UnixTime

Research Note

EXAM-014 - Records, Privacy, and PII

These controls are easy to confuse because both involve retained information. The exam distinction is purpose: records protection is about preserving required records; privacy/P...

On this page

Exam focus

A.5.33 protects required records through retention. A.5.34 protects privacy and PII according to applicable laws, regulations, and contracts.

Topic Summary

These controls are easy to confuse because both involve retained information. The exam distinction is purpose: records protection is about preserving required records; privacy/PII is about meeting personal-data protection requirements.

Key Concepts

Control Exam cue
A.5.33 Records must remain protected, intact, accessible, and controlled until retention ends
A.5.34 PII requirements must be identified and met for actual data holdings and uses

Common Exam Traps

  • Treating backup as full records protection.
  • Forgetting media deterioration, obsolete formats, software, readers, and cryptographic keys.
  • Treating privacy as confidentiality only.
  • Assuming a privacy policy proves compliance without a PII inventory.
  • Ignoring contractual PII requirements that go beyond local law.