Retention rules per classification
Demonstrate that data retention policies are differentiated by classification level, actively enforced through technical or procedural controls, and result in timely, secure disposal of data when retention periods expire.
Description
What this control does
This control requires organizations to define and enforce data retention periods that are explicitly mapped to data classification levels (e.g., public, internal, confidential, restricted). Each classification tier receives specific retention durations and destruction schedules based on regulatory, legal, business, and security requirements. Automated systems or documented procedures ensure data is retained for the minimum necessary period and securely destroyed afterward, reducing exposure windows for sensitive information while maintaining compliance with legal hold and archival obligations.
Control objective
What auditing this proves
Demonstrate that data retention policies are differentiated by classification level, actively enforced through technical or procedural controls, and result in timely, secure disposal of data when retention periods expire.
Associated risks
Risks this control addresses
- Indefinite retention of highly classified data increases the attack surface and potential impact of data breaches over time
- Premature destruction of data subject to regulatory or litigation hold requirements results in legal penalties and evidence spoliation claims
- Inconsistent retention practices create compliance gaps across multi-jurisdictional operations subject to varying data protection laws (GDPR, CCPA, HIPAA)
- Excessive storage of low-value data inflates infrastructure costs and complicates incident response and e-discovery processes
- Unauthorized access to data retained beyond legitimate business need violates data minimization principles and privacy regulations
- Lack of automated enforcement leads to human error in manual deletion processes, causing retention policy violations
- Failure to securely destroy expired classified data allows data recovery through forensic methods after nominal deletion
Testing procedure
How an auditor verifies this control
- Obtain the current data classification policy and data retention schedule matrix mapping each classification level to specific retention periods and destruction methods
- Review documented legal, regulatory, and business justifications for each retention period by classification tier
- Identify technical systems (DLP, ECM, cloud storage platforms, databases) and procedural mechanisms responsible for enforcing retention rules
- Select a representative sample of data assets across all classification levels from production environments, including structured databases, file shares, email archives, and backup media
- Examine configuration settings, lifecycle policies, and automated workflows in retention enforcement systems to verify alignment with documented retention schedules
- Trace a sample of data records through their full lifecycle from creation through retention expiration to confirm actual disposal occurred per schedule and method
- Interview data custodians and records managers to assess procedural adherence for data types not under automated retention management
- Review audit logs and disposal certificates for the past 12 months to verify retention rule execution, exception handling, and legal hold override processes
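One way to script two of the checks above, comparing a platform's configured lifecycle rules against the documented schedule matrix and classifying sampled records as retain, dispose, or hold (expired but frozen by a legal hold). This is an added example, not part of the control text; the schedule values, the lifecycle-rule shape, and the sample records are constructed assumptions.

```python
"""Retention-rule verification: configured lifecycle rules checked against the
documented schedule, then sample records classified for disposal with legal-hold
override. All data below is constructed for illustration."""
from datetime import date, timedelta

# Documented retention schedule (assumed): classification -> (days, destruction method)
SCHEDULE = {
    "public":       (365,  "standard-delete"),
    "internal":     (730,  "standard-delete"),
    "confidential": (1095, "crypto-shred"),
    "restricted":   (2555, "crypto-shred"),
}

def check_lifecycle_rules(rules):
    """(classification, reason) for each configured rule disagreeing with SCHEDULE.
    Rule shape {"classification", "expire_days", "method"} is an assumption."""
    findings = []
    for r in rules:
        expected = SCHEDULE.get(r["classification"])
        if expected is None:
            findings.append((r["classification"], "no schedule entry"))
        elif (r["expire_days"], r["method"]) != expected:
            findings.append((r["classification"], f"configured {r['expire_days']}d/"
                             f"{r['method']}, schedule {expected[0]}d/{expected[1]}"))
    return findings

def disposal_status(record, today):
    """'retain' inside the retention period; afterwards 'hold' if a legal hold is
    set (destruction must not proceed), otherwise 'dispose'."""
    days, _ = SCHEDULE[record["classification"]]
    if today < record["created"] + timedelta(days=days):
        return "retain"
    return "hold" if record.get("legal_hold") else "dispose"

def run_sample():
    today = date(2024, 6, 30)
    rules = [  # constructed lifecycle rules, as if exported from a storage platform
        {"classification": "public", "expire_days": 365, "method": "standard-delete"},
        {"classification": "confidential", "expire_days": 1825, "method": "crypto-shred"},
        {"classification": "restricted", "expire_days": 2555, "method": "standard-delete"},
    ]
    records = [  # constructed sample of data assets from the audit population
        {"id": "r1", "classification": "internal", "created": date(2021, 1, 1)},
        {"id": "r2", "classification": "confidential", "created": date(2023, 1, 1)},
        {"id": "r3", "classification": "restricted", "created": date(2016, 1, 1),
         "legal_hold": True},
    ]
    statuses = {r["id"]: disposal_status(r, today) for r in records}
    return check_lifecycle_rules(rules), statuses
```

In the sample, the confidential rule retains two years longer than the schedule allows and the restricted rule uses the wrong destruction method; r1 is past retention and should have been disposed, while r3 is past retention but correctly blocked by its legal hold.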
Where this control is tested