Control Definition
Once information has outlived its business or legal purpose, organizations must remove it from everywhere it lives — applications, systems, devices, and every other form of storage media — rather than letting it accumulate indefinitely.
Control Objective
To prevent unauthorized disclosure of information through improper disposal and ensure data is irrecoverably deleted when retention periods expire or systems are decommissioned.
What This Really Means
Information deletion means permanently and irrecoverably removing data when you no longer need it—whether from hard drives, SSDs, cloud storage, backup tapes, mobile devices, or paper documents. Simple file deletion or formatting isn't enough; deleted files can be recovered using forensic tools unless properly sanitized.
Think of it like shredding confidential documents. You don't just throw them in the trash—you use a cross-cut shredder that makes reconstruction impossible. Digital data requires the same treatment: cryptographic erasure, data wiping tools that overwrite storage multiple times, or physical destruction of media.
This control requires you to know what data you have, where it's stored, when retention periods expire, and how to securely delete it using methods appropriate to the sensitivity level. It also covers decommissioning systems, disposing of old hardware, returning leased equipment, and ensuring data isn't recoverable from devices sold, donated, or sent for recycling. The principle: data should only exist as long as legally or business-required, then be permanently destroyed.
Why It Matters
Improper data disposal is a leading cause of data breaches. Hard drives sold on eBay, cloud storage left active after project completion, and backup tapes in dumpsters have exposed millions of records. Even "deleted" data can be recovered and exploited.
Without proper information deletion practices, organizations face:
- •Data Breaches from Disposed Hardware – Hard drives, laptops, servers, copiers, and mobile devices sold or recycled without proper wiping expose customer data, credentials, and intellectual property
- •Regulatory Violations and Fines – DPDPA, GDPR, and data protection laws mandate data deletion upon retention expiry or user request; failure results in significant penalties
- •Increased Attack Surface – Retaining unnecessary data (old backups, archived emails, dormant databases) expands the scope of potential breaches and compliance audits
- •Legal Discovery Risks – Data that should have been deleted can be subpoenaed in litigation, exposing the organization to legal liability and increased legal costs
Indian organizations face DPDPA requirements for data deletion upon consent withdrawal and retention period expiry, making this control critical for compliance.
Implementation Guidance
Establish Data Retention Schedule and Deletion Policies
Document retention periods for each data category—customer records, employee records, financial and accounting data, log files—mapped to the specific legal, regulatory, contractual, and business requirements that apply to you (company law, tax law, labor law, and sector rules each impose their own periods, so have legal counsel validate the schedule). Define when data must be deleted, who approves deletion, and what methods to use. Review annually.
Implement Secure Data Wiping for Storage Media
Use certified data sanitization tools (DBAN, Blancco, BitRaser) that overwrite data in line with recognized sanitization guidance such as NIST SP 800-88, and verify completion. For SSDs and flash storage, use manufacturer's Secure Erase commands or encrypt drives and destroy keys. Never rely on quick format or file deletion alone.
Deploy Cryptographic Erasure for Encrypted Storage
For encrypted volumes, simply destroying the encryption key renders data irrecoverable without needing to wipe every block. Use this for cloud storage (AWS EBS, Azure disks), encrypted databases, and mobile devices. Ensure keys are stored in separate key management systems and deleted from all locations including backups.
Establish Physical Destruction Procedures for End-of-Life Media
For highly sensitive data or when wiping isn't practical, physically destroy storage: shred hard drives using industrial shredders, degauss magnetic media, or use certified e-waste disposal vendors (document chain of custody and obtain destruction certificates). Never throw storage media in regular trash.
Automate Cloud and SaaS Data Deletion with Lifecycle Policies
Configure automatic deletion policies in cloud services: AWS S3 lifecycle rules to delete objects after N days, Azure Blob lifecycle management, Google Cloud retention policies. For SaaS apps (Google Workspace, Microsoft 365), enable auto-delete for inactive users, purge deleted items after 30-90 days, and schedule periodic data reviews. Document all policies.
Implement Secure Deletion for Databases and Application Data
For database records, don't just mark as deleted—run TRUNCATE or DELETE with subsequent VACUUM operations to reclaim space. For sensitive fields, overwrite with random data before deletion. Implement application-level deletion workflows that propagate to all systems (primary DB, replicas, caches, search indexes). Test that data is truly gone, not just hidden.
Handle Backup and Archive Deletion Systematically
Backups are often forgotten—implement automated expiration for backup retention (daily: 7 days, weekly: 4 weeks, monthly: 12 months). When deleting production data, schedule corresponding backup deletion after retention expires. For tape backups, maintain inventory and shred tapes when retention ends. Never assume old backups are harmless—they contain PII subject to DPDPA.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.8.10:
Documentation
- Data Retention and Deletion Policy defining retention periods and deletion methods
- Data classification inventory mapping data types to retention requirements
- Secure deletion procedures for different media types (HDD, SSD, cloud, mobile)
- Vendor contracts and certificates of destruction from e-waste disposal companies
- Deletion logs or records showing when data was deleted, by whom, and using what method
Interviews
- IT administrators about data sanitization tools and procedures used
- Data Protection Officer or legal team about retention schedules and compliance requirements
- Asset disposal coordinator about hardware decommissioning and destruction processes
Observations
- Review of data wiping tool configurations and deletion logs from software
- Physical inspection of destroyed hardware or certificates from destruction vendors
- Demonstration of cloud lifecycle policies showing automated deletion rules
- Testing data recovery on "deleted" test data to verify proper sanitization
Practitioner Insights
I once audited a company that sold 50 old laptops to employees at a discount. When we booted one randomly, we found the previous user's Outlook mailbox intact—10,000 emails including customer contracts and financial data. The IT team claimed they "deleted the files" but never actually wiped the drives. Always test your deletion procedures by attempting data recovery yourself before declaring success.
Cloud data deletion is tricky because of backups, snapshots, and replicas across regions. I've seen organizations delete S3 buckets but forget about cross-region replication or CloudFront caches. When deleting cloud data, you must identify ALL locations: primary storage, backups, snapshots, geo-replicas, CDN caches, and service logs. Use cloud inventory tools to map dependencies before deletion.
Common Challenges & Solutions
Challenge
Employees take old company laptops home after replacement without proper data wiping.
Solution
Implement mandatory asset return policy—no exceptions. Before handing over devices, IT must wipe drives using certified tools (DBAN, Blancco) and provide employees a fresh OS installation. For high-risk roles (finance, HR), physically destroy drives and provide new devices. Maintain asset tracking to ensure all devices are accounted for.
Challenge
Legal hold requirements conflict with data retention policies—data should be deleted but can't be due to litigation.
Solution
Implement legal hold procedures that suspend normal deletion for specific data sets under litigation or investigation. Maintain a legal hold register tracking what's preserved, why, and for how long. Require legal approval before resuming deletion. Use e-discovery platforms (Relativity, Exterro) to manage holds across multiple systems.
Challenge
Cloud backups and snapshots accumulate indefinitely because nobody monitors them, increasing costs and risk.
Solution
Audit cloud accounts quarterly for orphaned resources: unattached EBS volumes, old AMI snapshots, RDS backups, blob storage archives. Implement tagging policies that require expiration dates on all backups. Use cloud cost management tools (AWS Cost Explorer, Azure Cost Management) to identify expensive old storage. Set automated deletion policies.
Challenge
Employees store sensitive data on personal devices, USB drives, and cloud accounts that IT can't track or delete.
Solution
Implement DLP (Data Loss Prevention) to block copying sensitive data to unauthorized locations. Use endpoint protection that can remotely wipe corporate data from BYOD devices (Intune, VMware Workspace ONE). Educate employees about acceptable use and consequences of shadow IT. Conduct periodic audits of file sharing permissions.
Challenge
Third-party vendors and service providers store our data—we don't know if they delete it when contracts end.
Solution
Include data deletion clauses in all vendor contracts: "Provider must securely delete Customer data within 30 days of contract termination and provide written certification." Request deletion certificates. For critical vendors, require deletion to be verified through audit rights. Maintain a vendor data inventory tracking what data each vendor holds.
