Retention Period for visitor's log

John Broomfield

Staff member
Super Moderator
#2
It depends on the organization, their stakeholders and what they need to provide the required degree of security.

If the auditee has yet to determine this then issue your finding to strengthen their system weakness.

As the auditor you should not do the auditee’s job as this further weakens their system by becoming overly dependent on the auditor.
 

Jim Wynne

Staff member
Admin
#3
It depends on the organization, their stakeholders and what they needed to provide the required degree of security.

If the auditee has yet to determine this then issue your finding to strengthen their system weakness.
How do we know that a "finding" is appropriate? Is there a requirement in the standard, or in the auditee's system?
 

Mike S.

Happy to be Alive
Trusted Information Resource
#4
I am working on a Physical security audit. Can someone please advise on how long a company can retain the visitor's log?
I'm not familiar with the IAC standard, does it specify any minimum or maximum retention time requirement?

Unless the standard has a shall stating otherwise, I'd say they "can" keep it as long as they want.

As to how long they need to or "shall" retain it (minimum retention time) if not mentioned in the standard should be specified by the organization to meet their needs and the needs of their stakeholders. A "finding" (not necessarily a nonconformance) may be appropriate if they don't mention any retention time.
 

John Broomfield

Staff member
Super Moderator
#5
A finding is simply a statement of fact from the audit.

In this case it looks as if the auditee has yet to determine the retention period.
 

Jim Wynne

Staff member
Admin
#6
A finding is simply a statement of fact from the audit.

In this case it looks as if the auditee has yet to determine the retention period.
A retention period may be expressed as minimum. The OP was asking about maximum. Is there a maximum retention period expressed in the standard? If so, do visitor logs qualify? If not, there should be no "finding."
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#8
I am working on a Physical security audit. Can someone please advise on how long a company can retain the visitor's log?
The answer, if one is available, would be found in the requirements that comprise the audit criteria. You posted this discussion in the ISO 27001 forum, but that standard does not have any specific requirement for this. So, as Jim mentioned, if there is a requirement, it would be found in the organization command media for information security or any other relevant and applicable information security document the organization ascribes to, either voluntarily or due to contractual requirements, not mentioning any potential regulatory mandate as well.

Obviously, the context of the organization you are auditing would have a tremendous impact on the importance of the visitor's logs. If you are a visitor to Area 51, a nuclear power plant, an ITAR-impacted plant, an R&D Lab involved with highly classified projects, etc., the criticality of such logs is different, compared to a more mundane location.
 

Richard Regalado

Trusted Information Resource
#9
I am working on a Physical security audit. Can someone please advise on how long a company can retain the visitor's log?
Hello.
You may retain it for as long as you want or as long as you need.

Need would be dependent on:
- contractual obligations
- legal and regulatory requirements
- requirements of your business

Your want depends on your storage capacity and your risk tolerance for keeping that particular information.

It becomes a bit more tricky if the visitor's log contains personally identifiable information.
 