GOV-016 Records and Information Governance
Description
Records required to demonstrate compliance, support operations, and enable audit are identified, protected from unauthorized access, alteration, or loss, and retained for defined periods. Retention and disposal schedules are documented and applied.
Rationale
Organizations must be able to produce evidence of compliance and operational activity. Records that are lost, altered, or disposed of prematurely undermine auditability and legal defensibility.
Framework Mappings (5)
| Reference | Control | Coverage |
| --- | --- | --- |
| SEF-09 | Incident Records Management | partial |
| GDPR-Art.30.1 | Controller Records of Processing Activities (RoPA) | partial |
| GDPR-Art.30.2 | Processor Records of Processing Activities | partial |
| 5.33 | Protection of records | full |
| AU-11 | Audit Record Retention | partial |
Evidence (2)
Records retention and disposal schedule defining retention periods, storage requirements, and destruction procedures for each category of compliance-relevant record.
Example: Records Retention Schedule (Confluence / legal team document), listing record categories (audit logs, contracts, incident records, training records, etc.), required retention period per category, storage location, and destruction method.
Test: Request the records retention schedule. Verify: (1) all key record categories relevant to the organization's compliance obligations are listed, (2) a specific retention period is defined for each category, (3) a storage and access control requirement is stated, (4) a destruction method (secure deletion, shredding) is specified, (5) the schedule has been reviewed within the last 12 months.
Storage system or logging platform configuration showing automated retention policies are applied in accordance with the retention schedule.
Example: AWS S3 Lifecycle Policy configuration, CloudWatch Logs retention settings, or Google Workspace Vault retention rule export — showing retention periods aligned to the documented retention schedule.
Test: Export or review the retention configuration from the primary storage and logging systems. Verify: (1) automated retention periods are set and match the documented retention schedule for each relevant record category, (2) immutability or write-once settings are enabled for audit log storage, (3) no retention period is shorter than the documented requirement.
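The three verification conditions of this test, automated as an added example that is not part of the control catalogue: it compares a documented retention schedule with a constructed export of storage and logging retention settings (store names, categories and day values are all sample data) and reports missing or mismatched retention, audit log stores without immutability, and any retention shorter than the documented requirement.

```python
"""Retention-configuration check for GOV-016 evidence item 2 (added example,
not part of the control catalogue). Compares a documented retention schedule
with a constructed export of storage/logging retention settings and reports:
(1) missing or mismatched retention, (2) audit log stores without immutability,
(3) any retention shorter than the documented requirement."""

# Documented schedule: category -> required days; audit-log categories must be immutable.
SCHEDULE = {
    "audit_logs": {"days": 365, "audit": True},
    "incident_records": {"days": 2555, "audit": False},  # ~7 years
    "training_records": {"days": 1095, "audit": False},
}

# Constructed export of live settings (sample data; retention_days None = not configured).
CONFIG_EXPORT = [
    {"store": "s3://example-audit-logs", "category": "audit_logs",
     "retention_days": 365, "object_lock": True},
    {"store": "cloudwatch:/app/audit", "category": "audit_logs",
     "retention_days": 90, "object_lock": False},
    {"store": "s3://example-incidents", "category": "incident_records",
     "retention_days": 2555, "object_lock": False},
    {"store": "s3://example-training", "category": "training_records",
     "retention_days": None, "object_lock": False},
]

def check_retention(schedule, export):
    """Return (store, finding) tuples; an empty list means every check passed."""
    findings, covered = [], set()
    for e in export:
        store, cat, days = e["store"], e["category"], e["retention_days"]
        req = schedule.get(cat)
        if req is None:
            findings.append((store, f"category {cat!r} is not in the schedule"))
            continue
        covered.add(cat)
        if days is None:
            findings.append((store, "no automated retention configured"))
        elif days < req["days"]:  # test condition (3)
            findings.append((store, f"retention {days}d is shorter than required {req['days']}d"))
        elif days != req["days"]:  # test condition (1)
            findings.append((store, f"retention {days}d does not match schedule {req['days']}d"))
        if req["audit"] and not e["object_lock"]:  # test condition (2)
            findings.append((store, "audit log store lacks immutability (write-once)"))
    for cat in sorted(schedule.keys() - covered):  # schedule categories with no store at all
        findings.append(("(none)", f"no store configured for category {cat!r}"))
    return findings

if __name__ == "__main__":
    for store, finding in check_retention(SCHEDULE, CONFIG_EXPORT):
        print(f"{store}: {finding}")
```

In practice the export list would be built from the actual S3 lifecycle, Object Lock and CloudWatch log group settings rather than typed in.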
Questions (2)
Does your organization have a documented records retention schedule defining retention periods, storage requirements, and destruction methods for each category of compliance-relevant record?
The schedule should cover audit logs, contracts, incident records, and training records at minimum, with specific retention periods aligned to legal and regulatory obligations.
How are retention policies enforced for your primary storage and logging systems?
Automated retention configuration (e.g. S3 lifecycle policies, Google Vault rules) aligned to the retention schedule is the strongest evidence. Immutability should be enabled for audit logs.