Description
A device management system can remotely delete organisational data from devices, either when a device actively makes a connection or after an interval without any connection.
Encrypted data whose keys have been made unrecoverable complies with this standard.
Specification
Deletion of data follows NIST Guidelines for Media Sanitization for the level ‘Clear’ or higher: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
Example: https://www.umsystem.edu/ums/is/infosec/data-disposal
The recommended period to wipe data after devices have not made a connection should be set taking into account common use-cases, such as employees who regularly spend longer periods without a connection. Employees should be made aware of these restrictions on managed devices on a regular basis.
ISO 27001 & 27002:2022
A6.7, A8.1
SURF information security assessment framework (NBA maturity model)
SM.03 Mobile devices and teleworking