In the background, you hear the same “wah wah wah wah” noise that Charlie Brown’s teacher made as your internal auditor requests information about records management and document retention. You know the documents are stored somewhere, and you know their retention periods can be audited. However, records management and compliance mean more than keeping data for a certain number of years. Today, record retention also requires protecting the information for as long as you keep it.

Records Management & Compliance

What is records management?

Often referred to as records and information management (RIM), records management covers creating, classifying, storing, protecting, retaining, and disposing of information over the course of its lifecycle. In an information-based society, data drives business objectives, so the records that hold that data need the same care as any other business asset.

You’re collecting information before you even meet people. Whether it’s job applications or marketing materials, you collect, store, and dispose of information about people you’ve never met and with whom you may never do business.

While some laws focus solely on customer and employee data, under others, all personal data you hold becomes a data breach risk. For example, under the General Data Protection Regulation (GDPR), storing personal data is itself a form of processing, so information you collect and keep must be protected against a data breach even if you never do anything else with it.

For example, email marketers often collect information as part of their lead generation programs. Any information that can be connected back to an individual needs to be protected. What might previously have been treated as “cold information” after the email cycle completed is now a data risk for as long as it is retained.

What are typical retention schedules?

Record retention schedules vary by industry and by regulation. Banks generally need to keep customer identification information for five years after someone closes an account. Schools need to keep information for anywhere from three years to forever, depending on the type of record. The same principle applies to small businesses: the information’s classification defines the time frame.

Most records fall into one of a few retention classes: three years, five years, seven years, ten years, or permanent retention. Assigning each record type to a class is what makes the schedule auditable.

What does this mean for my organization?

Ay, but there’s the rub! Records management compliance no longer simply means locking the paper in a warehouse. Today, you’re collecting and storing information in a variety of digital locations, and each of those locations needs its own controls.

As an organization, therefore, you need to make sure that you catalog all information – even that which is no longer in use – as part of your information management program. Moreover, you need to make sure that you’re creating the appropriate workflows for disposing of records on time, because a record you cannot find is one you cannot protect or dispose of.

5 Steps to Creating a Records Management Policy

ISO 15489 offers guidance for creating a records management policy. Using it as a foundation, you can work through the following steps to ensure continuing compliance and protection of your information.

Review assets and storage locations

No matter what industry you’re in, you need to know what you store and where you store it. Understanding the types of information that you need to protect can feel overwhelming in a data-saturated world, so start by sorting records into categories and then listing every location where each category lives.

Categories of Records

  • Operational: Information necessary for continued operations
    • Employee records
    • Customer information
    • Marketing information that identifies individuals
    • Tax information
    • Board of Directors meeting minutes
    • Human Resources documents
    • Organization charts
    • Data access and authorizations
  • Legal: Information pertaining to legal responsibilities or legal liabilities
    • Lawsuits
    • Articles of Incorporation
    • Insurance policy information
    • Consent forms
    • Third-party contracts
  • Emergency: Information needed to maintain business continuity and disaster recovery
    • Emergency access authorizations
    • Policies and procedures – including disaster recovery
    • Technical system documentation
    • Facility blueprints
    • Security codes
  • Financial: Information regarding your financial history, assets, or liabilities
    • Payroll information
    • Banking information
    • General ledgers
    • Investments

Storage Locations

  • Servers
  • Networks
  • Onsite and offsite storage facilities
  • Cloud storage
  • Backup and recovery locations

Review Data Importance and Rate Risk

All records management policies should focus first on vital information. Rate each record type by how much the business depends on it: information whose loss would halt operations or cause significant financial loss is vital and should receive the strongest protections and the fastest recovery targets.

  • Is it necessary to continue business operations?
  • Will there be a significant monetary loss if the data is lost?
  • How difficult is it to reconstruct the information?
  • How rapidly do you need to recover or reproduce the information?
  • Is the information unobtainable from other sources?
  • Are the records physical or digital?

Review Risks to the Information

Retention requires thinking about the long-term security of information that you may rarely access once it has been filed. Controls that were adequate when the record was created may not be adequate years later, so you need to review the security controls in place for each storage location.

  • Who is responsible for the information?
  • Do you maintain appropriate technological controls (firewalls, data segregation, encryption at rest, encryption in transit)?
  • What format is the information in, and will you still be able to read it at the end of the retention period?
  • Can you document transactions against the records (who created, viewed, modified, or moved them, and when)?
  • What are the physical controls over the facility and servers where the information resides?
  • Who has access to the records?
  • How do you control access and authenticate users?

Monitoring Records Protections

Even though you are not actively using the information, you can’t just leave the data unmonitored. Unmonitored systems miss patches, accumulate stale access rights, and drift out of their intended configuration, so the protections around the records become unreliable and you can no longer demonstrate that the records have kept their integrity.

  • Are you consistently monitoring the servers, networks, and software that hold records for vulnerabilities?
  • Are you regularly applying security updates to that software?
  • Are you monitoring external threats to your environment?
  • Are you performing periodic access reviews?
  • Do you have human resources procedures that remove access upon employment termination or role change?

Disposal of Records

You need to have an appropriate plan in place for record disposal. If you maintain records past the required retention period, you may be violating a regulatory requirement, and every record you keep longer than required is one more record exposed in a breach.

  • How long do you need to retain the information?
  • How do you erase data so that copies, indexes, and associated metadata are removed along with the record itself?
  • How do you dispose of end-of-life devices and storage media?
  • How do you handle backups so that disposed records do not survive in them beyond the retention period?
  • Do you have procedures in place to dispose of records within regulatory time frames?
  • Have you verified and documented that disposal was actually carried out?

How ZenGRC Enables Records Management

From start to finish, records management requires an efficient workflow to coordinate the information each department stores.

ZenGRC allows you to prioritize tasks so that everyone knows what to do and when to do it, letting you maintain records properly right up until the time you need to dispose of them.

With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in records management.

Finally, with our audit trail capabilities, you can document remediation activities to prove that you maintained the confidentiality, integrity, and availability of your records as required by law.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.