Information deletion in ISO 27001 Framework
- Kamalika Majumder | DevOps & ISO 27001 Consultant

- Aug 20, 2025
- 5 min read

In one of my banking projects, data storage size grew from 100 GB to 3 TB within 4 months of going live. And this was just their friends-and-family release, not even the full release, which was planned to onboard 5 million customers.
Another one, a fintech app, had its data storage expense reach 2x its annual revenue. This happened just months after its initial release, before it had even started profiting.
So Should You Delete Your Data?
The short answer: yes, but strategically.
Organisations often focus more on collecting and storing data than they do on securely deleting it. However, information deletion is no longer an afterthought—it is a compliance requirement, a security best practice, and a strategic necessity.
Under ISO 27001:2022, the practice of securely disposing of information has been more explicitly addressed, aligning it with growing regulatory expectations and risk mitigation strategies.
ISO 27001:2022 doesn’t just encourage organisations to safeguard information - it demands that data be retained only as long as necessary and securely deleted when no longer needed.
Control A.8.10 Information Deletion mandates that “information stored in information systems, devices, or in any other storage media should be deleted when no longer required.”
This is not just about cleaning up space; it's about reducing the attack surface, minimising liability, and ensuring compliance with regulatory expectations around data minimisation and retention policies.
Over-retention of information exposes organisations to multiple risks:
- Legal exposure in the event of audits or subpoenas
- Higher impact in case of a breach
- Data mismanagement and integrity issues
- Non-compliance with data protection laws like GDPR, CCPA, or sector-specific mandates
But why does ISO 27001 require information deletion?
At the heart of ISO 27001 lies the principle of minimising risk—not just by protecting information but by ensuring data does not exist unnecessarily. With the release of ISO 27001:2022, Control 8.10 – Information Deletion was introduced to promote deliberate and secure removal of information that is no longer needed.
Here’s why this control is critical in modern security governance:
- Minimising the Attack Surface: Every piece of stored data is a potential target for threat actors. Removing obsolete or redundant data limits what attackers can reach, especially in case of system compromise.
- Reducing Legal and Compliance Risks: Many regulations (e.g., GDPR, CCPA, HIPAA) require organisations to process and retain data only as long as it is necessary. Retaining it beyond that can lead to penalties and reputational damage.
- Supporting Data Lifecycle Hygiene: Deletion enforces discipline in the data lifecycle. Without clear deletion practices, organisations risk accumulating "data debt," leading to inefficiency, confusion, and higher operational costs.
- Aligning with Data Subject Rights: Laws like GDPR grant individuals the “right to be forgotten.” ISO 27001 encourages compliance with such rights by including deletion as part of its security framework.
- Preventing Data Leakage: Unused or forgotten data can end up in unsecured archives, cloud buckets, or backup tapes, increasing the risk of accidental exposure or insider threats.
By requiring organisations to delete information when it's no longer needed, ISO 27001 promotes a leaner, safer, and more accountable approach to information security.
How Should You Delete Data?
Deletion is not as simple as hitting the "delete" key. In an enterprise context, it must be secure, irreversible, and auditable.
Here’s how ISO 27001:2022 recommends approaching deletion:
- Policy-Driven Deletion: Organisations must establish clear data retention and deletion policies aligned with legal, regulatory, and operational requirements. This includes defining retention periods per data type (e.g., financial records, customer data, employee records).
- Secure Erasure: Information should be deleted using secure deletion tools that ensure data is unrecoverable. This may involve overwriting data multiple times (in accordance with NIST SP 800-88 guidelines), using cryptographic erasure, or physically destroying storage media.
- Role-Based Execution: Deletion processes should be carried out by authorised personnel only, as part of change management or data lifecycle governance processes.
- Logging and Audit Trails: Secure deletion should be logged, and the logs should be preserved to demonstrate compliance and traceability in audits.
- Automation and Workflow Integration: For scalability and consistency, deletion processes should be automated and integrated into broader data lifecycle management tools, especially in cloud and hybrid environments.
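As an added example (not the author's code or any ISO tooling), the policy-driven, cryptographic-erasure and audit-trail steps above combined in one small Python retention job: each record is encrypted under its own key, expiry is decided by a per-category retention table, and deletion destroys the key and writes a log entry. The retention periods, record formats and the SHA-256 keystream cipher are constructed for the demo; a production system would use a real KMS and an authenticated cipher.

```python
import hashlib
import os
from datetime import datetime, timedelta, timezone

# Retention per data category (constructed values; real ones come from policy and regulation).
RETENTION_DAYS = {"financial_record": 7 * 365, "customer_data": 2 * 365, "session_log": 90}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Demo keystream cipher: SHA-256(key || block index) XOR data; symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class RecordStore:
    """Per-record keys; deletion destroys the key (cryptographic erasure) and logs it."""
    def __init__(self):
        self.records, self.keys, self.audit_log = {}, {}, []

    def put(self, rec_id, category, created_at, plaintext: bytes):
        if category not in RETENTION_DAYS:  # fail closed: no retention rule, no storage
            raise ValueError(f"no retention period defined for {category}")
        self.keys[rec_id] = os.urandom(32)
        self.records[rec_id] = {"category": category, "created_at": created_at,
                                "ciphertext": keystream_xor(self.keys[rec_id], plaintext)}

    def read(self, rec_id):  # None once the key is gone: the ciphertext is unrecoverable
        key = self.keys.get(rec_id)
        return None if key is None else keystream_xor(key, self.records[rec_id]["ciphertext"])

    def run_retention_job(self, now, actor):
        deleted = []
        for rec_id, rec in list(self.records.items()):
            if rec["created_at"] + timedelta(days=RETENTION_DAYS[rec["category"]]) > now:
                continue  # still within its retention period
            key_fp = hashlib.sha256(self.keys.pop(rec_id)).hexdigest()[:16]
            self.audit_log.append({"ts": now.isoformat(), "actor": actor, "record": rec_id,
                                   "category": rec["category"], "method": "cryptographic_erasure",
                                   "key_fingerprint": key_fp})  # fingerprint only, never the key
            deleted.append(rec_id)
        return deleted


def demo():  # constructed sample: an expired session log beside a live financial record
    now = datetime(2025, 8, 20, tzinfo=timezone.utc)
    store = RecordStore()
    store.put("sess-1", "session_log", now - timedelta(days=120), b"ip=203.0.113.7 user=42")
    store.put("fin-1", "financial_record", now - timedelta(days=400), b"txn=INV-1001 amt=250.00")
    return store, store.run_retention_job(now, actor="retention-job")
```

Note that the ciphertext for `sess-1` is still present after the job; that is the point of cryptographic erasure, and it is why the same key destruction must also cover backups and replicas that hold copies of the key.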
How Much and How Far?
A critical consideration in data deletion is the scope—what data should be deleted and when?
- Business-Need-Driven Retention: Keep data only as long as it serves a legitimate business or compliance purpose. Once that purpose has expired, the data must be removed.
- Data Categories and Sensitivity: Highly sensitive data (e.g., customer credentials, financial records, health data) should have stricter deletion timelines.
- Backup and Redundant Copies: Organisations must ensure that deleted data is also removed from backups, replicas, and other redundant storage locations after retention periods expire.
- Third-Party and Cloud Providers: If your data is stored with third-party service providers, ensure that deletion policies extend to their environments, governed by strong contractual clauses and Service Level Agreements (SLAs).
- Geographical Reach: In multi-region operations, organisations must comply with local data retention laws. For example, the EU’s GDPR may require deletion once a data subject exercises their right to erasure, whereas financial regulations may mandate keeping records for several years.
Regulatory Expectations: Banking, Financial Services & IT
In regulated industries like Banking, Financial Services, and IT, data retention and deletion are governed not only by ISO 27001 but also by domain-specific regulations.
Banking & Financial Services:
- Regulatory bodies like RBI, SEC, and FINRA require certain financial records to be retained for 5 to 10 years.
- After retention periods, these records must be securely deleted to prevent unauthorised access or misuse.
- Institutions are expected to prove they have robust data governance frameworks, including controlled data erasure protocols, especially in case of M&A, application decommissioning, or cloud transitions.
IT and Software Industry:
- For IT service providers and SaaS companies, secure deletion is essential to meeting SLAs, maintaining customer trust, and complying with ISO 27018 or SOC 2.
- Data processed on behalf of customers must be deleted upon contract termination or at the end of a processing activity, as per Data Processing Agreements (DPAs).
- With increasing reliance on public cloud, companies must ensure that cloud providers honour deletion instructions, and that data is erased from all storage nodes and caches.
Summary:
Information deletion under ISO 27001:2022 is not just a technical requirement - it is a strategic shift in how organisations manage data lifecycle.
Instead of endlessly hoarding data, smart enterprises now align with the principle of “right-sizing” their data estate. This reduces costs, limits exposure, and demonstrates maturity in information security practices.
ISO 27001:2022 provides a clear framework for embedding this practice into your information security management system (ISMS).
Whether you’re a bank safeguarding client records, a fintech startup with sensitive APIs, or an IT provider hosting customer data, the rule is the same: retain what you must, delete what you should, and always delete it securely.
Need to get ISO 27001 or SOC 2 compliant, but not sure where to start?
Thanks & Regards
Kamalika Majumder