The deletion evidence log documents every secure data deletion and media destruction in your organisation. It proves that confidential data was actually destroyed — according to a defined standard, by an identifiable person, with independent confirmation.
ISO 27001 A.8.10 (Information Deletion) requires that information is deleted when it is no longer needed and that the deletion is documented. GDPR Art. 17 adds the right to erasure of personal data. The deletion evidence log serves both requirements.
What does it contain?
Each row represents one deletion or destruction event. The columns:
- ID / Data or Media — unique identifier and description of the deleted object (e.g. “12 retired laptops”, “backup tapes Q3 2024”)
- Reason / Method / Standard — deletion reason, applied method and referenced standard (e.g. NIST SP 800-88 Purge)
- Performed By / Verified By — person (or external service provider) who carried out the deletion and person who confirmed it
- Date / Evidence / Status — date of execution, reference to destruction certificate and current status
How to use it
Initial setup: Define which deletion events require logging (typically everything classified as “Confidential” or above). Agree with IT operations on who documents execution and who provides confirmation.
Execution: For every deletion or media destruction, create a row in the log — before execution (with the planned date) or immediately after. Archive the evidence (destruction certificate, screenshot of the cloud audit log) and link it in the Evidence column.
Audit preparation: Auditors sample-check whether retired assets have a corresponding deletion record and whether the referenced evidence actually exists. A complete log with archived proof answers these questions immediately.
| ID | Data / Media | Reason | Method | Standard | Performed By | Verified By | Date | Evidence | Status |
|---|---|---|---|---|---|---|---|---|---|
| DEL-2026-001 | 12 retired laptops (AST-006 fleet) | End of life | Cryptographic erase + physical shredding | NIST SP 800-88 Rev.1 Purge | Certified vendor SecureIT GmbH | IT Operations Lead | 2026-02-20 | Certificate of destruction CDS-26-0214 | Completed |
| DEL-2026-002 | 5 TB backup tapes (2019-2022) | Retention expiry | Degaussing + shredding | NIST SP 800-88 Rev.1 Destroy | Certified vendor SecureIT GmbH | IT Operations Lead | 2026-03-05 | Certificate CDS-26-0301 | Completed |
| DEL-2026-003 | Customer record (SAR erasure request) | GDPR Art. 17 | DB row soft-delete + backup tombstone + 30-day purge | GDPR-compliant deletion procedure | DPO | ISO | 2026-03-12 | SAR-2026-007 closure log | Completed |
| DEL-2026-004 | Former employee M365 mailbox (J. Schmidt) | Leaver 90 days past | Delete mailbox + retention policy removal | M365 retention procedure | IT Operations | HR Lead | 2026-04-02 | M365 audit log entry | Completed |
| DEL-2026-005 | Test database (staging snapshot 2025-Q4) | Old test data | Database drop + S3 object delete | Internal deletion procedure | Head of Engineering | IT Operations Lead | 2026-03-18 | Pipeline log DEL-2026-005 | Completed |
| DEL-2026-006 | 20 USB sticks (inventory clean-up) | Reassignment | Cryptographic erase | NIST SP 800-88 Clear | IT Operations | IT Operations Lead | 2026-01-15 | Erase script log | Completed |
| DEL-2026-007 | Marketing campaign data (2023 event) | Retention expiry | S3 object delete + CRM segment purge | Retention schedule | Marketing Lead | DPO | 2026-02-28 | S3 lifecycle policy log | Completed |
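The sample check described under "Audit preparation" can be run over the log before the auditor does. The following is an added example, not part of the original template: it parses rows in the table format above and flags empty columns, missing independent confirmation, non-ISO dates, evidence references that are not in the archive, and retired assets without a deletion record. Rows DEL-2026-008 and DEL-2026-009, the asset IDs AST-011, AST-014 and AST-020, certificate CDS-26-0402, and the rule that an asset counts as covered when its ID appears in the Data / Media column are assumptions constructed for illustration.

```python
from datetime import date

COLUMNS = ["ID", "Data / Media", "Reason", "Method", "Standard",
           "Performed By", "Verified By", "Date", "Evidence", "Status"]

# Constructed sample: row 001 is copied from the example table,
# rows 008 and 009 are invented to show typical defects.
SAMPLE_LOG = """
| DEL-2026-001 | 12 retired laptops (AST-006 fleet) | End of life | Cryptographic erase + physical shredding | NIST SP 800-88 Rev.1 Purge | Certified vendor SecureIT GmbH | IT Operations Lead | 2026-02-20 | Certificate of destruction CDS-26-0214 | Completed |
| DEL-2026-008 | File server disks (AST-011) | End of life | Overwrite | NIST SP 800-88 Rev.1 Clear | IT Operations | IT Operations | 2026-04-10 | | Completed |
| DEL-2026-009 | Scanner hard disk (AST-014) | End of life | Shredding | NIST SP 800-88 Rev.1 Destroy | Certified vendor SecureIT GmbH | IT Operations Lead | 10.04.2026 | Certificate CDS-26-0402 | Completed |
"""

def parse_log(table):
    """Turn pipe-delimited log rows into dicts keyed by column name."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().removeprefix("|").removesuffix("|").split("|")]
        if cells == COLUMNS or not line.strip("|-: \t"):
            continue  # skip the header row and the |---| separator
        if len(cells) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} cells: {line!r}")
        rows.append(dict(zip(COLUMNS, cells)))
    return rows

def audit(rows, retired_assets, archived_evidence):
    """Return {row ID or asset ID: [findings]} for everything an auditor would flag."""
    findings = {}
    def flag(key, msg):
        findings.setdefault(key, []).append(msg)
    for row in rows:
        for col in COLUMNS:
            if not row[col]:
                flag(row["ID"], f"{col} is empty")
        # Independent confirmation: performer and verifier must differ.
        if row["Performed By"] == row["Verified By"]:
            flag(row["ID"], "no independent confirmation")
        try:
            date.fromisoformat(row["Date"])
        except ValueError:
            flag(row["ID"], "Date is not YYYY-MM-DD")
        if row["Evidence"] and row["Evidence"] not in archived_evidence:
            flag(row["ID"], "referenced evidence not in archive")
    # Assumption: a retired asset is covered if its ID appears in Data / Media.
    for asset in retired_assets:
        if not any(asset in row["Data / Media"] for row in rows):
            flag(asset, "retired asset has no deletion record")
    return findings
```

In practice `retired_assets` would come from the asset register and `archived_evidence` from a listing of the evidence archive.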
Sources
- ISO/IEC 27001:2022 A.8.10 — Information Deletion
- NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
- GDPR (EU 2016/679) Art. 17 — Right to Erasure