When you transition from the 2013 version of ISO 27001 to the 2022 update, you’ll notice that some things have simply been moved around. But for Annex A 8.10: Information Deletion, the change is much more significant: it is a brand-new control that didn’t exist in the 2013 version. While the old standard touched on disposing of physical media, it lacked a dedicated requirement for the digital “housekeeping” of information that is no longer needed.
The introduction of A 8.10 reflects a shift in modern cybersecurity. In an era of GDPR and massive data breaches, “data hoarding” is now seen as a major liability. If you don’t have the data, it can’t be stolen. Let’s dive into what this new control requires and how to align your system with the 2022 standard.
The Evolution: Why A 8.10 Was Introduced
In the ISO 27001:2013 standard, data removal was addressed through controls about the physical carrier: A.8.3.2 (Disposal of media) and A.11.2.7 (Secure disposal or re-use of equipment). The focus was the hardware, making sure a hard drive or tape was wiped before being discarded or reissued. Neither control explicitly mandated a process for deleting files and database records inside live systems simply because they were no longer required for business purposes.
In the 2022 revision, ISO consolidated the 114 controls into 93 and grouped them into four themes. Annex A 8.10 was introduced as a Technological Control. According to Hightable.io, this new control addresses the “invisible” risk of over-retention. It shifts the mindset from just securing what you have to proactively destroying what you no longer need.
What Exactly is Annex A 8.10 Information Deletion?
The requirement for Annex A 8.10 is straightforward: “Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.” This includes data on servers, cloud storage, laptops, and even removable media.
The “why” behind this control is twofold:
- Risk Reduction: Minimising the volume of sensitive data reduces the “blast radius” of a potential breach.
- Compliance: It ensures you are meeting legal and regulatory obligations, such as the “Right to Erasure” under GDPR.
Key Requirements of the New 8.10 Control
Since this control is new, organisations must build a process from the ground up rather than just updating an old one. The 2022 standard expects you to move beyond simply hitting “empty recycle bin.” Here is what you need to consider:
- Secure Deletion Methods: Standard deletion often just removes the “pointer” to a file, leaving the actual data on the disk. A 8.10 encourages Secure Overwriting (wiping), Cryptographic Erasure (deleting the encryption keys), or Physical Destruction for media at end-of-life.
- Cloud Data Deletion: You must ensure that deletion requirements extend to your cloud environments. According to Hightable.io, verifying that a cloud provider has actually deleted your data, not just “hidden” it, is a common point of audit scrutiny.
- Backups and Residue: Deletion isn’t complete if the data still lives in a legacy backup or a temporary cache. You need to consider how your deletion policy interacts with your Information Backup (A 8.13) procedures.
- Verification and Evidence: You cannot just tell an auditor that you delete data; you must prove it. This might include logs from automated deletion scripts or Certificates of Destruction from third-party vendors.
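The Secure Deletion Methods and Backups and Residue bullets above interact in a useful way: if every record is encrypted under its own key and the key store is kept out of the backup set, cryptographic erasure deletes the record from every backup at once, without touching the backup media. The following is an added example, not code from the original page or from Hightable.io; it uses a stand-in cipher (HMAC-SHA256 keystream in counter mode, so it runs with the Python standard library alone) in place of the AES-GCM a real system would use, and the record IDs and key store are assumed for illustration.

```python
"""Cryptographic erasure walkthrough (added example, standard library only).

Each record gets its own data-encryption key (DEK) that lives only in the
key store; primary storage and every backup snapshot hold ciphertext.
Destroying the DEK makes all copies unreadable, including backups that
were never rewritten. The cipher below is a stand-in for AES-GCM: it has
no integrity protection and exists only so the example runs offline.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class RecordStore:
    """Primary store plus immutable backup snapshots; keys live only in .keys."""

    def __init__(self) -> None:
        self.keys = {}      # record_id -> DEK; deliberately never backed up
        self.data = {}      # record_id -> ciphertext
        self.backups = []   # snapshots of self.data, never modified afterwards

    def put(self, record_id: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)
        self.keys[record_id] = dek
        self.data[record_id] = encrypt(dek, plaintext)

    def snapshot_backup(self) -> None:
        self.backups.append(dict(self.data))

    def read(self, record_id: str) -> bytes:
        return decrypt(self.keys[record_id], self.data[record_id])

    def crypto_erase(self, record_id: str) -> None:
        # Destroying the key is the erasure; ciphertext left in primary
        # storage or in backups is now unreadable by anyone.
        del self.keys[record_id]
        self.data.pop(record_id, None)

    def can_recover(self, record_id: str) -> bool:
        """True only while a DEK exists for some surviving ciphertext."""
        if record_id not in self.keys:
            return False
        return record_id in self.data or any(record_id in b for b in self.backups)


def demo() -> dict:
    """Lifecycle of one HR record; the record content is constructed sample data."""
    store = RecordStore()
    record = b"Jane Doe, employee 1042, salary 54000"
    store.put("emp-1042", record)
    store.snapshot_backup()                  # nightly backup while the record is live
    readable_before = store.read("emp-1042") == record
    recoverable_before = store.can_recover("emp-1042")
    store.crypto_erase("emp-1042")           # retention period reached
    backup_copy = store.backups[0]["emp-1042"]
    return {
        "readable_before": readable_before,
        "recoverable_before": recoverable_before,
        "backup_still_holds_ciphertext": len(backup_copy) > 0,
        "plaintext_visible_in_backup": b"Jane Doe" in backup_copy,
        "recoverable_after": store.can_recover("emp-1042"),
    }
```

The evidence an auditor would want here is the key store's deletion log, not a scan of the backup media. The technique only holds if the DEKs (or the key-encryption key that wraps them) are excluded from the backup set and have their own retention policy; a backup of the key store quietly undoes every erasure.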
The Role of Attributes in Annex A 8.10
A major feature of the ISO 27001:2022 update is the use of “Attributes.” These help you categorise the control’s function. For Annex A 8.10, the attributes are:
| Attribute | Value |
|---|---|
| Control Type | Preventive |
| Information Security Properties | Confidentiality |
| Cybersecurity Concepts | Protect |
| Operational Capabilities | Information Protection; Legal and Compliance |
| Security Domains | Protection |
Practical Steps for Compliance
Transitioning to the 2022 standard requires integrating deletion into your daily operations. Hightable.io suggests that the most successful implementations are those that automate the process where possible.
- Define Retention Periods: Align your deletion policy with your Information Classification (A 5.12). How long do you legally need to keep HR files versus marketing logs? Record the exceptions too: a legal hold or an open investigation must pause deletion for the affected records, and the policy should say who can place and lift a hold.
- Automate Deletion: Use the retention features of the platforms you already run, such as retention policies in Microsoft 365 (Purview) or S3 Lifecycle expiration rules in AWS, to purge files that have exceeded their retention date. Check the edge cases: on a versioned S3 bucket an expiration rule only adds a delete marker to the current version, so a separate noncurrent-version expiration rule is needed before the data is actually gone.
- Select Appropriate Methods: Match the method to the media. Overwriting software is reliable for magnetic disks, but on SSDs wear levelling means an overwrite may never reach every block, so use the drive's built-in sanitize command (ATA Secure Erase, NVMe Sanitize) or cryptographic erasure instead; NIST SP 800-88 is the usual reference for choosing. If storage is already encrypted, destroying the key renders the data unreadable in seconds.
- Audit Your Vendors: If a third party manages your data, check your contracts. Do they guarantee secure deletion, including of backups and replicas? Do they state how long deleted data persists before it is purged? Can they provide evidence of deletion on request?
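As an added example of the Define Retention Periods, Automate Deletion and Verification and Evidence steps together (not code from the original page or from Hightable.io), the script below applies a per-class retention schedule to a directory tree, overwrites and unlinks expired files, and writes one hash-chained JSON line per deletion so the evidence log is tamper-evident. The class names, retention periods, folder layout and the use of file mtime as the record date are all assumptions for illustration; a production job would take record dates from an inventory and check legal holds first.

```python
"""Retention-driven purge with a tamper-evident evidence log (added example).

Assumptions (illustrative): files live under a root whose top-level folder
names are information classes; retention per class is RETENTION_DAYS; the
file's mtime stands in for the record's business date.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RETENTION_DAYS = {"hr": 7 * 365, "marketing_logs": 90, "temp": 1}  # assumed schedule
GENESIS = "0" * 64


def find_expired(root: Path, now: datetime) -> list:
    expired = []
    for cls, days in RETENTION_DAYS.items():
        folder = root / cls
        if not folder.is_dir():
            continue
        cutoff = now - timedelta(days=days)
        for p in folder.rglob("*"):
            if not p.is_file():
                continue
            record_date = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if record_date < cutoff:
                expired.append((p, cls, record_date))
    return expired


def overwrite_and_unlink(path: Path) -> None:
    # Single-pass random overwrite, then unlink. Adequate for HDDs on plain
    # filesystems; on SSDs and copy-on-write/journaling filesystems old blocks
    # may survive, so prefer crypto-erase or the drive's sanitize command there.
    size = path.stat().st_size
    with open(path, "r+b", buffering=0) as f:
        f.write(os.urandom(size))
        os.fsync(f.fileno())
    path.unlink()


def _last_hash(log_path: Path) -> str:
    if not log_path.exists():
        return GENESIS
    lines = log_path.read_text().splitlines()
    return hashlib.sha256(lines[-1].encode()).hexdigest() if lines else GENESIS


def purge(root: Path, log_path: Path, now: datetime) -> list:
    """Delete expired files; append one hash-chained JSON line per deletion."""
    deleted, prev = [], _last_hash(log_path)
    with open(log_path, "a") as log:
        for path, cls, record_date in find_expired(root, now):
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            overwrite_and_unlink(path)
            entry = {
                "ts": now.isoformat(),
                "path": path.relative_to(root).as_posix(),
                "class": cls,
                "retention_days": RETENTION_DAYS[cls],
                "record_date": record_date.isoformat(),
                "sha256_before": digest,      # identifies what was destroyed
                "method": "overwrite+unlink",
                "verified_absent": not path.exists(),
                "prev": prev,                 # hash of the previous log line
            }
            line = json.dumps(entry, sort_keys=True)
            log.write(line + "\n")
            prev = hashlib.sha256(line.encode()).hexdigest()
            deleted.append(entry["path"])
    return deleted


def verify_log(log_path: Path) -> bool:
    """Auditor check: every entry must chain to the hash of the one before it."""
    prev = GENESIS
    for line in log_path.read_text().splitlines():
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True


def demo() -> dict:
    """Constructed inventory (path -> age in days) purged at a fixed run time."""
    root = Path(tempfile.mkdtemp())
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    samples = {"hr/contract_2015.pdf": 9 * 365, "hr/contract_2022.pdf": 2 * 365,
               "marketing_logs/web_2024-07.log": 180,
               "marketing_logs/web_2024-12.log": 10, "temp/export.csv": 3}
    for rel, age in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content for " + rel.encode())
        ts = (now - timedelta(days=age)).timestamp()
        os.utime(p, (ts, ts))
    log_path = root / "deletion_evidence.jsonl"
    deleted = purge(root, log_path, now)
    remaining = sorted(p.relative_to(root).as_posix()
                       for p in root.rglob("*") if p.is_file() and p != log_path)
    return {"deleted": sorted(deleted), "remaining": remaining,
            "log_valid": verify_log(log_path)}
```

Running `demo()` removes the three files past their class retention (the nine-year-old HR contract, the 180-day-old marketing log and the three-day-old temp export) and leaves the rest. The log records a hash of each file before destruction, the method used and a post-deletion existence check, which is the kind of artefact an auditor can sample; the hash chain means a later edit to any line is detectable by `verify_log`.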

Why the Change Matters
The addition of Annex A 8.10 recognises that in the modern world, information has a shelf life. By forcing organisations to address the end-of-life of data, ISO 27001:2022 helps prevent the accumulation of “dark data”: information that serves no business purpose but carries significant security and privacy risk.
Final Thoughts on the Transition
The jump from the 2013 version to the 2022 version’s Annex A 8.10 is a positive step toward more mature data management. It might feel like extra work initially, but it actually simplifies your security landscape in the long run. As Hightable.io highlights, “If you don’t have the data, you don’t have the risk.” By mastering Information Deletion, you are protecting both your customers and your company’s reputation.
