Archiving and retaining outdated security documentation


Organization has defined what constitutes important security-related documentation and guidelines (e.g. report documents or all task / guideline content), which should be securely archived after they are replaced or become otherwise outdated.

This information should be saved for possible reviews of old policies or guidelines, which may be relevant e.g. in the case of a customer dispute or investigation by data protection authority.

When no specific legal or contractual requirement states the retention period, information should be saved for at least five years.

Connected other frameworks and requirements:
A.10.2: Retention period for administrative security policies and guidelines
ISO 27018
No items found.