Understanding the updates to ISO27001:2022 - Retention Management comes of age
As digital threats escalate, the updates to ISO27001 are shaking up data retention. It's forcing organizations to rethink how they protect what's both a key asset and top risk—their information. Here's the FOUR key information governance updates, in 4 minutes.
Information security and governance are constantly evolving. For organizations aiming to protect their assets and reputation, staying compliant with international frameworks like ISO/IEC 27001 is crucial. The 2022 updates to the framework introduced several changes that significantly impact how organizations manage data retention and data deletion, within their information governance programs. They are now being enforced as of April 2024, which brings both challenges and opportunities for orgs striving to achieve or maintain compliance.
The Challenge: Managing Data Retention
Data retention management is a critical component of information security. Organizations must determine how long to retain data and when to securely dispose of it. And this problem is growing in SaaS. In 2024, the average enterprise utilizes 371 SaaS applications, a dramatic increase from just 8 in 2015. This surge in SaaS usage has led to an explosion of employee-generated content, heightening the risks associated with improper content retention. Data breaches, regulatory penalties, and loss of trust are just a few of the potential consequences of failing to manage data retention effectively.
Before the 2022 update, many organizations struggled to balance the need to retain content for operational purposes with the necessity of mitigating risks associated with over-retention. The ambiguity in earlier versions of ISO 27001 left organizations grappling with the challenge of interpreting and implementing retention policies that were both secure and compliant. This often resulted in inconsistent practices, with some content retained longer than necessary and other critical content deleted prematurely.
Four Key Changes in ISO 27001:2022
The 2022 update to ISO 27001 brought significant changes aimed at addressing these retention management challenges. While the core principles of information governance and security remain intact, the new version introduces clearer guidelines and requirements, particularly in data lifecycle management, risk assessment, and documentation.
1. Emphasis on Data Lifecycle Management
One of the key changes in ISO 27001:2022 is the heightened focus on data lifecycle management. The updated standard requires organizations to clearly define and document each stage of the data lifecycle—from creation to data deletion. This structured approach ensures that information retention policies align with both operational needs and security requirements, including the management of employee-generated content at every stage.
2. Risk-Based Approach to Retention
The 2022 update reinforces the importance of a risk-based approach to retention management. Organizations are now expected to conduct thorough risk assessments to determine appropriate retention periods for different types of data and content. This approach ensures data is retained only as long as necessary to meet legal, regulatory, and business requirements, thereby reducing the risk of retaining data longer than needed.
3. Enhanced Documentation and Auditing Requirements
Another significant change is the enhanced documentation and auditing requirements. Organizations must now maintain detailed records of their retention policies and procedures, including justifications for retention periods and actions taken to dispose of data securely. This documentation supports compliance with ISO 27001 and provides a clear audit trail invaluable during security assessments, eDiscovery, legal proceedings, or in the event of a data breach.
4. Integration with Other Information Security Controls
The updated standard also promotes a more integrated approach to information security, where retention management is closely linked with other controls such as access management, encryption, and incident response. This integration ensures that retention policies are not developed in isolation but are part of a broader strategy to protect sensitive information throughout its lifecycle.
Looking Ahead: Adapting to the Updates
For organizations already certified under ISO 27001, the 2022 updates necessitate a thoughtful review and likely revision of existing retention management practices. Transitioning to the updated standard involves more than just updating documentation; it requires a cultural shift toward viewing data lifecycle management as a critical component of information security.
Organizations should begin by conducting a gap analysis to identify areas where their current practices may fall short of the new requirements. This analysis should be followed by a comprehensive review of retention policies, risk assessment processes, and documentation. Engaging stakeholders across departments—from IT to Legal—is essential to ensure that retention policies are not only compliant but also practical and aligned with the organization's operational needs.
A simple yet effective first step is to establish an archiving process before data deletion and purging occur. By archiving data, organizations create a secure, intermediate holding area that preserves important information for audits, legal reviews, or operational needs. This approach not only aligns with the enhanced documentation and risk assessment requirements of ISO 27001:2022 but also provides a safety net against the risks of premature deletion.
Training and awareness programs are crucial in helping employees understand the importance of proper data retention and the changes introduced by the 2022 update. By fostering a culture of compliance and vigilance, organizations can ensure that they are not only meeting regulatory requirements but also actively protecting their most valuable asset—information.
Implementing automated routine deletion of information and employee content is also highly beneficial. Apps like Content Retention Manager for Confluence and Content Retention Manager for Jira facilitate this through policies and automation that avoid employee mistakes while demonstrating increased compliance with the framework. All while proving archiving and subsequent deletion is entirely routine and automated during any future eDiscovery.
Conclusion
The ISO 27001:2022 updates present organizations a timely opportunity to strengthen their retention management practices. By embracing these changes and integrating them into your overall information security strategy, your organization can enhance it's ISO 27001 compliance posture, reduce risks overall, and build greater trust.
Try Content Retention Manager for free today: