AuditFront

ISO 27001 A.5.33: Protection of records

What This Control Requires

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release in accordance with legal, statutory, regulatory and contractual requirements.

In Plain Language

Records are not just files sitting on a server - they are evidence. Financial records, audit logs, personnel files, contracts, risk assessments, incident reports - these all need to be protected from loss, tampering, unauthorised access, and accidental destruction for as long as the law or your contracts require.

The retention periods and protection standards are usually dictated by legal and regulatory requirements. You cannot decide to delete financial records after two years because you are running low on storage. And you cannot store sensitive personnel records on an unprotected shared drive.

Auditors will check that you can guarantee the integrity, availability, and confidentiality of records throughout their entire retention period. That includes protection against deliberate tampering, accidental loss, and something people often forget - technology obsolescence making old electronic records unreadable.

How to Implement

Create a records management policy and classification scheme. Identify every type of record your organisation must maintain and the applicable retention requirements. Build a retention schedule covering the record type, the legal or regulatory basis for keeping it, minimum and maximum retention periods, storage location and format, access restrictions, and disposal method.

Choose appropriate storage for different record types. Electronic records belong in managed repositories with access controls, version control, and backup. Use records management systems that enforce retention policies and prevent premature deletion. For anything you need to keep long-term, think carefully about format longevity and plan for migration as technology changes.

Protect records from unauthorised modification. Set access controls that restrict who can create, modify, and delete records. Log all access and changes with audit trails. For critical records, consider write-once storage, digital signatures, or other integrity verification mechanisms. The goal: no one can alter a record without it being detected.
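As an added illustration of the "integrity verification mechanisms" mentioned above (this is example code written for this page, not an AuditFront or ISO artefact), the following script hashes each record into a manifest and authenticates the manifest with an HMAC whose key is held by a records custodian rather than the storage system. The record contents and the key are constructed placeholders; a later verification run reports records that were modified, removed, or added outside the manifest, and a manifest that was itself altered.

```python
import hashlib
import hmac
import json

# Constructed sample records of the kinds the control covers (finance, HR, audit logs).
RECORDS = {
    "finance/invoice-2023-0412.pdf": b"Invoice 0412: 1,250.00 EUR, paid 2023-04-30",
    "hr/contract-jdoe.pdf": b"Employment contract, J. Doe, start 2021-02-01",
    "audit/access-log-2023-q2.csv": b"ts,user,action\n2023-04-01T09:00Z,alice,read\n",
}

# Hypothetical key held by the records custodian, kept apart from the repository so that
# someone with write access to the records cannot simply re-sign a changed manifest.
MANIFEST_KEY = b"custodian-key-placeholder"


def build_manifest(records: dict, key: bytes) -> dict:
    """Hash every record, then authenticate the whole list of hashes with an HMAC."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(records.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(records: dict, manifest: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means every record matches the manifest."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest altered or signed with a different key"]
    findings = []
    for name, digest in manifest["digests"].items():
        if name not in records:
            findings.append(f"missing: {name}")
        elif hashlib.sha256(records[name]).hexdigest() != digest:
            findings.append(f"modified: {name}")
    for name in records:
        if name not in manifest["digests"]:
            findings.append(f"unlisted: {name}")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(RECORDS, MANIFEST_KEY)
    print(verify_manifest(RECORDS, manifest, MANIFEST_KEY))  # []
    tampered = dict(RECORDS)
    tampered["finance/invoice-2023-0412.pdf"] = b"Invoice 0412: 125.00 EUR, paid 2023-04-30"
    print(verify_manifest(tampered, manifest, MANIFEST_KEY))  # ['modified: finance/invoice-2023-0412.pdf']
```

Run the verification on a schedule and alert on any non-empty finding list; storing the manifest on write-once media adds a second layer against deletion of the evidence itself.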

Back up records properly and include records storage in your business continuity plan with appropriate RTOs and RPOs. Keep off-site copies of critical records. For physical records, ensure proper storage conditions - climate control and fire suppression - and consider digitising them for preservation.

Set up secure disposal procedures for when retention periods expire. Use cross-cut shredding for physical records and cryptographic erasure or physical destruction for electronic media. Document every disposal: what was destroyed, when, by whom, and how. Get certificates of destruction where appropriate.

Audit your records management practices regularly. Check that retention schedules are followed, records are properly protected, and disposal happens securely and on time.

Evidence Your Auditor Will Request

  • Records retention schedule with legal and regulatory basis for retention periods
  • Records management policy and procedures
  • Access control configurations for records storage systems
  • Backup and disaster recovery provisions for records
  • Records disposal logs with destruction certificates where applicable

Common Mistakes

  • No records retention schedule defining what must be kept and for how long
  • Records are stored in unmanaged locations without access controls or backup
  • No protection against unauthorized modification of records
  • Records disposal is ad hoc without documented secure destruction procedures
  • Electronic records become inaccessible due to technology obsolescence

Related Controls Across Frameworks

Framework   Control ID     Relationship
SOC 2       CC6.1          Partial overlap
GDPR        Art.5(1)(e)    Related
GDPR        Art.17         Partial overlap
NIS2        Art.21(2)(a)   Partial overlap

Frequently Asked Questions

How do we determine retention periods for records?
Start with your legal counsel - they will know the applicable laws for your jurisdiction. Some common examples: financial records are typically 7 years in most jurisdictions, employee records need to be kept for the duration of employment plus a defined period afterwards, ISMS records should be kept at least 3 years for certification purposes, and audit logs follow whatever your regulatory requirements specify. When multiple requirements apply and conflict, go with the longest retention period.
How do we protect electronic records from technology obsolescence?
Use open standard formats for long-term storage - PDF/A for documents, CSV for structured data. Regularly check that stored records can actually be opened and read. Plan for format migration when technology shifts. Enterprise content management systems can handle format conversion automatically. Keep metadata alongside records so future readers understand what they are looking at. And keep an eye on storage media lifespan - plan to migrate before your disks or tapes start degrading.
