Legal and regulatory frameworks are the primary and most authoritative source for defining data retention periods, especially for financial systems. Financial data is subject to numerous laws (e.g., tax laws, anti-money laundering regulations, data privacy acts like GDPR) that mandate specific minimum retention periods and eventual deletion requirements. Company policies and procedures must be built upon and comply with these legal obligations. Therefore, consulting the relevant legislation first is the mandatory starting point to ensure the policy is legally compliant and sound.

A. In company policies: Company policies are internal guidelines that must be derived from and compliant with external legislation; they are not the primary source.

B. In finance management procedures: These procedures describe how to handle data operationally but do not define the legally mandated retention periods themselves.

1. ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection — Information security controls.

Reference: Section 5.33, "Protection of records."

Quote/Paraphrase: The guidance for this control explicitly states that "Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislation, regulation, contract and business requirements." This places legislation and regulation as foundational inputs for record management, which includes retention.

2. ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Reference: Annex A, Control 8.10, "Information deletion."

Quote/Paraphrase: This control requires that "information stored in information systems, devices or in any other storage media should be deleted when no longer required." The determination of "when no longer required" is primarily driven by legal, statutory, regulatory, and contractual retention requirements.

3. NIST Special Publication 800-88, Revision 1, "Guidelines for Media Sanitization."

Reference: Section 2.3, "Information Disposition."

Quote/Paraphrase: The document states, "An information disposition policy should be created in accordance with applicable laws, regulations, and organizational policy." It emphasizes that legal and regulatory requirements are a key factor in the information disposition lifecycle, which includes retention and deletion.