Storage limitation is a principle from Art. 5(1)(e) GDPR. Personal data may only be stored for as long as necessary for the processing purpose. After that it must be deleted or anonymised. You implement this principle by defining retention periods for each data category and setting up automated deletion routines. Statutory retention obligations (e.g. tax law) may prescribe longer periods. In an ISMS, storage limitation is part of the data-protection controls and is operationalised through the retention policy.