How to Implement ISO 27001 Annex A 5.33

Implementing ISO 27001 Annex A 5.33 is a critical security mandate requiring the identification, cryptographic protection, and immutable storage of organizational records to ensure their authenticity, availability, and eventual secure destruction. This control necessitates strict retention enforcement and granular access rights, providing the business benefit of defensible audit trails and resilience against legal liability or data tampering.

ISO 27001 Annex A Protection of Records Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.33. This control demands rigorous, evidence-based protection of your organisation’s records against loss, destruction, falsification, and unauthorised access, requiring manual verification of storage integrity rather than reliance on policy documents.

1. Establish a Verified Records Inventory

Control Requirement: Identify, classify, and document the existence of all business-critical records. Required Implementation Step: Crawl your file servers, databases, and physical archives yourself to build a definitive asset register. Do not rely on user surveys; run scripts (e.g., PowerShell or Python) to map directory structures and identify where sensitive records (PII, financial, IP) actually reside on disk.

Minimum Requirement: A complete, dated inventory listing record types, owners, and specific physical/digital locations, verified by system scan.
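The scan described above, as an added example that is not part of the original page or the author's toolkit. It walks a directory tree, classifies files by filename and by a sample of their content, and emits a dated CSV register listing path, categories, owner and modification time. The classification rules, directory layout and sample files are constructed for the example; the scan uses the POSIX pwd module for owner names, so it is Linux/macOS code.

```python
import csv
import io
import os
import pwd
import re
from datetime import date, datetime, timezone
from pathlib import Path

# Classification rules are an assumption for this example: map a record
# category to filename patterns and to content patterns that indicate
# sensitive data. Extend them to match your own record types.
NAME_RULES = {
    "financial": re.compile(r"(invoice|ledger|tax|payroll)", re.I),
    "hr": re.compile(r"(employee|contract|hr_)", re.I),
}
CONTENT_RULES = {
    "pii": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+"),                       # e-mail address
    "financial": re.compile(rb"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),  # card-like number
}
SCAN_BYTES = 64 * 1024  # only sample the head of each file


def classify(path: Path) -> set:
    """Return the record categories a file matches, by name and by sampled content."""
    cats = {c for c, rx in NAME_RULES.items() if rx.search(path.name)}
    try:
        head = path.read_bytes()[:SCAN_BYTES]
    except OSError:
        return cats
    cats |= {c for c, rx in CONTENT_RULES.items() if rx.search(head)}
    return cats


def owner_name(st: os.stat_result) -> str:
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)


def build_inventory(root: str) -> list:
    """Walk root and return one row per file that matches at least one category."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            cats = classify(p)
            if not cats:
                continue
            st = p.stat()
            rows.append({
                "path": str(p),
                "categories": ",".join(sorted(cats)),
                "owner": owner_name(st),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "scanned": date.today().isoformat(),
            })
    return sorted(rows, key=lambda r: r["path"])


def inventory_csv(rows: list) -> str:
    """Serialise the inventory as the dated register an auditor can file."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["path", "categories", "owner", "size", "modified", "scanned"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def make_sample_tree(base: str) -> None:
    """Constructed sample data so the scan runs offline."""
    os.makedirs(os.path.join(base, "finance"), exist_ok=True)
    os.makedirs(os.path.join(base, "misc"), exist_ok=True)
    Path(base, "finance", "invoice_2021.txt").write_text("Total due 1200\n")
    Path(base, "finance", "notes.txt").write_text("contact: jane.doe@example.com\n")
    Path(base, "misc", "readme.txt").write_text("nothing sensitive here\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        make_sample_tree(d)
        print(inventory_csv(build_inventory(d)))
```

Content sampling is what separates this from a survey: the notes file is flagged as PII because of what is inside it, not because of its name. Run it against each file server and keep the CSV as the dated, scan-verified inventory the control asks for.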

2. Define and Enforce Retention Schedules

Control Requirement: Retain records for the specific duration required by law, regulation, and business need. Required Implementation Step: Consult legal counsel to define exact retention periods for each record category (e.g., “Tax Records: 7 Years”). Configure automated retention policies at the file-system or database level (e.g., AWS S3 Lifecycle Rules, Windows Server File Management Tasks) to enforce these periods rigidly, ensuring data is neither deleted too early nor kept indefinitely.

Minimum Requirement: A published Retention Schedule linked to automated enforcement scripts or configuration settings.
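A script-based enforcement of a retention schedule, as an added example that is not the page's own code. It assumes a layout where the first directory under the records root names the category, takes retention periods from a schedule dictionary (the categories and years here are constructed placeholders, not legal advice), and applies the two-sided rule the text gives: expired records are deleted, records inside their period are kept, and records with no category are never auto-deleted but reported, because deleting them could destroy a record before its legal period.

```python
import os
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Retention schedule: category -> retention in years. Categories and periods
# are assumed for this example; take real periods from legal counsel.
RETENTION_YEARS = {"tax": 7, "hr": 6, "marketing": 2}
DAYS_PER_YEAR = 365.25


@dataclass
class Decision:
    path: str
    category: Optional[str]
    age_days: int
    action: str   # "keep", "expired" or "uncategorised"


def category_of(path: Path, root: Path) -> Optional[str]:
    """The first path component under root names the category (assumed layout)."""
    first = path.relative_to(root).parts[0]
    return first if first in RETENTION_YEARS else None


def evaluate(root: str, now: Optional[datetime] = None) -> list:
    """Classify every file under root as keep / expired / uncategorised."""
    now = now or datetime.now(timezone.utc)
    root_p = Path(root)
    out = []
    for dirpath, _dirs, files in os.walk(root_p):
        for name in files:
            p = Path(dirpath) / name
            mtime = datetime.fromtimestamp(p.stat().st_mtime, timezone.utc)
            age = (now - mtime).days
            cat = category_of(p, root_p)
            if cat is None:
                action = "uncategorised"   # would be kept forever: flag for an owner decision
            elif age > RETENTION_YEARS[cat] * DAYS_PER_YEAR:
                action = "expired"
            else:
                action = "keep"
            out.append(Decision(str(p), cat, age, action))
    return sorted(out, key=lambda d: d.path)


def enforce(root: str, dry_run: bool = True, now: Optional[datetime] = None) -> dict:
    """Delete expired files (unless dry_run) and return counts per action.

    Uncategorised files are never touched: deleting them risks destroying a
    record before its legal period, so they are reported for a human decision.
    """
    counts = {"keep": 0, "expired": 0, "uncategorised": 0}
    for d in evaluate(root, now):
        counts[d.action] += 1
        if d.action == "expired" and not dry_run:
            os.remove(d.path)
    return counts


def make_sample_tree(base: str) -> None:
    """Constructed sample files with back-dated modification times."""
    now = time.time()
    spec = {
        "tax/2010_return.pdf": 12 * DAYS_PER_YEAR,        # older than 7 years -> expired
        "tax/2022_return.pdf": 2 * DAYS_PER_YEAR,         # inside retention -> keep
        "marketing/old_brochure.pdf": 3 * DAYS_PER_YEAR,  # older than 2 years -> expired
        "unsorted/mystery.xlsx": 9 * DAYS_PER_YEAR,       # no category -> never auto-deleted
    }
    for rel, age_days in spec.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample\n")
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        make_sample_tree(d)
        print(enforce(d, dry_run=True))    # report only
        print(enforce(d, dry_run=False))   # delete expired records
```

Run it with dry_run=True first and keep that report as evidence; the uncategorised count is the list of files your schedule does not yet cover. Modification time is used as the age here because it is what a file server exposes; where a record's legal clock starts elsewhere (closure of a contract, end of a tax year) that date belongs in the inventory and should drive the check instead.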

3. Implement Granular Access Control Lists (ACLs)

Control Requirement: Prevent unauthorised access to records. Required Implementation Step: Bypass high-level application permissions and audit the underlying NTFS, EXT4, or S3 bucket permissions. Implement the Principle of Least Privilege by assigning permissions to security groups, not individuals, and ensuring that ‘Everyone’ or ‘Authenticated Users’ groups have no access to sensitive record repositories.

Minimum Requirement: Validated ACLs showing that only authorised personnel have read/write access to specific record directories.
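An OS-level permission audit of the kind the text asks for, as an added example rather than code from the page. It checks POSIX mode bits and owning groups on an EXT4-style record store: any permission for 'other' (the POSIX counterpart of the Windows Everyone group) is a finding, group access is allowed only for an approved records group, and symlinks and setuid/setgid bits are reported. The approved group name and the sample files are constructed for the example.

```python
import grp
import os
import stat
from pathlib import Path

# Assumed policy for this example: records may be readable/writable only by
# the owner and by an approved records group; 'other' must hold no permission
# bits at all. The group name "records" is hypothetical.
ALLOWED_GROUPS = {"records"}


def group_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def findings_for(path: Path, allowed_groups) -> list:
    """Return the policy violations for one file or directory."""
    st = path.lstat()
    mode = st.st_mode
    if stat.S_ISLNK(mode):
        return [f"{path}: symlink inside the record store; verify its target is in scope"]
    out = []
    if mode & stat.S_IRWXO:
        out.append(f"{path}: 'other' has {stat.filemode(mode)[7:]} (world-accessible)")
    gname = group_name(st.st_gid)
    if mode & stat.S_IRWXG and gname not in allowed_groups:
        out.append(f"{path}: group '{gname}' is not an approved records group "
                   f"but has {stat.filemode(mode)[4:7]}")
    if mode & (stat.S_ISUID | stat.S_ISGID) and stat.S_ISREG(mode):
        out.append(f"{path}: setuid/setgid bit set on a record file")
    return out


def audit(root: str, allowed_groups=ALLOWED_GROUPS) -> list:
    """Audit the root directory itself and everything beneath it."""
    root_p = Path(root)
    findings = []
    for p in [root_p, *sorted(root_p.rglob("*"))]:
        findings.extend(findings_for(p, allowed_groups))
    return findings


def make_sample_tree(base: str) -> str:
    """Constructed record store: one compliant file and two world-accessible ones."""
    d = Path(base, "records")
    d.mkdir()
    os.chmod(d, 0o750)
    for name, mode in (("private.txt", 0o640),
                       ("world_readable.txt", 0o644),
                       ("world_writable.txt", 0o666)):
        f = d / name
        f.write_text("record\n")
        os.chmod(f, mode)
    return str(d)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as t:
        root = make_sample_tree(t)
        # Accept whatever group the sample files were created with, so the run is clean apart from the two planted faults.
        for line in audit(root, {group_name(os.stat(root).st_gid)}):
            print(line)
```

The audit deliberately ignores application-level roles: it only reads what the kernel will enforce. POSIX ACLs (getfacl) and NTFS DACLs carry extra entries beyond the mode bits, so on those systems the same walk should also dump the ACL of each path and apply the same rules to every entry.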

4. Deploy Cryptographic Protection

Control Requirement: Protect records from unauthorised disclosure and falsification. Required Implementation Step: Enable encryption at rest for all storage media holding records (e.g., BitLocker, LUKS, AES-256 for cloud buckets). Ensure that encryption keys are managed separately from the data itself and that master keys are rotated annually.

Minimum Requirement: Full-disk or file-level encryption active on all repositories containing protected records.

5. Enforce Immutable Storage for Critical Records

Control Requirement: Protect records from destruction and falsification. Required Implementation Step: For critical audit logs and legal evidence, implement WORM (Write Once, Read Many) storage or Object Lock policies. This prevents even administrators (or ransomware) from modifying or deleting records before their retention period expires.

Minimum Requirement: Technical proof of immutability configurations for high-integrity records.
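A check that produces the "technical proof of immutability" the text calls for, as an added example and not the page's code. It evaluates Object Lock configurations in the shape returned by the AWS S3 GetObjectLockConfiguration API (the sample configurations and bucket names below are constructed, and nothing here calls AWS), and it fails a bucket unless the lock is enabled, a default retention rule exists, the mode is COMPLIANCE rather than GOVERNANCE, and the default retention is at least the required period.

```python
# Constructed samples in the shape of boto3's
# s3.get_object_lock_configuration() response; bucket names are hypothetical.
SAMPLE_CONFIGS = {
    "audit-logs-prod": {
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}},
        }
    },
    "legal-hold-archive": {
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}},
        }
    },
    "scratch-bucket": {},   # Object Lock never enabled
}


def retention_days(rule: dict) -> int:
    """Default retention in days; a year is treated as 365 days here."""
    dr = rule.get("DefaultRetention", {})
    if "Days" in dr:
        return int(dr["Days"])
    if "Years" in dr:
        return int(dr["Years"]) * 365
    return 0


def check_object_lock(config: dict, required_days: int) -> list:
    """Return the reasons a bucket fails the immutability requirement (empty list = pass).

    COMPLIANCE mode is required: in GOVERNANCE mode a principal granted
    s3:BypassGovernanceRetention can shorten or remove the lock, which defeats
    the goal that even administrators cannot delete the record early.
    """
    olc = config.get("ObjectLockConfiguration")
    if not olc or olc.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    rule = olc.get("Rule")
    if not rule:
        return ["no default retention rule: objects are only locked if each PUT sets retention"]
    problems = []
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if mode != "COMPLIANCE":
        problems.append(f"retention mode is {mode}, COMPLIANCE required")
    days = retention_days(rule)
    if days < required_days:
        problems.append(f"default retention {days} days is shorter than required {required_days}")
    return problems


def audit_buckets(configs: dict, required_days: int) -> dict:
    """Map each bucket name to its list of problems."""
    return {name: check_object_lock(cfg, required_days) for name, cfg in configs.items()}


if __name__ == "__main__":
    for bucket, problems in audit_buckets(SAMPLE_CONFIGS, required_days=7 * 365).items():
        print(bucket, "PASS" if not problems else problems)
```

Feed it the real responses (one get_object_lock_configuration call per bucket) and file the output with the retention schedule; the bucket-level default is what protects objects written by tooling that forgets to set per-object retention. The same shape of check applies to other WORM stores, with the vendor's equivalent of a compliance mode as the pass condition.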

6. Secure Physical Record Storage

Control Requirement: Protect physical records from environmental threats and theft. Required Implementation Step: Move paper records to a secure, access-controlled room with environmental monitoring (humidity, fire suppression). Install distinct physical locks for cabinets containing highly sensitive data and maintain a manual sign-in/sign-out log for physical retrieval.

Minimum Requirement: A locked, monitored environment for physical archives with a tested key management procedure.

7. Verify Secure Destruction Processes

Control Requirement: Ensure records are permanently destroyed when no longer needed. Required Implementation Step: Contract a certified secure shredding provider for physical documents and obtain Certificates of Destruction. For digital records, use secure-wipe utilities that overwrite the data sectors (e.g., to the DoD 5220.22-M standard) rather than simple OS deletion, which leaves the data recoverable.

Minimum Requirement: Certificates of destruction or verified secure-wipe logs for all disposed records.
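The overwrite-then-verify approach the text contrasts with plain deletion, as an added illustration that is not the page's code and not a certified wiping tool. It writes three passes (zeros, ones, random bytes) over a regular file in place, reads the file back and compares it with a digest of the final pass before unlinking, and refuses symlinks and other non-regular files so that it cannot be pointed at something other than the record. The sample file is constructed; os.O_NOFOLLOW makes this POSIX code.

```python
import hashlib
import os
import secrets
import stat

# Pass pattern: zeros, ones, then cryptographically random bytes, with a
# read-back check of the final pass before the file is unlinked.
PASSES = (b"\x00", b"\xff", None)   # None = random bytes
CHUNK = 1 << 20


def _overwrite(fd: int, size: int, fill) -> str:
    """Write one full pass over the file and return the SHA-256 of what was written."""
    os.lseek(fd, 0, os.SEEK_SET)
    h = hashlib.sha256()
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if fill is None else fill * n
        view = memoryview(buf)
        while view:                      # os.write may write fewer bytes than asked
            written = os.write(fd, view)
            view = view[written:]
        h.update(buf)
        remaining -= n
    os.fsync(fd)                         # force the pass to storage before the next one
    return h.hexdigest()


def _readback_digest(fd: int) -> str:
    os.lseek(fd, 0, os.SEEK_SET)
    h = hashlib.sha256()
    while True:
        chunk = os.read(fd, CHUNK)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def secure_wipe(path: str) -> dict:
    """Overwrite a regular file in place, verify the final pass, then unlink it."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        # A symlink or device node here would overwrite something other than the record.
        raise ValueError(f"{path}: refusing to wipe a non-regular file")
    size = st.st_size
    fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW)
    try:
        expected = ""
        for fill in PASSES:
            expected = _overwrite(fd, size, fill)
        verified = _readback_digest(fd) == expected
    finally:
        os.close(fd)
    if not verified:
        raise OSError(f"{path}: read-back of final pass mismatched; do not log this file as destroyed")
    os.remove(path)
    return {"path": path, "bytes": size, "passes": len(PASSES), "verified": True}


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    sample = os.path.join(d, "old_record.txt")   # constructed sample file
    with open(sample, "wb") as fh:
        fh.write(b"confidential\n" * 1000)
    print(secure_wipe(sample))
```

The returned dictionary is the entry for the secure-wipe log. The in-place overwrite only destroys data where the filesystem writes back to the same blocks: SSD wear-levelling, copy-on-write filesystems (btrfs, ZFS), snapshots and existing backups all keep copies this loop never touches, which is the point the failure checklist below makes about vendor deletion. For those media, use the drive's built-in sanitize command or destroy the encryption key (cryptographic erasure) and record that instead.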

8. Validate Metadata Integrity

Control Requirement: Prevent falsification of record context (creation date, author). Required Implementation Step: Enable strict auditing on file systems to log any changes to metadata. Ensure system clocks are synchronised via NTP (Network Time Protocol) to a trusted stratum-1 source to guarantee the accuracy of timestamps on all records.

Minimum Requirement: NTP configuration evidence and audit logs tracking metadata modification attempts.
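A metadata baseline of the kind OS-level auditing is meant to support, as an added example that is not the page's code. It snapshots content hash, size, modification time, owner and mode for every record, and a later comparison separates content changes from metadata-only changes: the same bytes with a different timestamp or owner is exactly the back-dated or re-attributed record the control is worried about. The sample files and the tampering applied to them are constructed.

```python
import hashlib
import json
import os
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record content hash and metadata for every regular file under root."""
    root_p = Path(root)
    entries = {}
    for p in sorted(root_p.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        entries[p.relative_to(root_p).as_posix()] = {
            "sha256": sha256_of(p),
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "uid": st.st_uid,
            "mode": st.st_mode & 0o7777,
        }
    return entries


def compare(baseline: dict, current: dict) -> list:
    """Classify differences as added, removed, content_changed or metadata_only."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        b, c = baseline.get(rel), current.get(rel)
        if b is None:
            events.append({"path": rel, "event": "added"})
        elif c is None:
            events.append({"path": rel, "event": "removed"})
        elif b["sha256"] != c["sha256"]:
            events.append({"path": rel, "event": "content_changed"})
        else:
            changed = [k for k in ("mtime_ns", "uid", "mode") if b[k] != c[k]]
            if changed:
                # Same bytes, different timestamp/owner/mode: the signature of a
                # back-dated or re-attributed record rather than an edit.
                events.append({"path": rel, "event": "metadata_only", "fields": changed})
    return events


def make_sample_tree(base: str) -> None:
    """Constructed record store."""
    d = Path(base, "contracts")
    d.mkdir()
    for name in ("a.txt", "b.txt", "c.txt"):
        (d / name).write_text(f"contract {name}\n")


def tamper(base: str) -> None:
    """Constructed changes: back-date a, edit b, add new, remove c."""
    d = Path(base, "contracts")
    os.utime(d / "a.txt", (1_000_000_000, 1_000_000_000))   # timestamp reset to 2001
    (d / "b.txt").write_text("contract b.txt (amended)\n")
    (d / "new.txt").write_text("late addition\n")
    (d / "c.txt").unlink()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as t:
        make_sample_tree(t)
        baseline = snapshot(t)
        tamper(t)
        print(json.dumps(compare(baseline, snapshot(t)), indent=2))
```

Store each snapshot as JSON on the immutable store from step 5, so the baseline itself cannot be rewritten along with the record. The comparison only says that metadata moved; the file-system audit log and the NTP-synchronised clock are what tell you when, and by whom.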

9. Test Retrieval and Readability

Control Requirement: Ensure records remain accessible and usable over time. Required Implementation Step: Conduct annual “fire drill” retrieval tests for older archives to ensure legacy file formats (e.g., old CAD files, proprietary database dumps) can still be opened with current software. Maintain a repository of legacy software if necessary.

Minimum Requirement: A documented restoration test proving 5+ year old records can be successfully retrieved and read.

10. Audit Supplier Record Handling

Control Requirement: Ensure third parties protect your records to the same standard. Required Implementation Step: Do not rely on standard contract clauses. Demand evidence of their record protection controls, such as their own ISO 27001 certificate, SOC 2 Type II report, or specific audit logs showing how they segregate and protect your data from other clients.

Minimum Requirement: A signed Data Processing Agreement (DPA) supported by current independent audit evidence from the supplier.

ISO 27001 Annex A 5.33 SaaS / GRC Platform Implementation Failure Checklist

The gap between GRC dashboard compliance and technical reality for Control 5.33.
Record Inventory
The ‘Checkbox Compliance’ Trap: Manually typing a list of “assets” into a GRC portal.
The Reality Check: If the file exists on a server but isn’t in your GRC list, you are non-compliant. Automated discovery is mandatory.

Retention Enforcement
The ‘Checkbox Compliance’ Trap: Uploading a PDF “Retention Policy” to the dashboard.
The Reality Check: A PDF cannot delete files. Without script-based enforcement, your server is hoarding liability.

Access Control
The ‘Checkbox Compliance’ Trap: Assigning “Read Only” roles within the GRC tool.
The Reality Check: Real access happens at the OS level. If a sysadmin can cat the file via SSH, the GRC role is irrelevant.

Secure Destruction
The ‘Checkbox Compliance’ Trap: Clicking “Archive” or “Delete” in a SaaS app.
The Reality Check: Did the vendor zero-fill the sectors? Likely not. The data exists in their backups and snapshots indefinitely.

Metadata Integrity
The ‘Checkbox Compliance’ Trap: The GRC tool logs when you uploaded the evidence.
The Reality Check: Does it detect if the original file’s creation date was spoofed before upload? No. Only OS-level auditing does.

Physical Security
The ‘Checkbox Compliance’ Trap: Ticking “Physical Security” because you use AWS.
The Reality Check: You still have paper contracts and HR files in the office. AWS security doesn’t lock your filing cabinet.

Retrieval Testing
The ‘Checkbox Compliance’ Trap: Assuming cloud backups always work.
The Reality Check: When was the last time you downloaded a 3-year-old backup and actually tried to open the files?

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
