Theme: Technological | Control type: Preventive | Cybersecurity concept: Protect

A.8.10 Information Deletion

M365 Admin Path: Microsoft Purview compliance portal (compliance.microsoft.com) > Data lifecycle management > Retention policies; Information governance > Labels

Evidence Source: Microsoft Graph - Purview Retention

What is this control?

ISO 27001 control A.8.10 Information Deletion requires that information stored in information systems, devices, or other storage media is deleted when it is no longer required, using secure deletion methods that prevent recovery. In Microsoft 365 the control is implemented with Microsoft Purview Retention Policies that automatically delete M365 data after retention periods expire, Intune device wipe for endpoint data destruction, and documented disposal procedures for physical media backed by Certificate of Destruction requirements.

How to implement in Microsoft 365

Implement A.8.10 by configuring Microsoft Purview Retention Policies with delete actions after retention periods expire for Exchange, SharePoint, OneDrive, and Teams. Configure Purview Retention Labels with disposition review for records requiring manual approval before deletion. Use Intune Remote Wipe for secure deletion of all data on managed devices when decommissioned.

For physical media, use certified data destruction services that issue a Certificate of Destruction documenting serial numbers and the destruction method. Use the Microsoft Purview Data Subject Request tool to handle GDPR and POPIA right-to-erasure requests.
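The three Microsoft 365 steps above (a retention policy with a delete action, a record label with disposition review, and an Intune remote wipe of a decommissioned device) as one added PowerShell example. This is illustration written for this page, not code from the page's author or from Microsoft; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, and the policy names, the 2555-day (7-year) duration, the reviewer address and the device name are placeholders.

```powershell
# Added example (not from the original page): implement A.8.10 deletion controls in M365.
# Assumes ExchangeOnlineManagement + Microsoft.Graph modules; names, durations and
# addresses are placeholders chosen for illustration.
Connect-IPPSSession   # Security & Compliance PowerShell (Purview)

# 1. Retention policy with a delete action: remove content 2555 days (7 years) after
#    last modification in Exchange, SharePoint, OneDrive and Microsoft 365 Groups.
#    Teams chat/channel locations cannot share a policy with these workloads, so they
#    get their own policy below.
$policyName = 'A.8.10 - Delete after 7 years'
New-RetentionCompliancePolicy -Name $policyName -Enabled $true `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
    -RetentionDuration 2555 -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Delete

$teamsPolicy = 'A.8.10 - Teams delete after 7 years'
New-RetentionCompliancePolicy -Name $teamsPolicy -Enabled $true `
    -TeamsChannelLocation All -TeamsChatLocation All
New-RetentionComplianceRule -Name "$teamsPolicy rule" -Policy $teamsPolicy `
    -RetentionDuration 2555 -RetentionComplianceAction Delete

# 2. Record label with disposition review: retain 7 years, then a named reviewer must
#    approve before the item is deleted (deletion is not automatic).
$labelName = 'Record - Financial 7y'
New-ComplianceTag -Name $labelName -IsRecordLabel $true `
    -RetentionAction KeepAndDelete -RetentionType ModificationAgeInDays -RetentionDuration 2555 `
    -ReviewerEmail 'records-review@contoso.example' `
    -Comment 'A.8.10: disposition review required before deletion'

# Publish the label so it can be applied by users or by auto-apply policies.
$pubPolicy = 'A.8.10 - Publish record labels'
New-RetentionCompliancePolicy -Name $pubPolicy -Enabled $true `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "$pubPolicy rule" -Policy $pubPolicy `
    -PublishComplianceTag $labelName

# 3. Intune remote wipe of a decommissioned device: factory reset, keeping neither
#    enrollment data nor user data. 'DECOM-LAPTOP-01' is a placeholder device name.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All'
$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'DECOM-LAPTOP-01'"
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.Id)/wipe" `
    -Body @{ keepEnrollmentData = $false; keepUserData = $false }
```

Retention policies take up to a day to distribute to all locations, and a delete action only fires once the retention period has elapsed, so a newly created policy produces no deletions that an auditor can inspect immediately; keep the creation date in the evidence file.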

What an auditor looks for

Auditors will verify that Purview Retention Policies are configured with delete actions after retention periods expire. They will check that Retention Labels with disposition review are configured for records requiring approval. Auditors will review evidence of Intune wipe commands executed for decommissioned devices.

They will verify Certificates of Destruction from certified e-waste partners listing serial numbers and the destruction method. Auditors will check that the Data Subject Request tool is accessible and functional. They will verify that documented deletion procedures align with data classification requirements.
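Collecting the Microsoft 365 side of that evidence (retention rules with their delete actions, retention labels with their disposition review stages, and the Intune wipe actions recorded per device) as an added PowerShell example. This is not the page's or Microsoft's code; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules, uses the Microsoft Graph retention-label and managed-device endpoints, and writes to an output folder name chosen here. Certificates of Destruction and the Data Subject Request tool have no API surface in this script and remain manual evidence.

```powershell
# Added example (not from the original page): export A.8.10 audit evidence to CSV.
# Assumes ExchangeOnlineManagement + Microsoft.Graph modules. The folder name and
# column names are this example's own choices.
$out = Join-Path $PWD 'A8.10-evidence'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Purview retention rules: which policies delete, after how many days.
Connect-IPPSSession
$rules = Get-RetentionComplianceRule
$rules |
    Select-Object Name, Policy, RetentionComplianceAction, RetentionDuration, ExpirationDateOption |
    Export-Csv (Join-Path $out 'retention-rules.csv') -NoTypeInformation
# A rule that only keeps and never deletes is a finding against A.8.10, not a pass.
$rules | Where-Object { $_.RetentionComplianceAction -eq 'Keep' } |
    ForEach-Object { Write-Warning "Rule '$($_.Name)' retains content without a delete action" }

# 2. Retention labels via Microsoft Graph (the page's stated evidence source):
#    action at end of retention and any disposition review stages.
Connect-MgGraph -Scopes 'RecordsManagement.Read.All', 'DeviceManagementManagedDevices.Read.All'
$labelUri = 'https://graph.microsoft.com/v1.0/security/labels/retentionLabels'
(Invoke-MgGraphRequest -Method GET -Uri $labelUri).value | ForEach-Object {
    [pscustomobject]@{
        Label             = $_.displayName
        IsRecord          = $_.behaviorDuringRetentionPeriod   # retain / retainAsRecord / retainAsRegulatoryRecord
        ActionAfterPeriod = $_.actionAfterRetentionPeriod      # delete / startDispositionReview / relabel / none
        Trigger           = $_.retentionTrigger                # dateCreated / dateModified / dateLabeled / dateOfEvent
        DurationDays      = $_.retentionDuration.days          # null when retention is 'forever'
        ReviewStages      = ($_.dispositionReviewStages | ForEach-Object { $_.name }) -join ';'
    }
} | Export-Csv (Join-Path $out 'retention-labels.csv') -NoTypeInformation

# 3. Intune: wipe actions recorded on managed devices. Graph pages large tenants; this
#    follows @odata.nextLink so the export is complete.
$devUri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,deviceName,serialNumber,deviceActionResults'
$wipes = @()
while ($devUri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $devUri
    foreach ($d in $page.value) {
        foreach ($a in $d.deviceActionResults) {
            if ($a.actionName -eq 'wipe') {
                $wipes += [pscustomobject]@{
                    Device  = $d.deviceName
                    Serial  = $d.serialNumber
                    State   = $a.actionState      # pending / active / done / failed ...
                    Started = $a.startDateTime
                    Updated = $a.lastUpdatedDateTime
                }
            }
        }
    }
    $devUri = $page.'@odata.nextLink'
}
$wipes | Export-Csv (Join-Path $out 'intune-wipes.csv') -NoTypeInformation
Write-Host "Evidence written to $out ($($rules.Count) rules, $($wipes.Count) wipe actions)"
```

Match the serial numbers in intune-wipes.csv against the asset register and the e-waste partner's Certificates of Destruction so that every decommissioned endpoint has either a completed wipe record or a destruction certificate; a device with neither is the gap an auditor will ask about.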