Title: Records Retention and Disposal Policy
Document ID: [POL-RECORDS-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Records Retention and Disposal Policy

## Purpose

This policy defines BlackDice's high-level requirements for retaining and disposing of business and ISMS records in a controlled manner.

## Scope

This policy applies to records created or maintained within the ISMS scope, including governance records, risk records, incident records, audit outputs, supplier records, and supporting operational evidence.

## Objectives

- retain records for as long as required by business, legal, contractual, and assurance needs
- dispose of records securely when retention is no longer required
- support traceability, evidence, and defensible record handling

## Principles / Policy Statements

Records must be retained according to defined retention requirements that reflect legal, regulatory, contractual, operational, and assurance needs.

Records must remain accessible, accurate, and protected for the duration of their retention period.

Disposal of records must be controlled and appropriate to the sensitivity of the information involved.

ISMS records such as risks, incidents, audit findings, management reviews, and exceptions must be retained in a way that supports oversight and auditability.

Where operational tooling is used as the system of record, retention and disposal arrangements must be understood and controlled.

## Roles and Responsibilities

- [Role] must define retention and disposal expectations.
- Record owners must ensure records are retained and disposed of appropriately.
- System owners must support retention controls where records are stored in business systems.

## Compliance / Exceptions

Any exception to approved retention or disposal requirements must be documented and approved by the relevant authority.

## Monitoring and Review

This policy should be reviewed through record sampling, legal change monitoring, audit, and management review.

## Related Documents

- Information Security Policy
- Document and Records Control Standard
- Data Retention Standard
- Legal and Regulatory Obligations Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |