UnixTime

Research Note

ISO 27001 A.5.33 - Protection of Records

The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released w...

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.”

Plain-language meaning

The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released without authorization.

Why this matters

Records prove business activity, legal compliance, audit history, transactions, system activity, and operational decisions. If records are missing, altered, unreadable, or disclosed incorrectly, the organization may fail audits, lose legal defensibility, breach regulations, or be unable to reconstruct what happened.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

  1. Identify record types that must be retained, including financial records, legal records, audit logs, transaction logs, database records, customs/environmental records, operational procedures, and security records.
  2. List required records in the asset or records inventory with owner, location, retention period, protection need, legal/regulatory/contractual source, and disposal rule.
  3. Protect records from loss, destruction, falsification, unauthorized access, and unauthorized release through access control, backup, immutability where appropriate, encryption, logging, version control, and secure storage.
  4. Perform documented inventory checks at least annually to confirm required records still exist and remain accessible.
  5. Plan for long retention periods by checking media deterioration, obsolete formats, required software, readers, cryptographic keys, and ability to produce records through the end of retention.
  6. Define secure disposal after retention expires, including approval, evidence, legal hold exceptions, and destruction method.
  7. Check legal admissibility and integrity requirements when records are scanned, converted, encrypted, migrated, or stored electronically.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should verify that required records are identified, retention requirements are known, storage and protection controls are defined, inventory accuracy is checked, and records remain accessible and intact through their retention period. They should pay special attention to electronic records, scanned records, encryption keys, media deterioration, and disposal controls.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Records inventory lists record type, owner, location, retention period, legal/contractual source, protection requirement, and disposal rule. Supports design, implementation, operation, or review
Annual documented inventory checks confirm required records still exist and Supports design, implementation, operation, or review
Access controls, backups, integrity protections, and logging protect records from loss, falsification, unauthorized access, and unauthorized release. Supports design, implementation, operation, or review
Long-term records have format, software, reader, media, and cryptographic key availability considered. Supports design, implementation, operation, or review
Scanned or electronic records have legal admissibility and integrity requirements reviewed where relevant. Supports design, implementation, operation, or review

Strong evidence

  • Records inventory lists record type, owner, location, retention period, legal/contractual source, protection requirement, and disposal rule.
  • Annual documented inventory checks confirm required records still exist and are accessible.
  • Access controls, backups, integrity protections, and logging protect records from loss, falsification, unauthorized access, and unauthorized release.
  • Long-term records have format, software, reader, media, and cryptographic key availability considered.
  • Scanned or electronic records have legal admissibility and integrity requirements reviewed where relevant.
  • Secure disposal records show approved destruction after retention or documented legal hold.

Weak evidence

  • Records are kept in shared folders without ownership or retention rules.
  • Retention periods are guessed or copied from old practice without legal review.
  • Electronic records are encrypted but key retention is not planned.
  • Old media or file formats are retained but no one can read them.
  • Inventory checks are informal or not documented.
  • Disposal happens manually without approval or evidence.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Records inventory omits key business or security records Retention and protection requirements cannot be proven
Long-term records become unreadable The organization keeps records but cannot use them when needed
Encryption keys are not retained for encrypted archives Protected records may become permanently inaccessible
Records are editable without integrity control Falsification or accidental alteration may go undetected
Retention and disposal are unmanaged Records may be destroyed too early or kept too long

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • A.5.33 protects records against loss, destruction, falsification, unauthorized access, and unauthorized release.
  • Protection must last until the end of the retention period.
  • Records should be in the asset or records inventory and checked at least annually.
  • Long retention requires considering media deterioration, obsolete tools, software, readers, and cryptographic keys.
  • Electronic or scanned records may require legal admissibility and integrity review.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.33 requires practical protection of legally or operationally important information. The audit question is whether the organization can show what must be protected, why, where it is, who owns it, how long it is retained, who can access it, and how protection remains effective over time.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Compliance
  • Audit
  • Records management
  • Retention
  • Integrity
  • Confidentiality

Note Metadata

Aliases: A.5.33, Protection of Records

Source: 02 Annex A Organizational Controls/A.5.33 Protection of Records.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01

Requirement context

Primary control text, framework notes, or adjacent controls this note points to.

02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.