Audit evidence retention and disposal
as a governed lifecycle on the engagement record, not a shared drive that grows forever

Without retention classes, every artefact gets the same indefinite shelf. Twelve years of scanner outputs, screenshots, and signed attestations pile up. The disposal cycle never runs because nobody owns it. Storage costs and legal-discovery exposure both grow linearly with time, but the audit-readiness benefit plateaus after the framework retention floor. Treat retention as a class on the artefact at capture, not as a folder structure to clean up later.

When the disposition cycle runs once every two or three years as a clean-up sprint, decisions are not documented at the moment of decision. The destruction record is reconstructed afterwards from email threads, sometimes from leaver-account inboxes. The audit reads the missing decision record as a control failure even when the underlying disposition was correct. Run disposition on a quarterly cadence so the activity log captures every decision in real time.

A hold placed by an email from legal three years ago is the most common over-retention shape. Nobody is sure which artefacts are still in scope. The disposition cycle either over-retains everything to be safe or destroys artefacts that should still be on hold. Record holds on the engagement as explicit overrides with named scope, hold owner, and release condition so the disposition queue can read the hold flag rather than a leaver inbox.

A programme that operates against five frameworks defaults to "keep everything for the longest framework retention" and never sets per-artefact classes. Activity logs that need twelve months for PCI DSS Requirement 10 are kept for seven years for HIPAA-aligned policy reasons. Configuration screenshots that need three years for SOC 2 are kept indefinitely. The implicit policy generates indefensible retention because the audit asks for the per-artefact class and the team cannot point to one.

Evidence is silently deleted from a shared drive when storage runs short or a folder is reorganised. There is no destruction reference, no disposition decision, no activity-log entry. The audit lookback reads the silence as a control failure even when the underlying disposition was correct against the retention class. The fix is capturing the destruction reference (method, date, owner, matter-resolution note) on the activity log at the moment of disposal.

When PCI DSS 3.2.1 moved to 4.0, when ISO 27001:2013 moved to 2022, when NIST SP 800-53 Rev 4 moved to Rev 5, retention expectations shifted in subtle ways. Programmes that did not consume the version change as a retention-class update carry stale retention windows for eighteen or twenty-four months. Retention drift has to be an item on the framework version-transition checklist alongside control mapping, evidence cadence, and audit narrative updates.

Each retention class records the floor (framework-driven minimum), the ceiling (legal-discovery and storage-cost cap), the default disposition rule (destroy, archive, supersede, retire), and the named owner. Classes typically include audit-log retention (twelve months minimum, often seven years for healthcare and seven for financial services), control-evidence retention (three to seven years depending on framework), policy-document retention (six years for HIPAA, often longer for ISO certification cycles), and engagement-deliverable retention (varies with contract terms). The catalogue is the basis for the per-artefact stamp.

Every artefact captured into document management or compliance tracking is stamped with its retention class, its capture date, its retention end date, the framework references the artefact supports, and the named disposition owner. The metadata travels with the artefact from capture so the disposition path is automatic when the retention window closes. Capture without metadata is the source of indefinite drift; the metadata stamp is the discipline that closes the lifecycle.

Every active hold records the matter reference, the hold owner, the hold start date, the named scope (engagement, control, asset, finding, time period, or jurisdiction), and the release condition. Artefacts in scope of an active hold surface in the disposition queue with the hold flag and are not eligible for destruction until the hold is released. The register is the override the disposition cycle reads alongside the per-artefact retention metadata.

Each disposition decision records the artefact reference, the linked control, the retention class, the disposition type (archive inside retention, destroy, supersede, retire), the disposition method (for destroyed artefacts), the disposition date, the disposition owner, and the matter-resolution note for hold-released artefacts. The decision template is the activity-log entry that produces a reproducible disposition record.

A named GRC or security operations owner reviews retention drift on a documented cadence (quarterly is the steady cadence; monthly during heavy disposal or hold-release windows). The reconciliation reads artefacts that should have been disposed and were not, artefacts that were disposed before their retention floor, legal holds that have outlasted the matter, and retention classes that have shifted because of framework version changes. The reconciliation report goes to the leadership read so retention drift is visible between audits.

When a framework releases a new version (PCI DSS 4.0, ISO 27001:2022, NIST CSF 2.0, NIST SP 800-53 Rev 5, HIPAA updates), the transition checklist includes a retention-class review alongside the control mapping update. Retention floors and ceilings that have shifted are recorded against the new framework references. Existing artefacts inherit the new retention class going forward; in-flight artefacts retain their original capture-time class to preserve audit reproducibility.

Retention sits downstream of the compliance audits workflow (the audit produces the evidence retention is governing) and upstream of the asset decommissioning workflow (a retired asset triggers retention class transitions on its evidence). It composes with the cross-framework control mapping crosswalk workflow because one retention class applies across many framework citations.

Retention rolls up into the security leadership reporting workflow where the disposition queue, active legal holds, destruction register, and retention drift reconciliation all become headline indicators on the leadership cadence. The control gap remediation workflow consumes retention failures (missing evidence, expired evidence) as control gaps with named owners and closure plans, and the research on audit evidence half-life informs the retention class decisions the catalogue records. The carrier-facing read of the same retained evidence at policy renewal and at claim time lives on the cyber insurance security evidence workflow, so the same retention catalogue answers the audit and the underwriter.

Capture stamps the artefact with retention class, capture date, retention end date, and named disposition owner. Capture without metadata is treated as a control event so the shared drive cannot grow forever by accident.

Every legal hold is recorded on the engagement with matter reference, scope, owner, and release condition. Holds communicated by email and not on the engagement are treated as documentation gaps to close, not as in-flight overrides to honour.

Quarterly disposition reviews run on the live record with named owners, recorded decisions, and destruction certificates captured at the moment of disposal. The clean-up sprint becomes a routine cadence the audit can read.

Over-retention, under-retention, hold-outlasted-matter cases, and framework version-transition mismatches are reported at the quarterly leadership cadence rather than discovered at the next external assessment.