Expert Advice Community


Documentation retention period

Guest user | Created: May 28, 2019 | Last commented: May 28, 2019

I'd like to know more about the retention period of a company's information security policy. Is there a standard number of years for this?
Expert
Rhand Leal May 28, 2019

Answer:

ISO 27001 does not prescribe retention periods for documents, but requires an organization to define them, and you can do that based on legal requirements (e.g., contracts, laws, regulations, etc.) the organization must comply with, business needs, and results of risk assessment.

As one example, you can consider that for an ISO 27001 certified ISMS, you must retain obsolete documents at least for as long as the next certification audit is (i.e., a three-year retention period).

This article will provide you further explanation about control of documents:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

This material will also help you regarding control of documents:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
