Annex A · Technological Control

A.8.10 — Information Deletion

Reviewed by: Cenedril Editorial
A.8.10 · ISO 27001 · ISO 27002 · BSI CON.6

A company decommissions twenty laptops and donates them to a local school. Six months later, a parent recovers customer data, employee records and internal emails from one of the hard drives using freely available forensic software. A.8.10 prevents this by requiring that information is securely deleted when no longer needed — on all media, in all environments.

The control addresses two risks: unnecessary exposure of sensitive information and non-compliance with legal retention requirements. Both over-retention and premature deletion can create serious problems.

What does the standard require?

  • Define retention periods. For each information category, define how long data must be kept — based on legal requirements, contractual obligations and business needs.
  • Delete when retention expires. When the retention period ends, information must be securely deleted in a timely manner.
  • Use appropriate deletion methods. Employ methods proportionate to the sensitivity: secure overwrite, cryptographic erasure or physical destruction.
  • Document deletion. Record what was deleted, when, by whom and which method was used.
  • Handle third parties. When third parties store data on your behalf, obtain evidence that deletion was performed correctly.
  • Address cloud environments. Evaluate cloud providers’ deletion methods and rely on contractual assurances and cryptographic erasure.

In practice

Build a retention schedule. Map every information category to its retention period: financial records (10 years in Germany), HR files (varies), project data (contractual), log files (policy-defined). Make this the single source of truth for deletion decisions.

Automate deletion where possible. Configure systems to automatically delete data when retention periods expire. For email archives, log management systems and cloud storage, automated lifecycle policies reduce manual effort and human error.

Establish a secure media disposal process. For physical media (hard drives, tapes, USB sticks): maintain a chain of custody, use certified destruction services and obtain destruction certificates. For encrypted media, verify that encryption was active throughout the device’s lifetime.

Conduct annual deletion audits. Once per year, verify that the retention schedule is being followed: are there datasets past their retention period that have not been deleted? Are deletion logs complete?

Typical audit evidence

Auditors typically expect the following evidence for A.8.10:

  • Retention schedule — documented retention periods per data category (see Data Deletion and DLP Policy in the Starter Kit and Deletion Log)
  • Deletion logs — records of what was deleted, when and how
  • Destruction certificates — evidence from certified disposal services for physical media
  • Automated lifecycle policies — configuration showing automated deletion rules
  • Cloud provider documentation — contractual assurances regarding data deletion

KPI

Percentage of data retention items securely deleted upon expiry per policy

Measured as a percentage: how many data categories with expired retention periods have been securely deleted on schedule? Target: 100%.

Supplementary KPIs:

  • Number of data categories exceeding their retention period without deletion
  • Percentage of decommissioned devices with documented secure erasure
  • Mean time between retention expiry and actual deletion
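
The annual deletion audit and the KPIs above can be computed from a dataset inventory joined with the deletion log. The following Python is an added example, not part of the original page; the schedule values, dataset records and field names are constructed assumptions, it measures per dataset rather than per category, and it counts a deletion toward the KPI only when its log entry is complete.

```python
from datetime import date, timedelta

# Constructed retention schedule (days per category); values are illustrative assumptions.
SCHEDULE = {"logs": 90, "project": 365, "hr": 730}
# Constructed dataset inventory merged with deletion-log fields (all sample data).
DATASETS = [
    {"id": "A", "category": "logs", "created": date(2023, 1, 1),
     "deleted_on": date(2023, 4, 5), "method": "secure overwrite", "by": "ops"},
    {"id": "B", "category": "logs", "created": date(2023, 6, 1), "deleted_on": None},
    {"id": "C", "category": "project", "created": date(2022, 3, 1),
     "deleted_on": date(2023, 3, 11), "method": None, "by": "ops"},
    {"id": "D", "category": "hr", "created": date(2024, 1, 1),
     "deleted_on": date(2024, 2, 1), "method": "cryptographic erasure", "by": "hr-it"},
    {"id": "E", "category": "project", "created": date(2024, 1, 1), "deleted_on": None},
]
LOG_FIELDS = ("deleted_on", "method", "by")  # when, which method, by whom


def audit(datasets, schedule, today):
    """Return the deletion KPIs and the findings an annual audit would raise."""
    overdue, incomplete, premature, delays = [], [], [], []
    expired = documented = 0
    for d in datasets:
        expiry = d["created"] + timedelta(days=schedule[d["category"]])
        deleted = d.get("deleted_on")
        log_ok = all(d.get(f) for f in LOG_FIELDS)
        if deleted and not log_ok:
            incomplete.append(d["id"])          # deletion without full evidence
        if deleted and deleted < expiry:
            premature.append(d["id"])           # removed before retention ended
            continue
        if expiry > today:
            continue                            # still inside its retention period
        expired += 1
        if deleted is None:
            overdue.append(d["id"])             # over-retention
        else:
            delays.append((deleted - expiry).days)
            documented += log_ok                # only evidenced deletions count
    return {
        "pct_deleted_on_expiry": round(100 * documented / expired, 1) if expired else 100.0,
        "overdue_categories": sorted({d["category"] for d in datasets if d["id"] in overdue}),
        "mean_delay_days": sum(delays) / len(delays) if delays else None,
        "overdue": overdue, "incomplete_logs": incomplete, "premature": premature,
    }


if __name__ == "__main__":
    print(audit(DATASETS, SCHEDULE, today=date(2024, 6, 30)))
```

Premature deletions are reported separately from the KPI because they are a retention violation in the opposite direction, not a late deletion.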

BSI IT-Grundschutz

A.8.10 maps to BSI modules for data deletion and disposal:

  • CON.6 (Deletion and Destruction of Data) — the core module. Requires a documented deletion concept, appropriate deletion methods based on sensitivity and documented evidence of deletion.
  • CON.1 (Crypto Concept) — cryptographic erasure as a deletion method.

Frequently asked questions

What is the difference between deletion and destruction?

Deletion removes data from a storage medium so it is no longer accessible through normal means. Destruction physically renders the medium unreadable (shredding, degaussing). For highly sensitive data, destruction may be required; for most data, secure overwrite or cryptographic erasure is sufficient.

Is emptying the recycle bin secure deletion?

No. Standard deletion (including emptying the recycle bin) only removes the file system pointer. The data remains on the disk and can be recovered with forensic tools. Secure deletion requires overwriting the data or using cryptographic erasure.

How do we handle deletion in the cloud?

You typically cannot verify physical deletion in cloud environments. Rely on contractual assurances (DPA), the cloud provider's certifications (SOC 2, ISO 27001) and cryptographic erasure — where you destroy the encryption key, rendering the data unreadable.