UnixTime

Research Note

A.5.33 Audit Checklist

Use this during internal audits to test whether A.5.33 Protection of Records is designed, implemented, operating, and evidenced.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to test whether A.5.33 Protection of Records is designed, implemented, operating, and evidenced.

Audit checklist

  • Records inventory lists record type, owner, location, retention period, legal/contractual source, protection requirement, and disposal rule.
  • Annual documented inventory checks confirm required records still exist and are accessible.
  • Access controls, backups, integrity protections, and logging protect records from loss, falsification, unauthorized access, and unauthorized release.
  • Long-term records have format, software, reader, media, and cryptographic key availability considered.
  • Scanned or electronic records have legal admissibility and integrity requirements reviewed where relevant.
  • Secure disposal records show approved destruction after retention or documented legal hold.

Evidence requested

  • Inventory or register reviewed.
  • Responsible owner interviewed.
  • Sample records/systems selected.
  • Evidence location recorded.
  • Gaps converted into findings or corrective actions.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 33

Note Metadata

Aliases: A.5.33 Checklist

Source: 90 Templates/A.5.33 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.