AQ-ISO27001-A.5.33 Protection of Records
Audit question set for ISO27001-A.5.33. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
ISO27001 domain with 188 resources grouped for implementation and audit work.
Domain guide
A.5 controls for governance, policies, suppliers, incidents, business continuity, legal requirements, and information handling.
Guide + resources
Implementation context, reference notes, and explanatory material.
Audit question set for ISO27001-A.5.33. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.34. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.35. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.36. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.37. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.23. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.24. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.25. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.26. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.27. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.28. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.29. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.30. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.31. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.32. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.10. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.11. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.13. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.14. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.15. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.16. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.17. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.18. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.19. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.20. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.21. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.22. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.5. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Audit question set for ISO27001-A.5.9. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.
Control-level notes and control-domain references.
Organizational controls establish governance, accountability, policy, process, and oversight for the ISMS.
Research note.
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant...
People must know how they are allowed to use organizational information and assets, and how they must handle information based on sensitivity and classification.
When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or s...
Information must be grouped by protection need so people know how carefully to handle it.
If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.
The organization must define how information can be transferred safely, both internally and externally.
The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.
Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.
The organization must control how secret authentication information is issued, changed, protected, reset, and handled.
Access rights must be granted, changed, reviewed, and removed through a controlled process.
The organization must manage information security risks created by suppliers, supplier products, and supplier services.
Information security roles and responsibilities must be defined and allocated according to organizational needs.
The organization must put the right security requirements into supplier contracts or agreements before the supplier receives access to information, systems, facilities, or servi...
The organization must manage security risks that come through ICT suppliers and the suppliers behind those suppliers.
Supplier security does not end when the contract is signed. The organization must keep checking whether the supplier is delivering the agreed service securely, whether controls...
Cloud services must be governed from selection to exit. The organization needs defined processes for buying, configuring, using, monitoring, changing, and leaving cloud services...
The organization must prepare before incidents happen. It needs defined and communicated incident management processes, roles, responsibilities, escalation paths, and recovery c...
The organization must review reported security events and make a clear, recorded decision: is this just an event, or is it an information security incident that needs formal res...
Once an event is categorized as an incident, the organization must respond using documented procedures rather than improvising.
The organization must turn incident experience into better controls, procedures, awareness, risk treatment, and response capability.
The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.
The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.
No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.
The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.
The organization must know which legal, statutory, regulatory, and contractual information security requirements apply, document them, keep them current, and define how it will...
The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trade...
The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released w...
The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then...
The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.
The organization must regularly check whether people, processes, and systems comply with its information security policies, rules, standards, and technical implementation requir...
The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.
Management must require all personnel to apply information security in accordance with the organization's information security policy, topic-specific policies, and procedures.
The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory reques...
The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated...
The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.
Projects must handle information security from the start, not as a late review before go-live.
The organization must know what information and related assets it has, where they are, who owns them, how important they are, and how they are protected.
The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released without authorization.
The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then implement controls to meet those requirements.
The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.
The organization must regularly check whether people, processes, and systems comply with its information security policies, rules, standards, and technical implementation requirements.
The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.
Cloud services must be governed from selection to exit. The organization needs defined processes for buying, configuring, using, monitoring, changing, and leaving cloud services in line with its security requirements.
The organization must prepare before incidents happen. It needs defined and communicated incident management processes, roles, responsibilities, escalation paths, and recovery coordination.
The organization must review reported security events and make a clear, recorded decision: is this just an event, or is it an information security incident that needs formal response?
Once an event is categorized as an incident, the organization must respond using documented procedures rather than improvising.
The organization must turn incident experience into better controls, procedures, awareness, risk treatment, and response capability.
The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.
The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.
The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.
The organization must know which legal, statutory, regulatory, and contractual information security requirements apply, document them, keep them current, and define how it will meet them.
The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trademarks, patents, subscription content, and AI-generated or AI-assisted material.
The organization needs a formal information security policy structure, not random documents sitting in a shared folder.
People must know how they are allowed to use organizational information and assets, and how they must handle information based on sensitivity and classification.
When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or securely removed.
Information must be grouped by protection need so people know how carefully to handle it.
If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.
The organization must define how information can be transferred safely, both internally and externally.
The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.
Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.
The organization must control how secret authentication information is issued, changed, protected, reset, and handled.
Access rights must be granted, changed, reviewed, and removed through a controlled process.
The organization must manage information security risks created by suppliers, supplier products, and supplier services.
People must know what they are responsible for, and the organization must be able to prove those responsibilities were assigned, communicated, accepted, and kept current.
The organization must put the right security requirements into supplier contracts or agreements before the supplier receives access to information, systems, facilities, or services.
The organization must manage security risks that come through ICT suppliers and the suppliers behind those suppliers.
Supplier security does not end when the contract is signed. The organization must keep checking whether the supplier is delivering the agreed service securely, whether controls still work, and whether supplier changes create new risk.
No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.
Managers must actively ensure that people follow information security requirements.
The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory request, or emergency happens.
The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated training.
The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.
Projects must handle information security from the start, not as a late review before go-live.
The organization must know what information and related assets it has, where they are, who owns them, how important they are, and how they are protected.
Audit evidence packs, registers, proof records, and evidence examples.
The auditor wants to confirm that information security policies are defined, approved, published, communicated, acknowledged, controlled, and reviewed.
The auditor wants to confirm that acceptable use rules and information handling procedures are defined, communicated, acknowledged, implemented, and enforced for relevant users...
The auditor wants to confirm that employees, contractors, third-party users, and other relevant parties return organizational assets when employment, contract, agreement, or rol...
The auditor wants to confirm that the organization has a clear, usable classification scheme and that information is classified according to confidentiality, integrity, availabi...
The auditor wants to confirm that labelling procedures exist, align with the classification scheme, and are implemented across relevant physical and digital forms of information.
The auditor wants to confirm that the organization has documented and implemented rules, procedures, or agreements for transferring information internally and externally across...
The auditor wants to confirm that physical and logical access rules are defined, implemented, approved, reviewed, and based on business and information security requirements.
The auditor wants to confirm that identities are uniquely registered where possible and managed through the full lifecycle: creation, authorization, change, review, disabling, d...
The auditor wants to confirm that secret authentication information is issued, managed, changed, reset, stored, and handled through a controlled process, and that users understa...
The auditor wants to confirm that access rights are formally provisioned, reviewed, modified, and removed according to access control rules.
The auditor wants to confirm that supplier information security risks are identified, assessed, controlled, contractually addressed, and reviewed.
The auditor wants to confirm that information security roles and responsibilities are defined, allocated, documented, communicated, understood, accepted, current, and applied to...
The auditor wants to confirm that supplier security requirements are established, agreed, authorized, and appropriate to the supplier relationship before access or information s...
The auditor wants to confirm that ICT supply-chain risks are identified and managed, including inherited risks from subcontractors, cloud providers, support parties, hosting pro...
The auditor wants to confirm that supplier security practices and service delivery are monitored, reviewed, evaluated, and changed through a controlled process.
The auditor wants to confirm that cloud service acquisition, use, management, and exit are governed according to the organization's information security requirements.
The auditor wants to confirm that incident management processes, roles, responsibilities, reporting routes, and preparation activities are defined, established, communicated, an...
The auditor wants to confirm that reported security events are assessed using defined criteria and that the incident/non-incident decision is recorded with justification and tim...
The auditor wants to confirm that confirmed information security incidents are responded to according to documented procedures and that response decisions, actions, responsibili...
The auditor wants to confirm that knowledge from incidents is captured and used to improve controls, procedures, awareness, risk treatment, and the ISMS.
The auditor wants to confirm that procedures exist and operate for identifying, collecting, acquiring, preserving, storing, and protecting evidence related to information securi...
The auditor wants to confirm that information security is maintained at an appropriate level during disruption and that continuity plans include security objectives, roles, requ...
The auditor wants to confirm that conflicting duties and responsibilities have been identified and segregated, or that compensating controls exist where segregation is not pract...
The auditor wants to confirm that ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.
The auditor wants to confirm that applicable legal, statutory, regulatory, and contractual information security requirements are identified, documented, owned, kept current, and...
The auditor wants to confirm that procedures protect intellectual property rights and that software, content, source code, libraries, and AI-generated material are used within a...
The auditor wants to confirm that required records are identified, retained, protected from loss/alteration/unauthorized access/release, reviewed, accessible through retention,...
The auditor wants to confirm that privacy and PII requirements are identified, mapped, implemented, reviewed, and evidenced for all relevant PII holdings, roles, transfers, and...
The auditor wants to confirm that the information security approach and implementation are independently reviewed at planned intervals and after significant changes, with findin...
The auditor wants to confirm that compliance with information security policies, rules, and standards is regularly reviewed through management and technical checks, with finding...
The auditor wants to confirm that operating procedures for information processing facilities are documented, controlled, current, available to personnel who need them, and used...
The auditor wants to confirm that managers actively require personnel to apply information security according to policies and procedures.
The auditor wants to confirm that the organization has identified relevant authorities, assigned authorized liaison roles, defined contact triggers, maintained accurate contact...
The auditor wants to confirm that the organization maintains proportionate contact with relevant specialist security groups, forums, or professional associations and that useful...
The auditor wants to confirm that threat information is collected, analyzed, validated, contextualized, and used to support risk assessment, risk treatment, control improvement,...
The auditor wants to confirm that information security is integrated into the project management method and applied in real projects from initiation through transition to operat...
The auditor wants to confirm that information and associated assets are identified, owned, classified, maintained, protected, and updated through change, project, procurement, a...
Reusable implementation, audit, and operational templates.
Use this during internal audits to verify that acceptable use and handling rules are defined, acknowledged, implemented, and enforced.
Use this during internal audits to verify that assets are returned during termination, contract end, agreement end, or role change.
Use this during internal audits to verify that information classification is defined, implemented, understood, and maintained.
Use this during internal audits to verify that information labelling procedures are defined and implemented in line with the classification scheme.
Use this during internal audits to verify that information transfer rules, procedures, and agreements are defined and implemented across actual transfer channels.
Use this during internal audits to verify that physical and logical access controls are defined, implemented, approved, and reviewed.
Use this during internal audits to verify that identities are managed across the full lifecycle.
Use this during internal audits to verify that secret authentication information is allocated and managed through a controlled process.
Use this during internal audits to verify that access rights are provisioned, reviewed, modified, and removed according to access control rules.
Use this during internal audits to verify that supplier information security risks are identified, assessed, controlled, and reviewed.
Use this during internal audits to verify that supplier security requirements are formally agreed and appropriate to the supplier relationship.
Use this during internal audits to verify that ICT supply-chain dependencies and inherited security risks are identified and managed.
Use this during internal audits to verify that supplier services and security practices are monitored, reviewed, evaluated, and changed through a controlled process.
Use this during internal audits to verify that cloud services are acquired, used, managed, and exited according to information security requirements.
Use this during internal audits to verify that incident management planning and preparation are defined, communicated, and ready to operate.
Use this during internal audits to test whether A.5.25 Assessment and Decision on Information Security Events is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.26 Response to Information Security Incidents is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.27 Learning from Information Security Incidents is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.28 Collection of Evidence is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.29 Information Security During Disruption is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.30 ICT Readiness for Business Continuity is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.31 Legal, Statutory, Regulatory and Contractual Requirements is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.32 Intellectual Property Rights is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.33 Protection of Records is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.34 Privacy and Protection of PII is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.35 Independent Review of Information Security is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.36 Compliance with Policies, Rules and Standards for Information Security is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.37 Documented Operating Procedures is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether relevant authority contacts are identified, maintained, authorized, and usable.
Use this during internal audits to verify that the organization maintains relevant external security knowledge contacts and uses received information appropriately.
Use this during internal audits to verify that threat information is collected, analyzed, contextualized, and used to support ISMS decisions.
Use this during internal audits to verify that information security is embedded in project governance and applied to sampled projects.
Use this during internal audits to verify that information and associated assets are inventoried, owned, maintained, and protected.
Research note.
Research note.
Research note.
Research note.
Mappings across controls, risks, standards, and assurance views.
This table maps each covered A.5 organizational control to implementation output, audit evidence, and ISO/IEC 27005-style risk logic.
Link to this domain with /research/iso27001/annex-a-organizational-controls/ . Link directly to exact notes from any resource card above.