Data life cycle governance, classification, metadata, retention, and destruction.

This chapter explains how data should be governed from creation through destruction. ISC uses this area to test whether you can connect data handling choices to integrity, privacy, retention, and assurance concerns.

Data governance questions are rarely about storage alone. The exam usually asks whether classification, access, metadata, retention, or destruction controls are appropriate for the type of information and the stage of the data life cycle.

| Life-cycle issue | Control question | Common ISC trap |
|---|---|---|
| Creation and capture | Was the data complete, accurate, authorized, and properly sourced? | Focusing on later storage controls while ignoring poor input quality. |
| Classification and metadata | Does the organization know sensitivity, ownership, source, and intended use? | Applying the same controls to public, confidential, regulated, and mission-critical data. |
| Active use | Are access, changes, extraction, and reporting governed? | Assuming data is reliable because the system storing it is available. |
| Retention and destruction | Are legal, privacy, operational, and evidence needs balanced? | Keeping data indefinitely or destroying it before obligations expire. |

| Step | What to establish | Control implication |
|---|---|---|
| Identify data type | Financial, personal, confidential, regulated, operational, or analytical data. | Data type drives classification and control strength. |
| Assign ownership | Business owner, data steward, system owner, and custodian roles. | Governance fails when responsibility is unclear. |
| Map life-cycle stage | Creation, storage, use, sharing, archival, or destruction. | Controls change as data moves through the life cycle. |
| Set access and metadata rules | Sensitivity, source, lineage, changes, and authorized users. | Data cannot be trusted if ownership and meaning are unclear. |
| Validate retention and disposal | Legal hold, retention period, privacy requirement, and destruction evidence. | Over-retention and premature destruction both create risk. |

| Checkpoint | What to test | Assurance implication |
|---|---|---|
| Creation controls | Source authorization, completeness checks, validation rules, and input review. | Poor capture can make later analytics unreliable even if storage is secure. |
| Classification accuracy | Sensitivity labels, ownership, regulatory status, and business criticality. | Incorrect classification leads to undercontrolled or overretained data. |
| Metadata and lineage | Source, transformations, field definitions, changes, and downstream use. | Without lineage, reports and models are harder to rely on. |
| Retention authority | Legal, tax, privacy, contractual, and operational retention requirements. | Retention must be long enough for obligations but not indefinite by default. |
| Destruction evidence | Approval, method, completeness, logs, and exception handling. | Disposal controls support privacy, security, and defensible records management. |