When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to test whether A.5.33 Protection of Records is designed, implemented, operating, and evidenced.
Audit checklist
- Records inventory lists record type, owner, location, retention period, legal/contractual source, protection requirement, and disposal rule.
- Annual documented inventory checks confirm required records still exist and are accessible.
- Access controls, backups, integrity protections, and logging protect records from loss, falsification, unauthorized access, and unauthorized release.
- Long-term records have format, software, reader, media, and cryptographic key availability considered.
- Scanned or electronic records have legal admissibility and integrity requirements reviewed where relevant.
- Secure disposal records show approved destruction after retention or documented legal hold.
Evidence requested
- Inventory or register reviewed.
- Responsible owner interviewed.
- Sample records/systems selected.
- Evidence location recorded.
- Gaps converted into findings or corrective actions.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 33
Note Metadata
Aliases: A.5.33 Checklist
Source: 90 Templates/A.5.33 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.