Data Retention in ISO 27001 Compliance

Data retention plays a crucial role in ISO 27001 compliance, ensuring that organisations securely manage information while meeting legal, business, and regulatory requirements.

From compliance data to logs, defining retention periods and implementing robust processes for storage, monitoring, and eventual disposal is essential for maintaining both security and efficiency.

Various organisations, especially those in the Financial Services industry such as Banks, require data especially those related to transaction processing, logs etc to be stored and retained for 2-5 years. And with the rise of digital transactions in the post pandemic world have added some notable questions that need to be addressed:

• How long should compliance data be retained?
• How long should logs be retained?
• What is data retention in logging & monitoring?
• How to protect the data retained?

Let’s address these key aspects of data retention for ISO 27001 compliance, focusing on how long data and logs should be retained, the role of data retention in logging and monitoring, and considerations for data protection within AWS Audit Manager.

What is Data Retention in ISO 27001?

Data retention refers to the policies and practices governing how long data is stored, how it is handled, and how it is eventually disposed of. In ISO 27001, these policies ensure that information is protected against unauthorised access, alteration, or destruction while meeting business and legal requirements. Although ISO 27001 2022 version does not have a specific Data retention control, however Annex-A controls 8.10, 8.13 and 8.15 require that:

• Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
• Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
• Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.

How Long Should Compliance Data Be Retained?

The retention period for compliance data depends on regulatory, contractual, and business-specific requirements. While ISO 27001 itself does not prescribe specific retention periods, it mandates that organisations determine retention based on the following:

1. Legal and Regulatory Requirements: Industries such as finance, healthcare, and telecommunications often have strict data retention regulations. For example:
2. Business Needs: Certain operational needs, such as audits or dispute resolution, may necessitate longer retention periods for specific datasets.
3. Risk-Based Approach: Retaining data beyond its useful life can increase risks and costs. Organisations should identify and document the rationale for retention periods within their information security management system (ISMS).

How Long Should Logs Be Retained?

Logs are a cornerstone of ISO 27001 compliance, providing evidence of activities and supporting incident response. The retention period for logs typically depends on factors such as:

1. Regulatory Requirements: In some cases, regulations mandate specific log retention periods. For example:
2. Security and Monitoring Needs: Logs should be retained long enough to:
3. Industry Best Practices: Many organisations retain logs for 90 days to one year for operational monitoring and analysis, with archived storage for longer periods if needed.
4. Storage Costs: Log retention policies should balance security needs with storage costs, leveraging archival solutions for long-term retention.

Data Retention in Logging and Monitoring

Logging and monitoring are critical components of an ISO 27001-compliant ISMS, providing the visibility needed to detect, respond to, and mitigate threats. Data retention policies in this context must address:

1. Centralised Log Management: Use a Security Information and Event Management (SIEM) solution to collect and store logs centrally.

Define retention periods for various log types (e.g., application logs, system logs, access logs) based on their relevance and compliance requirements.

2. Automated Archiving: Implement automated processes to archive older logs securely. Use encryption to protect archived logs from unauthorised access.

3. Real-Time Monitoring: Retain real-time logs for short-term analysis (e.g., 30-90 days). Periodically review retention policies to ensure they align with evolving threats and compliance needs.

4. Auditable Trail:

Maintain an auditable trail of log retention and deletion activities to demonstrate compliance with ISO 27001 and other standards.

Why is Data Retention Critical?

1. Avoiding Data Breaches: Retaining data longer than necessary increases the attack surface for cybercriminals. Proper retention policies minimise this risk by ensuring only essential data is stored.
2. Cost Efficiency: Storage and management of large datasets can become prohibitively expensive. Retention policies reduce storage costs by archiving or deleting obsolete data.
3. Regulatory Compliance: Many industries have stringent data retention and disposal regulations. Non-compliance can lead to hefty fines and reputational damage.
4. Stakeholder Trust: Demonstrating robust data governance fosters trust among clients, partners, and regulators.

Challenges in Implementing Data Retention Policies

While the benefits are clear, implementing data retention policies is not without hurdles:

• Legacy Systems: Older systems may lack the flexibility to enforce modern retention policies.
• Unstructured Data: Identifying retention periods for unstructured data like emails and documents can be complex.
• Multi-Cloud Environments: Managing retention across diverse platforms introduces additional challenges.

Steps to Develop an Effective Data Retention Policy

To overcome these challenges, organisations should follow a structured approach:

1. Data Inventory: Conduct a comprehensive inventory of all data assets, noting where they reside and their relevance.
2. Classification: Categorise data based on sensitivity, regulatory requirements, and business value.
3. Legal and Business Requirements: Align retention periods with applicable laws, industry standards, and organisational needs.
4. Policy Implementation: Leverage automation to enforce retention schedules and ensure consistent adherence.
5. Review and Audit: Regularly review retention policies to ensure they remain relevant and effective.

Tools and Technologies to Support Compliance

AWS Audit Manager is a powerful tool for automating audit readiness and managing compliance data. To ensure data protection while meeting retention requirements:

1. Retention Configuration: Define retention policies for assessments, reports, and evidence collected within AWS Audit Manager. Use tagging to classify data and apply retention policies based on categories.
2. Secure Storage: Store assessment data in secure AWS services such as S3, with encryption at rest and in transit. Leverage AWS Key Management Service (KMS) for managing encryption keys.
3. Access Control: Implement role-based access controls (RBAC) to restrict access to compliance data. Use AWS Identity and Access Management (IAM) policies to enforce the principle of least privilege.
4. Lifecycle Policies: Apply S3 lifecycle policies to automate data movement between storage tiers (e.g., Standard to Glacier for archival purposes). Ensure data is deleted securely at the end of its retention period.
5. Continuous Monitoring: Use AWS CloudTrail to log API activity related to AWS Audit Manager. Integrate with AWS Security Hub for centralised monitoring and reporting.

In addition, several technologies can aid in the effective implementation of data retention policies:

• Data Loss Prevention (DLP) Solutions: Identify and protect sensitive data across systems.
• Automated Archival Systems: Simplify the archival and retrieval of data.
• SIEM Platforms: Integrate retention policies with security monitoring and reporting tools.
• Data Governance Platforms: Centralize policy management and ensure compliance across hybrid environments.

Summary:

To comply with ISO 27001, organisations must:

• Define Retention Policies: Clearly outline how long specific categories of data should be retained based on business needs and regulatory requirements.
• Document Policies: Include retention requirements in the Statement of Applicability (SoA) and align them with identified risks.
• Ensure Secure Disposal: Implement mechanisms to securely delete or archive data once the retention period ends.

By addressing these requirements, organisations can mitigate risks such as data breaches, regulatory penalties, and excessive storage costs.

Consider a financial services firm that faced skyrocketing storage costs and compliance challenges. By implementing ISO 27001-aligned retention policies, they:

• Reduced storage costs by 35% through efficient data archiving.
• Enhanced compliance with regulations like GDPR and CCPA.
• Strengthened customer trust by demonstrating transparent data governance.

While retaining compliance data and logs is essential, excessive retention can increase storage costs and data breach risks. To strike a balance:

• Regularly assess which data is still relevant for compliance and operational needs.
• Implement automated data deletion for logs and compliance records that exceed their retention period.
• Train employees on data retention policies to minimise accidental mismanagement.

I hope this article can help you answer some of the your security and compliance needs.

Do like 👍 and share ♻ it in your network and follow Kamalika Majumder for more.

Need to get ISO 27001 compliant ASAP, and have no clue where to start?

Book a Free Consultation Now.

Thanks & Regards

Kamalika Majumder