
CISM · Question #227

CISM Question #227: Real Exam Question with Answer & Explanation

The correct answer is C: Regulatory requirements.

Submitted by khalil_dz · Apr 18, 2026 · Information Security Governance

Question

Which of the following is the BEST source of information for determining when to dispose of data records?

Options

  • A. Capacity constraints
  • B. Industry best practices
  • C. Regulatory requirements
  • D. Internal audit reports

Explanation

Regulations such as HIPAA, GDPR, SOX, and PCI-DSS impose legally binding minimum and maximum retention periods for specific categories of data. Disposing of records too early or too late can result in legal penalties, failed audits, or liability. Capacity constraints are operational concerns that should never override legal obligations. Industry best practices are useful guidance but are not enforceable and may not reflect jurisdiction-specific legal mandates. Internal audit reports assess compliance after the fact and do not define the retention schedule itself. Regulatory requirements are the authoritative, binding source.

Topics

#Data Retention #Data Disposal #Regulatory Compliance #Information Governance
