Organizations should not keep sensitive information longer than necessary. This guideline will lessen the risk of unlawful access. If deleting information, the organization should consider the appropriate deletion method, record the aftermath of deletion, and obtain evidence of deletion from service providers. Organizations should also include information deletion requirements in third-party contracts to ensure compliance during and after termination of services. See Clause 7.5.3, also.
Conformance1
Tools for conforming to standards, goals and processes
