ISO 27001

ISO 27001 is the international standard for an Information Security Management System (ISMS). Certification against it confirms that an organisation has designed and operates a management system for identifying, treating and monitoring information security risks. The main advantage of certification is that an organisation can show its customers independent assurance, rather than a self-declaration, that their information is handled securely: an accredited third-party certification body has audited the organisation's policies, procedures and controls and found them compliant with ISO 27001. Note that certification attests to the management system and its risk treatment, not that every system is free of weaknesses, so customers should still check the scope of the certificate covers the services they actually use.

ISO 27001 is an internationally recognised standard that is suitable for almost any type of organisation: for-profit or non-profit, large or small, government bodies as well as large international corporations. The risk assessment and controls it requires help an organisation manage a wide range of threats, such as:

  • Cybercrime
  • Internal data theft
  • Misuse of personal information
  • Malware attacks
  • Ransomware and extortion over data
  • Terrorist attacks
  • Loss of data

ISO 27001 Data Retention Policy

An ISO 27001 Data Retention Policy is an important step in managing and securing an organisation's sensitive data and in avoiding the penalties that can arise from poor data handling, such as keeping personal data longer than the law allows or destroying records that must be preserved.

The Importance of a Data Retention Policy

Data is at the heart of any business today. Its flow dictates how you run the business, its protection helps to earn customers' trust, and its analysis leads to process improvements. However, how long data is kept, and when it is deleted, is often overlooked, and it should be a matter of concern for the management of an organisation. One advantage of a Data Retention Policy is that duplicate and outdated data is deleted on a defined schedule, which avoids confusion about which copy is authoritative. Just as important from a security standpoint, data that has been deleted cannot be exposed in a breach, recovered by an attacker or demanded in a subject access request, so a retention policy directly reduces the organisation's risk exposure.

Developing an ISO 27001 Data Retention Policy

ISO 27001 is deliberately technology-neutral and risk-based: it requires the organisation to define its own policies in light of its legal obligations and assessed risks rather than prescribing specific retention periods (the Annex A controls on protection of records and information deletion are the ones a retention policy typically satisfies). The detail of an effective ISO 27001 data retention policy therefore depends on the organisation, but the following basic steps can be used to develop one.

Select a Development Team

The foundation of an effective data retention policy is a strong development team of trained professionals. The team should include legal counsel, accounting specialists, IT and information security staff who will implement the deletion and backup controls, and other personnel involved in data management in some way.

Describe the Regulations Relevant to Your Organisation

Several regulatory bodies and acts prescribe specific retention periods and requirements for data removal. Examples include:

  • GDPR: short for the General Data Protection Regulation. It applies to organisations established in the EU and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Its storage limitation principle requires that personal data is kept no longer than necessary for the purpose it was collected for.
  • IRS: the Internal Revenue Service, the US tax authority. It specifies how long organisations located in the United States must keep tax and supporting financial records.
  • SOX: the Sarbanes-Oxley Act, which governs the financial reporting of US-listed companies and requires the retention of audit and financial records for defined periods.
  • HIPAA: the Health Insurance Portability and Accountability Act, which applies to the US healthcare industry and its business associates and sets retention requirements for health records and related documentation.

This step shows why a legal advisor is important in the development team: they can provide guidance on the laws that apply in your country, state and industry, and on how to resolve conflicts where one obligation requires deletion and another requires preservation.

Specify the Data to be Included

The following general categories of data should be included in a data retention policy regardless of your industry, each with its own retention period, storage location and deletion method:

  • Client data
  • Employee data
  • Supplier records
  • Tax documentation
  • Healthcare records
  • Educational records
  • E-mail records
  • Contract information
  • Financial records
  • Spreadsheets and other working documents


To conclude, ISO 27001 has many benefits. It keeps customers' sensitive and confidential information secure and gives clients verifiable assurance of that. It helps your company stand out in a competitive market. It identifies, manages and reduces risk exposure. It also provides a controlled basis for exchanging information and data securely with customers and partners.

If you are looking to implement an ISO 27001 Information Security Management System, please contact us for a free consultation on how we are able to support with your project.