DSP-16: Data Retention and Deletion

CSF v1.1 References:

Control is new to this version of the control set and incorporates the following items from the previous version: BCR-11: Retention Policy, GRM-02: Data Focus Risk Assessments.

Control Statement

Data retention, archiving and deletion is managed in accordance with business requirements, applicable laws and regulations.

Implementation Guidance

Organizational data retention and deletion practices encompassing both physical and electronic data should be established and implemented.

Auditing Guidance

  1. Examine the organization's procedures, technical requirements and other documentation for the retention, archiving and deletion of data.
  2. Establish whether the organization has documented the roles and responsibilities for this process.
  3. Establish that the organization maintains a source(s) of record of data types, owners, and retention periods. Select a range of entries to establish that the information recorded is correct.
  4. Establish how the organization determines that its retention records are accurate and complete. Establish that the organization has documented its understanding of the extent of its remit in terms of its role as a supplier and the extent of its own supplier's obligations to this requirement.
  5. Confirm that the data retention process meets the organization's requirements as detailed in policy and procedures.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.