ISMS/01-policies/records-retention-and-disposal-policy.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

  • Title: Records Retention and Disposal Policy
  • Document ID: [POL-RECORDS-001]
  • Version: 0.1 Draft
  • Status: Draft
  • Owner: CISO (Paul Jenkins)
  • Approver: CEO (Paul Hague)
  • Classification: Internal
  • Effective date: [DD Month YYYY]
  • Review date: [DD Month YYYY]

Records Retention and Disposal Policy

Purpose

This policy defines BlackDice's high-level requirements for retaining and disposing of business and ISMS records in a controlled manner.

Scope

This policy applies to records created or maintained within the ISMS scope, including governance records, risk records, incident records, audit outputs, supplier records, and supporting operational evidence.

Objectives

  • retain records for as long as required by business, legal, contractual, and assurance needs
  • dispose of records securely when retention is no longer required
  • support traceability, evidence, and defensible record handling

Principles / Policy Statements

Records must be retained according to defined retention requirements that reflect legal, regulatory, contractual, operational, and assurance needs.

Records must remain accessible, accurate, and protected for the duration of their retention period.

Disposal of records must be controlled and appropriate to the sensitivity of the information involved.

ISMS records such as risks, incidents, audit findings, management reviews, and exceptions must be retained in a way that supports oversight and auditability.

Where operational tooling is used as the system of record, retention and disposal arrangements must be understood and controlled.

Roles and Responsibilities

  • [Role] must define retention and disposal expectations.
  • Record owners must ensure records are retained and disposed of appropriately.
  • System owners must support retention controls where records are stored in business systems.

Compliance / Exceptions

Any exception to approved retention or disposal requirements must be documented and approved by the relevant authority.

Monitoring and Review

This policy should be reviewed through record sampling, legal change monitoring, audit, and management review.

Related Documents

  • Information Security Policy
  • Document and Records Control Standard
  • Data Retention Standard
  • Legal and Regulatory Obligations Register Template

Version Control

| Version   | Date             | Description of Change | Author         |
|-----------|------------------|-----------------------|----------------|
| 0.1 Draft | [DD Month YYYY]  | Initial draft.        | [Name or Role] |