently. This can even happen within the bounds of the United States, with different state laws applying within their borders.
As far as ISO 27001 is concerned, you need to treat each of these as a minimum unless otherwise specified. If one regulation says to keep information for a minimum of one year, and another says a minimum of three years, you will need to retain records for three years.
You can retain them for longer, but you don’t have to. This is where flexibility, and the above-mentioned “societal expectations” for data handling, come in.
For certain kinds of information (for example, marriage licenses and property deeds), it may be data that should be kept indefinitely.
There are never situations where a law requires you to delete information while another requires you to save it. The closest you come is something like GDPR, requiring that you delete data when it’s no longer necessary, and that doesn’t conflict with other laws.
Define Policies
Now that you’ve determined what kinds of information you have and what laws dictate how long it needs to be kept, you have to develop your company policies to decide how long to keep, and when to destroy, each kind of information.
Fortunately, drafting a policy isn’t difficult. All you need is basic information to fill one out:
- What the information is.
- How long it will be retained.
- How it will be destroyed when the retention period is over.
- Who is responsible for enforcing this policy.
- Penalties for violation of the policy.
- Exceptions to the policy.
This is what a data retention policy can look like.
So, whether it’s personnel records, audit results and logs, access control records, or Controlled Unclassified Information, your policy (or policies) should be available to show how long it is retained and when it is destroyed.
Automation, Auditing, and Lifecycle Management
Some kinds of data can be handled through automation. There exist both dedicated data lifecycle management tools and features within general tools that help with data clutter and retention.
Automation is not necessarily a bad thing here, but it does need to be validated. If an automated tool is ever empowered to destroy data, it needs careful oversight to ensure it never destroys records that need to be saved.
Conversely, whatever tools or methods you use to destroy data must also be validated to make sure the data isn’t still mirrored or stored somewhere else.
All of this will be examined when you undergo your audits, including both internal audits and external audits for ISO 27001.
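As an added example (not code from the post or from Ignyte), the following Python sketches the retention mechanics described above: it resolves conflicting minimums to the longest period, fills in the policy fields listed under “Define Policies”, produces the destruction plan as a dry run so the policy owner can review it, and checks afterwards that disposed records are not still sitting in a mirror or backup. The regulation names, day counts, record ids and store names are constructed assumptions, not legal guidance.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: minimum retention (days) each rule imposes per category; illustrative only.
MINIMUMS = {
    "financial-records": {"SOX": 7 * 365, "internal": 3 * 365},
    "payroll": {"FLSA": 3 * 365, "EEO": 365},
    "access-logs": {"PCI-DSS": 365, "internal": 90},
}

@dataclass
class RetentionPolicy:          # the fields the post lists for a policy
    category: str
    retain_days: int
    basis: str                  # which rule set the retention period
    disposal_method: str
    owner: str                  # who enforces the policy

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False    # an explicit exception to the schedule

def effective_policy(category, disposal_method, owner, minimums=MINIMUMS):
    """Each law is a floor, so conflicting minimums resolve to the longest."""
    basis, days = max(minimums[category].items(), key=lambda kv: kv[1])
    return RetentionPolicy(category, days, basis, disposal_method, owner)

def plan_disposal(records, policies, today):
    """Dry run: return (dispose, keep) ids. Nothing is deleted here; the policy
    owner reviews the plan before any disposal tool acts on it."""
    dispose, keep = [], []
    for rec in records:
        expiry = rec.created + timedelta(days=policies[rec.category].retain_days)
        expired = expiry <= today and not rec.legal_hold
        (dispose if expired else keep).append(rec.record_id)
    return dispose, keep

def verify_destroyed(record_ids, stores):
    """Post-disposal check: ids that still exist in any mirror or backup."""
    return {rid for rid in record_ids for ids in stores.values() if rid in ids}

def demo(today=date(2025, 6, 1)):
    policies = {c: effective_policy(c, "crypto-shred", "Records Officer") for c in MINIMUMS}
    records = [Record("fin-1", "financial-records", date(2015, 1, 1)),
               Record("fin-2", "financial-records", date(2016, 1, 1), legal_hold=True),
               Record("log-1", "access-logs", date(2025, 1, 1)),
               Record("log-2", "access-logs", date(2024, 1, 1))]
    return plan_disposal(records, policies, today)
```

`demo()` returns `(["fin-1", "log-2"], ["fin-2", "log-1"])`: the record under legal hold and the log still inside its PCI DSS year are kept, and `verify_destroyed` flags any id that survives in a backup after disposal.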
Keeping track of all of this can be a pain, so why not try the Ignyte Assurance Platform for assistance? We designed our platform to work with many frameworks, including ISO 27001. You can use it to track compliance with various controls, maintain your records and policies, and ensure enforcement of data retention. All you need to do to get started is give us a call.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.