
[REVIEW] iso27001-gap: add A.8.10 information deletion evidence gates #1400

@wowsofine

Description

Skill Being Reviewed

Skill name: iso27001-gap
Skill path: skills/compliance/iso27001-gap/

False Positive Analysis

Benign-looking ISO 27001 evidence packet that can be over-scored as A.8.10 conforming:

control: A.8.10 Information deletion
app_delete_endpoint: implemented
retention_policy: approved
primary_database:
  deletion_job: runs_daily
  proof: one successful job screenshot
backups:
  retention_days: 180
  deletion_scope: not mapped
logs:
  pii_redaction: partial
third_parties:
  downstream_deletion_confirmation: missing
legal_holds:
  process: undocumented

Why this is a false positive:
The current skill lists A.8.10 as a new ISO 27001:2022 control but does not define what evidence proves information is deleted when no longer required. A reviewer could mark the control as implemented because a retention policy and primary-store deletion job exist, while copies remain in backups, object storage, search indexes, logs, exports, test datasets, downstream processors, or unmanaged SaaS tools.

For ISO 27001 readiness, the control evidence should distinguish policy intent from deletion scope, execution proof, exception authority, and residual copies that are intentionally retained under legal, contractual, backup, or business-continuity requirements.

Coverage Gaps

Missed variant 1: primary-store deletion does not cover derived and operational copies

record_id: customer-123
primary_database_deleted: true
object_storage_exports_deleted: unknown
search_index_deleted: false
siem_logs_containing_identifier: retained_365_days
analytics_warehouse_deleted: unknown
test_dataset_copy: not inventoried
backup_expiry_date: unknown

Why it should be caught:
A.8.10 is about deleting information when it is no longer required, not only deleting rows from the production database. The assessment should require a deletion scope map across repositories, derived stores, logs, archives, test data, and backup/restore media, then record which stores are physically deleted, cryptographically erased, tombstoned, or retained until a defined expiry.

Missed variant 2: deletion exceptions lack authorization, expiry, and SoA/risk traceability

retained_after_deletion_request:
  reason: legal hold
  approver: missing
  authority: missing
  scope: all customer data
  expiration_or_review_date: missing
  residual_risk_owner: missing
  linked_risk_or_requirement: missing

Why it should be caught:
Retention exceptions can be legitimate, but they should be narrow, approved, time-bounded, and traceable to legal, regulatory, contractual, risk-treatment, or business-continuity requirements. Without exception evidence, an organization can claim deletion while silently retaining more data than necessary.

Missed variant 3: downstream providers and sub-processors are outside the deletion proof

processor: support_saas
contains_personal_or_confidential_data: true
delete_request_forwarded_at: 2026-06-01T10:00:00Z
confirmation_received: missing
sla: missing
backup_retention_disclosed: missing

Why it should be caught:
The ISO gap review already considers suppliers and cloud services in other controls, but A.8.10 needs its own evidence that deletion or retention obligations propagate to outsourced systems that store scoped information.

Edge Cases

  • Backups may not support targeted deletion. That can be acceptable only if backup retention, restore handling (including how records deleted after a backup was taken are re-deleted if that backup is ever restored), access restrictions, and expiry dates are documented.
  • Legal hold, litigation preservation, tax retention, and incident evidence retention can override deletion, but each exception needs authority, scope, owner, and review date.
  • Cryptographic erasure can satisfy deletion for encrypted datasets only when key-destruction evidence, key scope (which copies and backups were encrypted under the destroyed key, and whether that key was itself backed up or escrowed), and unrecoverability are documented.
  • Logs may retain identifiers for security or fraud purposes; the review should require minimization, masking, retention schedule, and access controls rather than treating all log retention as either safe or unsafe.
  • Multi-tenant SaaS and cloud object storage may have lifecycle policies, replication, versioning, and soft-delete settings that extend retention beyond the application-level delete operation.
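The last edge case is easy to miss in an evidence packet because the application log shows a successful DELETE. The following is an added example, not code from the iso27001-gap skill or the page author: it takes a bucket's versioning status and lifecycle configuration in the dict shapes boto3 returns from get_bucket_versioning and get_bucket_lifecycle_configuration (the configs here are constructed, not read from a real bucket) and works out how long a soft-deleted object's bytes survive, then turns that into a deletion-scope-map row. Object Lock and replication are deliberately not modelled.

```python
"""Hypothetical object-storage retention check (added example, not the skill's
code). Inputs use the dict shapes of S3's GetBucketVersioning and
GetBucketLifecycleConfiguration responses; the configs below are constructed.
Object Lock and cross-region replication are not modelled."""
from typing import Optional


def effective_deletion_days(versioning: dict, lifecycle: dict, key: str) -> Optional[int]:
    """Days until the bytes behind `key` are gone after an application-level DELETE.

    0    -> unversioned bucket: the delete removes the object itself
    N    -> an enabled rule expires the noncurrent version after N days
    None -> retention is unbounded (the soft-deleted version never expires)
    Suspended versioning is treated like Enabled: earlier versions still persist.
    """
    if versioning.get("Status") not in ("Enabled", "Suspended"):
        return 0
    # Versioned bucket: DELETE only writes a delete marker; the data lives on as a
    # noncurrent version until a NoncurrentVersionExpiration rule covers it. A
    # plain Expiration rule does not help, it only acts on current versions.
    best = None
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        flt = rule.get("Filter") or {}
        if "Tag" in flt or "And" in flt:
            continue  # tag-scoped rule: cannot be judged from the key alone, stay conservative
        prefix = flt.get("Prefix", rule.get("Prefix", ""))
        if not key.startswith(prefix):
            continue
        days = (rule.get("NoncurrentVersionExpiration") or {}).get("NoncurrentDays")
        if days is not None and (best is None or days < best):
            best = days
    return best


def scope_map_entry(repo: str, days: Optional[int]) -> dict:
    """Turn the result into a deletion-scope-map row using this review's field names."""
    if days is None:
        return {"repository": repo, "deletion_method": "retained_exception",
                "note": "versioning/soft-delete keeps data indefinitely; needs an exception record"}
    return {"repository": repo,
            "deletion_method": "lifecycle_expiry" if days else "physical_delete",
            "expiry_days_after_delete": days}


# Constructed configs. WEAK looks like a 30-day purge but only writes delete
# markers on a versioned bucket; FIXED also expires the noncurrent versions.
VERSIONED = {"Status": "Enabled"}
WEAK = {"Rules": [{"ID": "expire-exports", "Status": "Enabled",
                   "Filter": {"Prefix": "exports/"}, "Expiration": {"Days": 30}}]}
FIXED = {"Rules": [{"ID": "expire-exports", "Status": "Enabled",
                    "Filter": {"Prefix": "exports/"}, "Expiration": {"Days": 30},
                    "NoncurrentVersionExpiration": {"NoncurrentDays": 30}}]}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        days = effective_deletion_days(VERSIONED, cfg, "exports/customer-123.csv")
        print(name, scope_map_entry("exports bucket", days))
```

Run against a real bucket, the two inputs would come from the corresponding API calls; the point of the check is that the scope-map row for object storage is derived from the storage configuration, not from the application's delete log.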

Remediation Quality

  • Fix resolves the vulnerability
  • Fix doesn't introduce new security issues
  • Fix doesn't break functionality
  • Issues found: Add an A.8.10 information deletion evidence gate to the ISO 27001 gap workflow and output. The gate should require deletion scope mapping, retention basis, execution proof, exception handling, backup/log handling, downstream processor confirmations, and residual-risk traceability.

Recommended fields:

Field | Purpose
Information class / asset | Identifies what data is subject to deletion.
Repository / copy type | Primary DB, object storage, search index, logs, backup, analytics, test data, SaaS processor.
Retention basis | Legal, contractual, business, security, backup, or no longer required.
Deletion method | Physical delete, lifecycle expiry, tombstone, anonymization, cryptographic erasure, retained exception.
Proof artifact | Job run, lifecycle policy, key-destruction record, processor confirmation, restore test handling.
Exception owner and authority | Who approved retention and why.
Expiry / review date | When retained copies expire or are re-reviewed.
Residual risk / SoA linkage | Risk ID, requirement driver, or treatment decision tied to the SoA.

Suggested scoring guardrails:

  1. Cap A.8.10 maturity at Managed when only a policy exists without repository-level deletion proof.
  2. Mark A.8.10 Not Evaluable when backup/log/downstream processor handling is unknown.
  3. Treat unbounded or ownerless deletion exceptions as a minor or major nonconformity depending on scope and sensitivity.
  4. Credit legitimate legal-hold or backup-retention exceptions when they are documented, access-controlled, time-bounded, and linked to risk or legal requirements.
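To make the recommended fields and the four guardrails concrete, here is an added example of the gate as a small scorer; it is not the iso27001-gap skill's own code and the field names, copy-type labels, rating strings and the four evidence packets are all assumptions made for illustration (OVER_SCORED mirrors the benign-looking packet at the top of this review, UNBOUNDED_HOLD mirrors missed variant 2). The rating precedence, a demonstrable nonconformity outranking Not Evaluable, which outranks the Managed cap, is a design choice the skill would need to decide for itself.

```python
# Hypothetical A.8.10 evidence gate (added example, not iso27001-gap's code). Field
# names follow the recommended-fields table; the packets below are constructed.
from dataclasses import dataclass, field
from typing import Optional

DELETION_METHODS = {"physical_delete", "lifecycle_expiry", "tombstone",
                    "anonymization", "cryptographic_erasure"}
GATED_COPY_TYPES = {"backup", "logs", "saas_processor"}  # guardrail 2
EXCEPTION_FIELDS = ("approver", "authority", "owner",      # guardrails 3 and 4
                    "expiry_or_review_date", "linked_risk_or_requirement")


def blank(value) -> bool:
    """None, empty strings and assessor placeholders all count as missing evidence."""
    return value is None or str(value).strip().lower() in {
        "", "missing", "unknown", "not mapped", "not inventoried", "undocumented"}


@dataclass
class GateResult:
    rating: str
    findings: list = field(default_factory=list)


def exception_severity(copy: dict, exc: Optional[dict]) -> int:
    """0 = documented, bounded exception (credited); 1 = minor NC; 2 = major NC."""
    if not [f for f in EXCEPTION_FIELDS if exc is None or blank(exc.get(f))]:
        return 0
    # Toy scope test: a scope starting with "all" is unbounded; high sensitivity escalates.
    broad = exc is None or str(exc.get("scope", "")).lower().startswith("all")
    return 2 if broad or copy.get("sensitivity") == "high" else 1


def evaluate_a_8_10(evidence: dict) -> GateResult:
    """Apply the four scoring guardrails to one evidence packet."""
    findings, not_evaluable, missing_proof, nc = [], False, False, 0
    copies = evidence.get("copies", [])
    exceptions = {e["id"]: e for e in evidence.get("exceptions", [])}
    for kind in sorted(GATED_COPY_TYPES - {c["copy_type"] for c in copies}):
        findings.append(f"{kind}: absent from deletion scope map")
        not_evaluable = True
    for c in copies:
        kind, method = c["copy_type"], c.get("deletion_method")
        if method in DELETION_METHODS:
            if blank(c.get("proof_artifact")):  # guardrail 1: claim without proof
                findings.append(f"{kind}: {method} claimed without proof artifact")
                missing_proof = True
        elif method == "retained_exception":
            sev = exception_severity(c, exceptions.get(c.get("exception_id")))
            if sev:
                findings.append(f"{kind}: retention exception lacks approver, owner, "
                                "expiry/review date or risk linkage")
                nc = max(nc, sev)
        else:  # neither a recognised deletion method nor a declared exception
            findings.append(f"{kind}: deletion handling unknown ({method!r})")
            missing_proof = True
            not_evaluable = not_evaluable or kind in GATED_COPY_TYPES
    # Precedence: demonstrable nonconformity > cannot evaluate > capped > conforming.
    rating = ("Major nonconformity" if nc == 2 else "Minor nonconformity" if nc == 1
              else "Not Evaluable" if not_evaluable
              else "Managed (capped)" if missing_proof or blank(evidence.get("retention_policy"))
              else "Conforming")
    return GateResult(rating, findings)


def cp(kind, method, proof=None, **extra):
    """One deletion-scope-map row."""
    return {"copy_type": kind, "deletion_method": method, "proof_artifact": proof, **extra}


# Constructed packets; OVER_SCORED mirrors the benign-looking packet above.
OVER_SCORED = {"retention_policy": "approved", "copies": [
    cp("primary_db", "physical_delete", "one successful job screenshot"),
    cp("backup", "not mapped"), cp("logs", "partial"), cp("saas_processor", "missing")]}
UNBOUNDED_HOLD = {"retention_policy": "approved", "copies": [
    cp("primary_db", "retained_exception", exception_id="EX-1", sensitivity="high"),
    cp("backup", "lifecycle_expiry", "lifecycle rule export"),
    cp("logs", "lifecycle_expiry", "SIEM retention config"),
    cp("saas_processor", "physical_delete", "processor deletion ticket")],
    "exceptions": [{"id": "EX-1", "reason": "legal hold", "scope": "all customer data"}]}
CONFORMING = {"retention_policy": "approved", "copies": [
    cp("primary_db", "physical_delete", "deletion job run 2026-06-02"),
    cp("search_index", "tombstone", "index purge log"),
    cp("backup", "retained_exception", exception_id="EX-7"),
    cp("logs", "anonymization", "ingest masking config"),
    cp("saas_processor", "physical_delete", "processor confirmation ticket")],
    "exceptions": [{"id": "EX-7", "reason": "backup media not targetable", "approver": "CISO",
                    "scope": "nightly full backups, 35-day rotation", "owner": "backup-ops",
                    "authority": "BC policy 4.2", "expiry_or_review_date": "2026-07-07",
                    "linked_risk_or_requirement": "RISK-042"}]}
POLICY_ONLY = {"retention_policy": "approved", "copies": [
    cp("primary_db", "physical_delete"), cp("backup", "lifecycle_expiry"),
    cp("logs", "lifecycle_expiry"), cp("saas_processor", "physical_delete")]}

if __name__ == "__main__":
    for name in ("OVER_SCORED", "UNBOUNDED_HOLD", "CONFORMING", "POLICY_ONLY"):
        result = evaluate_a_8_10(globals()[name])
        print(f"{name}: {result.rating}", *result.findings, sep="\n  ")
```

OVER_SCORED comes out Not Evaluable with three findings (backup, logs and processor handling unknown) rather than conforming, which is the over-credit this review is about; UNBOUNDED_HOLD is a major nonconformity because the legal hold covers all customer data and has no approver, owner, review date or risk link; CONFORMING is credited in full because its backup exception is narrow, owned, time-bounded and linked to a risk ID; POLICY_ONLY is capped at Managed because every claimed deletion lacks a proof artifact.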

Comparison to Other Tools

Tool / Framework | Catches this? | Notes
ISO/IEC 27001:2022 / ISO/IEC 27002:2022 | Partial | A.8.10 establishes the control objective, but this skill needs portable evidence fields for an actual gap review.
GRC platforms | Partial | They can store retention policies and control evidence, but the assessor still needs deletion scope and exception proof.
Data discovery / DLP tools | Partial | They can find retained sensitive data, but do not by themselves prove authorized deletion or exception handling.
Backup platforms | Partial | They show retention and expiry mechanics, but not SoA traceability or downstream processor deletion.

Overall Assessment

Strengths:

  • The skill has broad ISO 27001:2022 coverage across Clauses 4-10 and all 93 Annex A controls.
  • It correctly flags A.8.10 as one of the new 2022 controls needing specific attention.
  • It already warns against treating Annex A as a simple checklist.

Needs improvement:

  • A.8.10 is listed but lacks evidence requirements, unlike the level of detail auditors need for deletion, retention, and exception handling.
  • The current output can over-credit a policy or primary-store delete job without proving deletion across derived stores, logs, backups, SaaS tools, and processors.
  • The review should link deletion exceptions to SoA/risk-treatment evidence so legitimate retention is not confused with uncontrolled data hoarding.

Priority recommendations:

  1. Add an A.8.10 evidence checklist under Annex A technological controls.
  2. Add an information deletion scope matrix to the output for repositories, derived copies, backups, logs, and third-party systems.
  3. Add retention-exception fields for authority, owner, scope, expiry/review date, and residual-risk acceptance.
  4. Add scoring caps / Not Evaluable reasons for missing deletion proof, unknown backup/log handling, and missing downstream confirmations.

Sources Checked

This review is distinct from #453 and #891 because it focuses specifically on A.8.10 deletion execution, retention exceptions, backups/logs, and downstream processors rather than general SoA traceability. It is distinct from #1335 because it is not limited to cloud-service lifecycle governance. It is distinct from #1382 because it covers ISO 27001 information deletion across ISMS-scoped assets, not AI-specific vector stores, training data, or model artifacts.

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: GitHub Sponsors; other payout details can be provided privately after maintainer acceptance.
