A retention period (German: Aufbewahrungsfrist) is the legally or internally defined timeframe for which documents, records, or data must be kept. After expiry, data must be deleted — especially when personal data is involved (GDPR Art. 5(1)(e), storage limitation).
In an ISMS, ISO 27001 Annex A control A.5.33 (Protection of Records) governs the handling of records subject to retention requirements. You need an overview of which retention periods apply to which data types. The challenge lies in actually deleting data after the period expires: without automated deletion processes, data accumulates that may no longer be lawfully retained. A retention schedule — mapping data categories to their legal basis, retention period, and deletion method — is the standard approach.
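An added example, not part of the original entry: a minimal retention schedule in Python together with the check an automated deletion job would run against it. The categories, legal-basis strings, periods and record layout are constructed placeholders, and the code assumes each record carries the date on which its retention period started.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Rule:
    legal_basis: str      # why the data is kept
    years: int            # retention period in years
    deletion_method: str  # how the data is removed once the period expires

# Constructed schedule: every value below is a placeholder, not a legal
# statement. Take the real bases and periods from your own legal review.
SCHEDULE = {
    "invoice": Rule("PLACEHOLDER: statutory bookkeeping duty", 10, "purge from archive"),
    "job_application": Rule("PLACEHOLDER: internal policy", 1, "delete from HR system"),
}

def expiry(start: date, years: int) -> date:
    """Date the retention period ends; a Feb 29 start falls back to Feb 28."""
    try:
        return start.replace(year=start.year + years)
    except ValueError:
        return start.replace(year=start.year + years, day=28)

def review(records, today):
    """Split records into due-for-deletion, still-retained and unmapped."""
    due, keep, unmapped = [], [], []
    for rec_id, category, start in records:
        rule = SCHEDULE.get(category)
        if rule is None:
            # No schedule entry: this data would accumulate without ever expiring.
            unmapped.append(rec_id)
        elif expiry(start, rule.years) <= today:
            due.append((rec_id, rule.deletion_method))
        else:
            keep.append(rec_id)
    return due, keep, unmapped

# Constructed sample records: (id, category, start of retention period)
RECORDS = [
    ("r1", "invoice", date(2012, 2, 29)),
    ("r2", "invoice", date(2020, 6, 1)),
    ("r3", "job_application", date(2023, 1, 15)),
    ("r4", "chat_log", date(2019, 3, 3)),
]

if __name__ == "__main__":
    due, keep, unmapped = review(RECORDS, date(2024, 3, 1))
    print("delete:", due)
    print("retain:", keep)
    print("no schedule entry:", unmapped)
```

The third list matters as much as the first: a data category with no schedule entry is never picked up by the deletion job, so it should be reported rather than silently retained.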