Securely Decommission Service Providers

Organization has put in place exit strategies for any ICT services supporting critical or important functions to prepare for possible failures, deteriorations of quality or other business disruptions related service.

Exit strategies ensure that the organization can exit related contractual arrangements without:

• disruption to their business activities
• non-compliance with regulatory requirements
• detriment to continuity and quality of services provided

Exit plans are comprehensive, documented and sufficiently tested and reviewed periodically.

As part of exit strategies, organisation has also identified alternative solutions and developed transition plans enabling them to switch services and transfer relevant data securely.

Organization must document the retention periods for data sets and their possible archiving process (including archiving method, location or destruction). At the end of the retention period, the data must be archived or destroyed without delay in a secure manner.

When destroying data contained in data systems, the following points should be taken into account:

• suitable method of destruction (e.g. overwriting, cryptographic erasure ) is chosen taking into account the functional and statutory requirements
• the need to preserve evidence of data destruction is discussed
• when using third parties for data destruction, the requirement of evidence and the inclusion of destruction requirements in supplier contracts are discussed

The process of archiving or destroying data is defined in connection with the documentation, and the owner of the data is responsible for its implementation.