Statement for logs retention periods regarding critical assets
Hi! I would like to know whether in ISO 27001 from 2022 there is a statement for logs retention periods regarding critical assets? I would like to know what are the minimum requirements (meaning minimum time periods) for keeping logs containing critical data.
Assign topic to the user
ISO 27001 does not prescribe retention periods for logs.
To define proper retention periods, you need to perform a risk assessment and identify applicable legal requirements.
In case your risk assessment and requirements do not provide a proper reference, you can try starting with a retention time of one year.
For further information, see:
- Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
Comment as guest or Sign in
Jan 24, 2023