Establish, implement, and maintain document retention procedures.


CONTROL ID
11660
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • For the management of data, programs, and documents, establish regulations that stipulate the management of important confidential data such as customer data and private keys, whenever necessary. (C12.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For magnetic media and documents that are stored in a fire-resistant safe, give priority to those that are more important and difficult to recover or reproduce over others. (F101.1. ¶ 2(2), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Establish that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original sourc… (AC2 Source Data Collection and Entry, CobiT, Version 4.1)
  • retention and disposition. (§ 7.5.3 ¶ 2 Bullet 4, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall retain documented information as evidence of: (§ 10.2 ¶ 3, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • the maintenance, retention or control of relevant documented information. (§ 5.7 ¶ 1 Bullet 3, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • retention, disposition and disposal; (§ 7.5.3 ¶ 2 Bullet 4, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Corrective actions should be appropriate to the effects of the nonconformities and/or noncompliances encountered. The organization should retain documented information as evidence of: (§ 10.1.1 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and … (§ 7.5.3 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • retention and disposition. (§ 7.5.3.2 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Decisions concerning the creation, retention and handling of documented information should take into account, but not be limited to: their use, information sensitivity and the external and internal context. (§ 6.7 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • retention and disposition. (§ 7.5.3 ¶ 2 bullet 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Documented information shall be available as evidence of: (§ 10.2 ¶ 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • retention and disposition. (§ 7.5.3 ¶ 2 Bullet 4, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • as evidence of the results of monitoring, measurement, analysis and performance evaluation; (§ 9.1.1 ¶ 5 Bullet 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • determining, maintaining and retaining documented information to the extent necessary: (8.1 ¶ 1(e), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • retention and disposition. (§ 7.5.3 ¶ 2 bullet 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall retain documented information as evidence of: (§ 10.1 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall retain documented information as evidence of: (Section 10.1 ¶ 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • retention and disposition. (Section 7.6.5 ¶ 2 bullet 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • retention and disposition. (§ 7.5.3.2(d), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization shall retain documented information as evidence of: (§ 10.1.2 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Documented information shall be available as evidence of: (§ 10.2 ¶ 3, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Procedures for retention and retrieval of original items. (App A Tier 2 Objectives and Procedures M.3 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • All output from the system must be retained and handled appropriately to document what actions have been taken. (§ 5.6.16, Exhibit 4 SI-12, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Organizational records and documents should be examined to ensure system output is retained according to organizational policies and procedures, output is handled in accordance with labeled instructions or organizational policies and procedures, and specific responsibilities and actions are defined … (SI-12, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)