Data Lifecycle Management: Collection, Retention, Remanence, and Secure Destruction

Data lifecycle management is the governance of data from creation to destruction. For the CISSP exam, this is tested as both a technical and a policy topic: understanding the phases of the data lifecycle, knowing which controls apply at each phase, and recognising when data must be retained versus securely destroyed. The most exam-intensive aspects are data remanence — why deleting data is not enough — and the appropriate destruction method for each type of media.

The Full Data Lifecycle

The data lifecycle describes the journey of data from creation to disposal. While different frameworks use different models, the CISSP-relevant lifecycle has six phases.

Create (or Capture) is when data is first generated, whether by a user creating a document, a sensor recording a measurement, a transaction being logged, or data being received from an external source. At creation, data should be classified and access controls applied. The data owner should be identified at this stage.

Store is when data is persisted in a storage system: a database, file server, cloud storage bucket, backup tape, or portable device. Storage security requires encryption at rest, access controls, and physical security for storage media. The sensitivity of stored data drives the physical and logical security requirements of the storage environment.

Use is when data is being processed, analysed, or acted upon. Data in use is particularly vulnerable because it exists in memory or active processing contexts where encryption may not be practical. Controls for data in use include access controls, application-level security, session management, and user behaviour monitoring.

Share (or Transmit) is when data moves between users, systems, or organisations. Data in transit is protected through encryption (TLS, IPSec), integrity verification (digital signatures, MACs), and secure transfer protocols (SFTP, HTTPS rather than FTP or HTTP).

Archive is when data is moved to long-term storage for retention purposes, typically because it is no longer actively needed but must be kept for legal, regulatory, or business reasons. Archived data must remain accessible, protected, and retrievable for the duration of the retention period.