Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.”
Plain-language meaning
The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released without authorization.
Why this matters
Records prove business activity, legal compliance, audit history, transactions, system activity, and operational decisions. If records are missing, altered, unreadable, or disclosed incorrectly, the organization may fail audits, lose legal defensibility, breach regulations, or be unable to reconstruct what happened.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
- Identify record types that must be retained, including financial records, legal records, audit logs, transaction logs, database records, customs/environmental records, operational procedures, and security records.
- List required records in the asset or records inventory with owner, location, retention period, protection need, legal/regulatory/contractual source, and disposal rule.
- Protect records from loss, destruction, falsification, unauthorized access, and unauthorized release through access control, backup, immutability where appropriate, encryption, logging, version control, and secure storage.
- Perform documented inventory checks at least annually to confirm required records still exist and remain accessible.
- Plan for long retention periods by checking media deterioration, obsolete formats, required software, readers, cryptographic keys, and ability to produce records through the end of retention.
- Define secure disposal after retention expires, including approval, evidence, legal hold exceptions, and destruction method.
- Check legal admissibility and integrity requirements when records are scanned, converted, encrypted, migrated, or stored electronically.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that required records are identified, retention requirements are known, storage and protection controls are defined, inventory accuracy is checked, and records remain accessible and intact through their retention period. They should pay special attention to electronic records, scanned records, encryption keys, media deterioration, and disposal controls.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Records inventory lists record type, owner, location, retention period, legal/contractual source, protection requirement, and disposal rule. | Supports design, implementation, operation, or review |
| Annual documented inventory checks confirm required records still exist and | Supports design, implementation, operation, or review |
| Access controls, backups, integrity protections, and logging protect records from loss, falsification, unauthorized access, and unauthorized release. | Supports design, implementation, operation, or review |
| Long-term records have format, software, reader, media, and cryptographic key availability considered. | Supports design, implementation, operation, or review |
| Scanned or electronic records have legal admissibility and integrity requirements reviewed where relevant. | Supports design, implementation, operation, or review |
Strong evidence
- Records inventory lists record type, owner, location, retention period, legal/contractual source, protection requirement, and disposal rule.
- Annual documented inventory checks confirm required records still exist and are accessible.
- Access controls, backups, integrity protections, and logging protect records from loss, falsification, unauthorized access, and unauthorized release.
- Long-term records have format, software, reader, media, and cryptographic key availability considered.
- Scanned or electronic records have legal admissibility and integrity requirements reviewed where relevant.
- Secure disposal records show approved destruction after retention or documented legal hold.
Weak evidence
- Records are kept in shared folders without ownership or retention rules.
- Retention periods are guessed or copied from old practice without legal review.
- Electronic records are encrypted but key retention is not planned.
- Old media or file formats are retained but no one can read them.
- Inventory checks are informal or not documented.
- Disposal happens manually without approval or evidence.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Records inventory omits key business or security records | Retention and protection requirements cannot be proven |
| Long-term records become unreadable | The organization keeps records but cannot use them when needed |
| Encryption keys are not retained for encrypted archives | Protected records may become permanently inaccessible |
| Records are editable without integrity control | Falsification or accidental alteration may go undetected |
| Retention and disposal are unmanaged | Records may be destroyed too early or kept too long |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- A.5.33 protects records against loss, destruction, falsification, unauthorized access, and unauthorized release.
- Protection must last until the end of the retention period.
- Records should be in the asset or records inventory and checked at least annually.
- Long retention requires considering media deterioration, obsolete tools, software, readers, and cryptographic keys.
- Electronic or scanned records may require legal admissibility and integrity review.
Related controls and concepts
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- Information and Associated Asset Inventory
- Evidence Collection and Chain of Custody Log
- Internal Audit
- Management Review
- Risk Assessment
- Legal and Contractual Requirements Register
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.33 requires practical protection of legally or operationally important information. The audit question is whether the organization can show what must be protected, why, where it is, who owns it, how long it is retained, who can access it, and how protection remains effective over time.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Compliance
- Audit
- Records management
- Retention
- Integrity
- Confidentiality
Note Metadata
Aliases: A.5.33, Protection of Records
Source: 02 Annex A Organizational Controls/A.5.33 Protection of Records.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Internal Audit
- Management Review
- Risk Assessment
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.34 - Privacy and Protection of PII
- A.5 Organizational Controls MOC
- ISO 27001 A.6.1 - Screening
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- A.5.33 Audit Evidence Pack
- AQ-ISO27001-A.5.33 Protection of Records
- ISO 27001 A.8.10 - Information Deletion
- ISO 27001 A.8.13 - Information Backup
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.33 Protection of Records
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-014 - Records, Privacy, and PII
- ISO 27002 Annex A Control Interpretation Map
- A.5.33 Audit Checklist
- Evidence Collection and Chain of Custody Log
- Information and Associated Asset Inventory
- Information Deletion and Destruction Register
- Information Retention and Deletion Rules
- Legal and Contractual Requirements Register
- Long-Term Archive Recoverability Checklist
- Personnel Screening Register
- Records Inventory Review Checklist
- Records Retention and Protection Register
- Secure Media Disposal and Destruction Register
- Annex A Controls MOC