Questions about document management
- As far as I understand the offer, the package includes unlimited questions via email, right?
- I am looking for areas regarding data retention and requirements from the ISO 27001 standard. Does ISO 27001 require a definition of "data retention"? I haven't found any control about it nor a template in the toolkit.
- Does ISO 27001 require to keep "Records of erasure"?
- Are "Records of erasure" applicable in the case of offboarding or also as part of data retention? Offboarding employee = Termination of Contract with Employee. That means that as part of the offboarding checklist the access is removed and his laptop is "erased" for reuse by another person. In my understanding, that provides enough evidence that the device/laptop/asset has been erased and satisfies A.11.2. Is this the right understanding?
1. As far as I understand the offer, the package includes unlimited questions via email, right?
As part of our support service, our clients indeed have an unlimited number of questions to send us via email, to clarify their doubts about ISMS implementation and operation.
2. I am looking for areas regarding data retention and requirements from the ISO 27001 standard. Does ISO 27001 require a definition of "data retention"? I haven't found any control about it nor a template in the toolkit.
ISO 27001 has some clauses in sections 4 to 10 that require retention of documents and records (e.g. ISMS scope in clause 4.3, ISMS Policy in clause 5.2, results of risk assessment in clause 6.1.2, etc.), and a specific requirement for retention of documents and records in clause 7.5.3 f.
The retention of documents and records is handled in the section "Managing records kept on the basis of this document" of each template, where items like retention time and form of disposal are defined.
For further information, see: Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
3. Does ISO 27001 require to keep "Records of erasure"?
Keeping evidence that data was erased is mandatory for ISO 27001 only if:
- there are unacceptable risks whose treatment demands such evidence
- there are contracts, laws or regulations you have to follow that demand such evidence
- there is a top management decision demanding such evidence
If none of the above-mentioned situations occurs, then there is no need to keep such evidence.
For further information, please read:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
4. Are "Records of erasure" applicable in the case of offboarding or also as part of data retention? Offboarding employee = Termination of Contract with Employee. That means that as part of the offboarding checklist the access is removed and his laptop is "erased" for reuse by another person. In my understanding, that provides enough evidence that the device/laptop/asset has been erased and satisfies A.11.2. Is this the right understanding?
I'm assuming that by A.11.2 you are referring to control A.11.2.7 (Secure disposal or reuse of equipment).
Considering that, please note that control A.11.2.7 does not require "Records of erasure" to be kept, but if control A.8.3.2 is applicable (see answer 3), and the information on the device is classified as sensitive, the use of an offboarding checklist, identifying the erased device and who performed the task, is acceptable as an audit trail and as evidence that control A.8.3.2 is implemented.
Sep 25, 2019