nerdexam
(ISC)2

CISSP · Question #606

How long should the records on a project be retained?

The correct answer is B. Until they are no longer useful or required by policy. Project records should be retained until they are no longer useful or required by organizational policy, balancing operational need with compliance obligations.

Submitted by carlos_mx· Mar 5, 2026Asset Security

Question

How long should the records on a project be retained?

Options

  • AFor the duration of the project, or at the discretion of the record owner
  • BUntil they are no longer useful or required by policy
  • CUntil five years after the project ends, then move to archives
  • DFor the duration of the organization fiscal year

How the community answered

(27 responses)
  • A
    4% (1)
  • B
    89% (24)
  • C
    7% (2)

Why each option

Project records should be retained until they are no longer useful or required by organizational policy, balancing operational need with compliance obligations.

AFor the duration of the project, or at the discretion of the record owner

Retaining records only for the project's duration ignores post-project audit, legal, or compliance needs, and leaving retention to the record owner's discretion introduces inconsistency and risk of premature destruction.

BUntil they are no longer useful or required by policyCorrect

Record retention best practice dictates that records should be kept as long as they serve a business purpose or are mandated by applicable policy, regulation, or legal requirement. This flexible, policy-driven approach ensures compliance with varying legal and organizational requirements while avoiding unnecessary storage of obsolete information. It aligns with standard records management frameworks such as ISO 15489, which emphasize that retention periods must be determined by the value and regulatory context of the records.

CUntil five years after the project ends, then move to archives

A fixed five-year post-project archive period is an arbitrary rule that does not account for varying regulatory requirements, project types, or organizational policies that may demand shorter or longer retention periods.

DFor the duration of the organization fiscal year

Tying record retention to the fiscal year is inappropriate for project records, as projects often span multiple fiscal years and retention obligations extend well beyond financial reporting cycles.

Concept tested: Records retention policy and lifecycle management

Source: https://www.iso.org/standard/62542.html

Topics

#data retention#information lifecycle#policy compliance

Community Discussion

No community discussion yet for this question.

Full CISSP Practice