Expert Advice Community

Questions about document management

Guest user Created: Sep 25, 2019 Last commented: Sep 25, 2019

I've purchased the toolkit for ISO 27001 and right now I am going through the various documents.
  1. As far as I understand the offer, the package includes unlimited questions via email, right?
  2. I am looking for areas regarding data retention and the requirements of the ISO 27001 standard. Does ISO 27001 require a definition of "data retention"? I haven't found any control about it, nor a template in the toolkit.
  3. Does ISO 27001 require keeping "Records of erasure"?
  4. Are "Records of erasure" applicable in case of offboarding, or also as part of retention of data? Offboarding employee = Termination of Contract with Employee. That means that as part of the offboarding checklist the access is removed and his laptop is "erased" for reuse by another person. In my understanding, that provides enough evidence that the device/laptop/asset has been erased and satisfies A.11.2. Is that the right understanding?

Expert
Rhand Leal Sep 25, 2019

1. As far as I understand the offer, the package includes unlimited questions via email, right?

As part of our support service, our clients indeed have an unlimited number of questions they can send us via email to clarify their doubts about ISMS implementation and operation.

2. I am looking for areas regarding data retention and the requirements of the ISO 27001 standard. Does ISO 27001 require a definition of "data retention"? I haven't found any control about it, nor a template in the toolkit.

ISO 27001 has some clauses in sections 4 to 10 that require retention of documents and records (e.g. ISMS scope in clause 4.3, ISMS Policy in clause 5.2, results of risk assessment in clause 6.1.2, etc.), and a specific requirement for retention of documents and records in clause 7.5.3 f.

The retention of documents and records is handled in the section "Managing records kept on the basis of this document" of each template, where items like retention time and form of disposal are defined.

For further information, see: Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

3. Does ISO 27001 require keeping "Records of erasure"?

Keeping the evidence that data was erased is mandatory for ISO 27001 only if:
- there are unacceptable risks whose treatment demands such evidence
- there are contracts, laws or regulations you have to follow that demand such evidence
- there is a top management decision demanding such evidence

If none of the above-mentioned situations occurs, then there is no need to keep such evidence.

For further information, please read:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

4. Are "Records of erasure" applicable in case of offboarding, or also as part of retention of data? Offboarding employee = Termination of Contract with Employee. That means that as part of the offboarding checklist the access is removed and his laptop is "erased" for reuse by another person. In my understanding, that provides enough evidence that the device/laptop/asset has been erased and satisfies A.11.2. Is that the right understanding?

I'm assuming that by A.11.2 you are referring to control A.11.2.7 (Secure disposal or reuse of equipment).

Considering that, please note that control A.11.2.7 does not require "Records of erasure" to be kept, but if control A.8.3.2 is applicable (see answer 3), and information on the device is classified as sensitive, the use of an offboarding checklist identifying the erased device and who performed the task is acceptable as an audit trail and as evidence that control A.8.3.2 is implemented.
