Statement for logs retention periods regarding critical assets
Hi! I would like to know whether in ISO 27001 from 2022 there is a statement for logs retention periods regarding critical assets? I would like to know what are the minimum requirements (meaning minimum time periods) for keeping logs containing critical data.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 does not prescribe retention periods for logs.
To define proper retention periods, you need to perform a risk assessment and identify applicable legal requirements.
In case your risk assessment and requirements do not provide a proper reference, you can try starting with a retention time of one year.
For further information, see:
- Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
Comment as guest or Sign in
Jan 24, 2023