Secure deletion of information when no longer needed
Delete data you don't need anymore to reduce risk and comply with laws.
Plain language
This control is about securely deleting information you no longer need, to protect your business from data breaches and to comply with the law. If you keep old or unnecessary data, it could be exposed or stolen, leading to legal troubles or financial loss.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
12 Apr 2026
Maturity levels
N/A
Official control statement
Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
Why it matters
Failing to securely delete unneeded data can lead to data breaches and legal non-compliance, risking penalties and reputational damage.
Operational notes
Regularly review retention schedules and deletion workflows; use verified sanitisation tools and destruction methods for media, and keep evidence of deletion.
Implementation tips
- The IT manager should develop a data retention policy that specifies when information needs to be deleted. This policy should take into account business needs and comply with laws like the Privacy Act 1988.
- The operations team should ensure all systems and applications are configured to automatically delete obsolete data once its retention period ends. Use a secure deletion method appropriate to the media, in line with ISO/IEC 27002:2022 guidance: electronic overwriting is suitable for magnetic disks, but on SSD/flash media overwriting in place does not reliably reach every cell, so use cryptographic erase or the device's built-in sanitise command instead.
- Procurement officers should include data deletion requirements in contracts with third-party services that handle your data. Make sure these agreements specify how and when your data will be deleted.
- HR should train staff on the importance of deleting unnecessary data. Employees should know how to identify data that is no longer needed and how to securely delete it.
- The IT department should verify that any cloud service providers are using acceptable data deletion methods, for example by obtaining the provider's documented sanitisation practice and, where encryption keys are customer-managed, destroying the key as part of deletion. Regularly review these processes to ensure they align with your organisation's data protection policies.
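The retention-schedule, deletion-workflow and evidence-keeping steps above can be tied together in one small job. The script below is an added example, not code from the page or from Control Stack; it assumes a manifest listing each stored object's path, data class and UTC creation time, an assumed retention schedule keyed by data class (`RETENTION_DAYS`), and files on a magnetic disk with a non-copy-on-write filesystem, where overwriting in place is meaningful. Objects whose data class has no schedule are surfaced rather than silently kept or deleted, and each deletion appends one JSON line of evidence (what was deleted, when, by which method, and a hash of the content taken before overwriting). The `demo()` function builds constructed sample files in a temporary directory and runs one cycle.

```python
"""Retention-driven deletion with an evidence log (added example, not from the page).

Assumed: a manifest with each object's path, data class and UTC creation time,
a retention schedule keyed by data class, and files on a magnetic disk with a
non-copy-on-write filesystem. Overwrite-in-place does not reliably reach every
cell on SSD/flash or CoW filesystems; use cryptographic erase or the device's
sanitise command there.
"""
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed retention schedule: data class -> maximum retention in days.
RETENTION_DAYS = {"customer_pii": 365 * 7, "support_tickets": 365 * 2, "web_logs": 90}


def expired(manifest, policy, now):
    """Return (entries past retention, entries with no policy). Unclassified entries
    are surfaced rather than skipped so nothing is kept or deleted undecided."""
    due, unclassified = [], []
    for entry in manifest:
        days = policy.get(entry["data_class"])
        if days is None:
            unclassified.append(entry)
        elif datetime.fromisoformat(entry["created"]) + timedelta(days=days) <= now:
            due.append(entry)
    return due, unclassified


def secure_delete(path):
    """Overwrite the file with random bytes, fsync, unlink. Returns the SHA-256 of
    the original content so evidence can identify the object without retaining it."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:  # 1 MiB chunks so large files do not sit in memory
            chunk = secrets.token_bytes(min(remaining, 1 << 20))
            f.write(chunk)
            remaining -= len(chunk)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return digest


def run_deletion_cycle(manifest, policy, evidence_log, now=None):
    """Delete everything past retention; append one JSON line of evidence per object."""
    now = now or datetime.now(timezone.utc)
    due, unclassified = expired(manifest, policy, now)
    deleted = []
    with open(evidence_log, "a", encoding="utf-8") as log:
        for entry in due:
            record = dict(entry, deleted_at=now.isoformat(),
                          method="overwrite-random-1pass+unlink",
                          sha256_before=secure_delete(entry["path"]))
            log.write(json.dumps(record) + "\n")
            deleted.append(record)
    return deleted, unclassified


def demo():
    """Run one cycle over constructed sample files in a temporary directory."""
    root = tempfile.mkdtemp()
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    samples = [  # (name, data class, age in days): constructed, not real data
        ("old_logs.txt", "web_logs", 120),           # past the 90-day schedule
        ("recent_logs.txt", "web_logs", 10),         # still within retention
        ("cust_2015.csv", "customer_pii", 365 * 8),  # past the 7-year schedule
        ("mystery.bin", "unknown_class", 1000),      # no policy: flagged, untouched
    ]
    manifest = []
    for name, cls, age in samples:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"constructed sample content for " + name.encode())
        manifest.append({"path": path, "data_class": cls,
                         "created": (now - timedelta(days=age)).isoformat()})
    log_path = os.path.join(root, "deletion-evidence.jsonl")
    deleted, unclassified = run_deletion_cycle(manifest, RETENTION_DAYS, log_path, now=now)
    with open(log_path, encoding="utf-8") as f:
        evidence = [json.loads(line) for line in f]
    return {
        "deleted": sorted(os.path.basename(r["path"]) for r in deleted),
        "unclassified": [e["data_class"] for e in unclassified],
        "remaining": sorted(n for n, _, _ in samples if os.path.exists(os.path.join(root, n))),
        "evidence_records": len(evidence),
    }
```

Running `demo()` deletes the two expired objects, leaves the in-retention log file alone, reports `mystery.bin` as unclassified for a human decision, and writes two evidence records. The evidence line is what an auditor asking for "deletion logs" expects to see; keep it on write-once or access-controlled storage so the record of deletion cannot itself be quietly deleted.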
Audit / evidence tips
- Ask: the data retention and deletion policy
  Good: a clear policy aligned with legal and business requirements
- Ask: evidence of data deletion activities, such as deletion logs
  Good: records showing timely and secure deletions
- Ask: contracts with third-party service providers
  Good: contracts with clear data deletion obligations
- Ask: training records for employees on data deletion practices
  Good: regular training sessions on secure data handling and deletion
- Ask: to see the configuration of systems used for storing sensitive data
  Good: secure configurations that ensure automatic and secure deletion processes
Cross-framework mappings
How Annex A 8.10 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
Partially meets (7)

| Control | Notes |
|---|---|
| ISM-0351 | ISM-0351 requires sanitisation of volatile media by removing power for at least 10 minutes |
| ISM-0357 | ISM-0357 mandates a specific secure-erasure technique for non-volatile EPROM media (extended UV exposure, overwrite, and verification) |
| ISM-0359 | ISM-0359 specifies how to sanitise non-volatile flash memory by overwriting it twice with random data and verifying via read-back |
| ISM-1160 | ISM-1160 requires that where degaussing is used as the secure destruction method, the organisation uses NSA-evaluated degaussers to ensur... |
| ISM-1221 | ISM-1221 requires organisations to clear residual information from printers and MFDs, including ensuring no pages are trapped after jams ... |
| ISM-1722 | ISM-1722 addresses secure destruction of electrostatic memory devices via physical destruction techniques to ensure information cannot be... |
| ISM-1723 | ISM-1723 addresses preventing information recovery by requiring physical destruction of magnetic floppy disks using specific approved met... |

Partially overlaps (9)

| Control | Notes |
|---|---|
| ISM-0307 | Annex A 8.10 mandates deletion of unnecessary information |
| ISM-0311 | Annex A 8.10 requires deletion of information when not needed to reduce risk, while ISM-0311 mandates media sanitisation either by remova... |
| ISM-0330 | ISM-0330 requires that before media is reclassified to a lower sensitivity or classification, it is sanitised or destroyed and a formal a... |
| ISM-0371 | ISM-0371 requires supervised handling of media up to the point of destruction and confirmation that destruction completes successfully |
| ISM-0375 | ISM-0375 requires an authorised administrative decision before media (or its waste) can be released publicly after sanitisation, destruct... |
| ISM-0835 | ISM-0835 deals with the residual risk that sanitisation of TOP SECRET volatile media may be insufficient to remove all recoverable inform... |
| ISM-1574 | ISM-1574 requires service agreements to document how data can be migrated and decommissioned without loss, which typically includes speci... |
| ISM-1600 | ISM-1600 requires media to be sanitised before first use so it does not contain unwanted data that could create security or integrity issues |
| ISM-2053 | Annex A 8.10 requires information to be deleted from systems, devices or media when it is no longer required |

Supports (5)

| Control | Notes |
|---|---|
| ISM-0348 | Annex A 8.10 requires organisations to ensure information is deleted when no longer required |
| ISM-0361 | Annex A 8.10 requires secure deletion of unneeded data, while ISM-0361 supports this by specifying the use of rated degaussers for magnet... |
| ISM-0362 | Annex A 8.10 requires deletion of unneeded information |
| ISM-0363 | Annex A 8.10 mandates that unused information be securely deleted, while ISM-0363 requires documented procedures for media destruction, s... |
| ISM-1065 | ISM-1065 requires resetting HPA and DCO on magnetic hard drives before sanitisation so that deletion activities apply to all addressable ... |

Related (4)

| Control | Notes |
|---|---|
| ISM-0317 | Annex A 8.10 requires deletion of information from devices and storage media when it is no longer required |
| ISM-0947 | Annex A 8.10 requires deletion of information from storage media once it is no longer required |
| ISM-1223 | Annex A 8.10 requires organisations to delete information from devices and storage media when it is no longer needed |
| ISM-2021 | ISM-2021 requires system owners to implement and maintain data minimisation practices for each system, limiting collection and storage to... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.