Does the Retention time mean that all entries related to the ISMS that are in the mail register (in our case our CRM) have to be deleted after X (three) years, or ALL registrations which are older than three years? Moreover, why should you want to delete entries of documents that may still be relevant? I find this document retention situation where mail is concerned very, very confusing.
Answer: The retention time refers to entries related to the ISMS only, and it must be defined considering precisely the time frame during which you consider that the information will be relevant to the organization. For example, if you consider that the information in your incoming mail register will be irrelevant only after 5 years, then you must define the retention time as 5 years. Issues you should consider for defining the retention time are business objectives and contractual or legal clauses.
This article will provide you with further explanation about document control:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/