Exam focus
A.5.33 protects required records through retention. A.5.34 protects privacy and PII according to applicable laws, regulations, and contracts.
Topic Summary
These controls are easy to confuse because both involve retained information. The exam distinction is purpose: records protection is about preserving required records; privacy/PII is about meeting personal-data protection requirements.
Key Concepts
| Control | Exam cue |
|---|---|
| A.5.33 | Records must remain protected, intact, accessible, and controlled until retention ends |
| A.5.34 | PII requirements must be identified and met for actual data holdings and uses |
Common Exam Traps
- Treating backup as full records protection.
- Forgetting media deterioration, obsolete formats, software, readers, and cryptographic keys.
- Treating privacy as confidentiality only.
- Assuming a privacy policy proves compliance without a PII inventory.
- Ignoring contractual PII requirements that go beyond local law.
Related Notes
- Iso27001
- Exam
- Privacy
- Records
Note Metadata
Source: 09-Exam-Preparation/EXAM-014-Records-Privacy-and-PII.md