Auditing ISO 27001 Annex A 5.33 verifies an organisation’s record lifecycle management to ensure that legal and operational evidence remains accessible. The primary implementation requirement is a formal retention and disposal schedule; the business benefit is regulatory compliance and protected institutional knowledge.
This technical verification tool is designed for lead auditors to establish the legal, regulatory, and operational integrity of organisational archives. Use this checklist to validate compliance with ISO 27001 Annex A 5.33 (Protection of records).
1. Record Retention and Disposal Schedule Verified
Verification Criteria: A formalised schedule exists that categorises record types and defines specific retention periods based on statutory, regulatory, and business requirements.
Required Evidence: Approved Document Retention and Disposal Schedule (RDS) with version history and management sign-off.
Pass/Fail Test: If the organisation cannot produce a schedule that maps record types to specific legal or business retention durations, mark as Non-Compliant.
2. Physical Record Storage Security Confirmed
Verification Criteria: Physical records are stored in secure environments that protect against unauthorised access and environmental hazards (fire, flood, humidity).
Required Evidence: Physical access logs for archive rooms, fire suppression system certificates, and environmental monitoring logs.
Pass/Fail Test: If sensitive physical records are stored in an unlocked or unmonitored area lacking environmental protection, mark as Non-Compliant.
3. Digital Record Encryption and Confidentiality Validated
Verification Criteria: Records containing sensitive or classified information are protected with cryptographic controls during storage to prevent unauthorised disclosure.
Required Evidence: Technical configuration report showing AES-256 (or equivalent) encryption at rest for the primary document management system (DMS) or file servers.
Pass/Fail Test: If “Confidential” or “Secret” digital records are stored in clear-text on shared drives accessible to non-authorised personnel, mark as Non-Compliant.
4. Record Integrity and Falsification Controls Verified
Verification Criteria: Technical measures such as digital signatures, hashing, or WORM (Write Once Read Many) storage are used to prevent unauthorised modification of records.
Required Evidence: System logs showing hash verification success or configuration settings for immutable storage buckets.
Pass/Fail Test: If a record can be edited or deleted by a standard user without a corresponding entry in a protected audit trail, mark as Non-Compliant.
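An auditor can test item 4 directly rather than relying on an “owner” attribute: the added example below (not part of this checklist, and not a product feature) builds a SHA-256 manifest of an archive, seals it with an HMAC held by the auditor, and reports edited, deleted and inserted records. The directory layout, file contents and key are constructed for the example.

```python
import hashlib, hmac, json, os, tempfile
# Assumed layout (constructed): records under one root; manifest = relative path -> SHA-256, sealed with an HMAC.

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = sha256_file(full)
    return entries

def seal(manifest, key):
    # HMAC over the canonical JSON form; the key never lives on the archive host.
    return hmac.new(key, json.dumps(manifest, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify(root, manifest, seal_value, key):
    # Refuse to trust any digest until the manifest's own seal checks out.
    if not hmac.compare_digest(seal(manifest, key), seal_value):
        return {"manifest_tampered": True}
    now = build_manifest(root)
    return {"manifest_tampered": False,
            "modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
            "missing": sorted(p for p in manifest if p not in now),
            "added": sorted(p for p in now if p not in manifest)}

def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(body)

def demo():
    key = b"auditor-held-key"  # constructed value for the example
    with tempfile.TemporaryDirectory() as root:
        for rel, body in [("hr/contract-001.txt", b"signed 2021"), ("fin/invoice-42.txt", b"GBP 1200"),
                          ("fin/invoice-43.txt", b"GBP 300")]:
            _write(root, rel, body)
        manifest = build_manifest(root)
        sealed = seal(manifest, key)
        clean = verify(root, manifest, sealed, key)
        # The three events item 4 must catch: an edit, a deletion, an insertion.
        _write(root, "fin/invoice-42.txt", b"GBP 12000")
        os.remove(os.path.join(root, "fin/invoice-43.txt"))
        _write(root, "fin/invoice-99.txt", b"backdated")
        tampered = verify(root, manifest, sealed, key)
        forged = {**manifest, "fin/invoice-42.txt": sha256_file(os.path.join(root, "fin/invoice-42.txt"))}
        return clean, tampered, verify(root, forged, sealed, key)
```

The last check shows why the seal matters: re-hashing an edited file and patching the manifest still fails, because the manifest cannot be re-sealed without the auditor's key.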
5. Personally Identifiable Information (PII) Alignment Confirmed
Verification Criteria: The protection of records aligns with relevant data privacy legislation (e.g., UK GDPR) regarding the processing of personal data.
Required Evidence: Data Privacy Impact Assessment (DPIA) for the record management system and evidence of PII masking or pseudonymisation where required.
Pass/Fail Test: If records containing PII are retained beyond the statutory limit defined in the privacy policy without a legal hold, mark as Non-Compliant.
6. Secure Disposal of Expired Records Evidenced
Verification Criteria: Records reaching the end of their retention period are destroyed or deleted using secure methods that prevent reconstruction.
Required Evidence: Certificates of destruction from certified third-party shredding vendors or secure erasure logs for digital media (e.g., Blancco reports).
Pass/Fail Test: If expired sensitive records are found in standard waste bins or deleted via simple “Recycle Bin” emptying without secure overwriting, mark as Non-Compliant.
7. Statutory and Regulatory Retention Alignment Verified
Verification Criteria: The retention periods defined in internal policies are cross-referenced and aligned with specific local and international laws (e.g., Companies Act, Tax laws).
Required Evidence: Legal and Regulatory Register showing the mapping of specific laws to internal record-keeping procedures.
Pass/Fail Test: If internal retention periods for financial or tax records are shorter than the legally mandated minimums, mark as Non-Compliant.
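Items 1, 5 and 7 together describe one test: does each record sit inside its scheduled period, is an expired record covered by a legal hold, and is every internal period at least the statutory minimum? The added example below (not part of this checklist) encodes that test as a small retention evaluator. The schedule figures and sample records are constructed placeholders, not legal retention periods.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed schedule: record type -> internal retention and statutory minimum, in years.
# Real figures come from the Legal and Regulatory Register (item 7); these are placeholders.
SCHEDULE = {
    "tax_record":     {"internal_years": 6, "statutory_min_years": 6},
    "payroll_record": {"internal_years": 3, "statutory_min_years": 6},  # deliberately too short
    "cctv_footage":   {"internal_years": 0.25, "statutory_min_years": 0},
}

@dataclass
class Record:
    ref: str
    rtype: str
    created: date
    contains_pii: bool = False
    legal_hold: bool = False

def schedule_findings(schedule):
    # Item 7 Pass/Fail: an internal period shorter than the statutory minimum is Non-Compliant.
    return sorted(t for t, s in schedule.items() if s["internal_years"] < s["statutory_min_years"])

def disposition(record, schedule, today):
    # Item 1: the schedule decides expiry; item 5: only a legal hold justifies keeping an expired record.
    expiry = record.created + timedelta(days=round(schedule[record.rtype]["internal_years"] * 365.25))
    if today < expiry:
        return "RETAIN"
    if record.legal_hold:
        return "HOLD"
    return "EXPIRED"  # hand to the item 6 secure-destruction process

def audit(records, schedule, today):
    result = {"RETAIN": [], "HOLD": [], "EXPIRED": [], "pii_over_retained": []}
    for r in records:
        d = disposition(r, schedule, today)
        result[d].append(r.ref)
        if d == "EXPIRED" and r.contains_pii:  # item 5 Pass/Fail test fails here
            result["pii_over_retained"].append(r.ref)
    return result

SAMPLE = [  # constructed records
    Record("TAX-2020-01", "tax_record", date(2020, 4, 6)),
    Record("TAX-2015-07", "tax_record", date(2015, 4, 6)),
    Record("PAY-2016-03", "payroll_record", date(2016, 1, 31), contains_pii=True),
    Record("PAY-2016-09", "payroll_record", date(2016, 1, 31), contains_pii=True, legal_hold=True),
    Record("CCTV-2024-11", "cctv_footage", date(2024, 11, 1), contains_pii=True),
]

def run(today=date(2025, 1, 15)):
    return schedule_findings(SCHEDULE), audit(SAMPLE, SCHEDULE, today)
```

Running it against the sample flags the payroll period as below the statutory minimum and one expired PII record with no legal hold; the remaining EXPIRED entries are candidates for item 6's certified destruction.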
8. Record Access Control Lists (ACLs) Validated
Verification Criteria: Access to records is strictly restricted based on the principle of least privilege and “need-to-know” criteria.
Required Evidence: Permissions report from the DMS or File Server showing restricted access to sensitive folders based on job roles.
Pass/Fail Test: If “Read” or “Write” access to sensitive HR or Legal records is granted to the “Everyone” or “All Users” group, mark as Non-Compliant.
9. Metadata and Audit Trail Integrity Confirmed
Verification Criteria: Metadata (author, creation date, modifications) is preserved with the record, and audit logs of record access are maintained and protected.
Required Evidence: Sample of record properties showing preserved metadata and a protected log of administrative access to the archive.
Pass/Fail Test: If system administrators can modify or delete record audit trails to hide unauthorised access, mark as Non-Compliant.
10. Record Redundancy and Recovery Testing Verified
Verification Criteria: Essential records are backed up or replicated to a secondary location to ensure availability following a disaster or system failure.
Required Evidence: Backup success logs for the record management system and a successful restore test report from within the last 12 months.
Pass/Fail Test: If no backup exists for essential records, or if the most recent restoration test for the archive failed, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Retention Compliance | GRC tool identifies that a “Retention Policy” exists and marks it green. | The auditor must verify that the dates in the policy actually match current UK tax/employment laws. |
| Secure Disposal | SaaS tool assumes “deletion” in the cloud is “secure disposal”. | Auditor must verify if the cloud provider offers a “Certificate of Destruction” or if data persists in backups/logs. |
| Physical Protection | Tool ignores physical records as they aren’t “digital assets”. | Real auditors must physically walk to the off-site archive to check for flood/fire risk and physical locks. |
| Integrity Verification | Platform checks if a file has an “Owner” attribute. | Verify if the system uses SHA-256 hashing. An “owner” tag doesn’t prove the record hasn’t been tampered with. |
| Access Review | Tool identifies that “Access Control” is turned on. | Examine “Orphaned Accounts.” Users who left 6 months ago often still have “Read” access to archives in GRC tools. |
| Environmental Controls | SaaS tool assumes the data centre handles this. | Verify the SLA or SOC2 report of the host. If they don’t guarantee humidity levels for tapes, the control fails. |
| Metadata Preservation | Tool verifies the file exists in the repository. | Download a record; check if the “Created Date” survived the migration. If metadata is wiped, the record is legally useless. |