ISO 27001 Annex A 5.33 Audit Checklist

Q: 1. Record Retention and Disposal Schedule Verified

Verification Criteria: A formalised schedule exists that categorises record types and defines specific retention periods based on statutory, regulatory, and business requirements. Required Evidence: Approved Document Retention and Disposal Schedule (RDS) with version history and management sign-off.

Q: 2. Physical Record Storage Security Confirmed

Verification Criteria: Physical records are stored in secure environments that protect against unauthorised access and environmental hazards (fire, flood, humidity). Required Evidence: Physical access logs for archive rooms, fire suppression system certificates, and environmental monitoring logs.

Q: 3. Digital Record Encryption and Confidentiality Validated

Verification Criteria: Records containing sensitive or classified information are protected with cryptographic controls during storage to prevent unauthorised disclosure. Required Evidence: Technical configuration report showing AES-256 (or equivalent) encryption at rest for the primary document management system (DMS) or file servers.

Q: 4. Record Integrity and Falsification Controls Verified

Verification Criteria: Technical measures such as digital signatures, hashing, or WORM (Write Once Read Many) storage are used to prevent unauthorised modification of records. Required Evidence: System logs showing hash verification success or configuration settings for immutable storage buckets.

Q: 5. Personal Identifiable Information (PII) Alignment Confirmed

Verification Criteria: The protection of records aligns with relevant data privacy legislation (e.g., UK GDPR) regarding the processing of personal data. Required Evidence: Data Privacy Impact Assessment (DPIA) for the record management system and evidence of PII masking or pseudonymisation where required.

Q: 6. Secure Disposal of Expired Records Evidenced

Verification Criteria: Records reaching the end of their retention period are destroyed or deleted using secure methods that prevent reconstruction. Required Evidence: Certificates of destruction from certified third-party shredding vendors or secure erasure logs for digital media (e.g., Blancco reports).

Q: 7. Statutory and Regulatory Retention Alignment Verified

Verification Criteria: The retention periods defined in internal policies are cross-referenced and aligned with specific local and international laws (e.g., Companies Act, Tax laws). Required Evidence: Legal and Regulatory Register showing the mapping of specific laws to internal record-keeping procedures.

Q: 8. Record Access Control Lists (ACLs) Validated

Verification Criteria: Access to records is strictly restricted based on the principle of least privilege and "need-to-know" criteria. Required Evidence: Permissions report from the DMS or File Server showing restricted access to sensitive folders based on job roles.

Q: 9. Metadata and Audit Trail Integrity Confirmed

Verification Criteria: Metadata (author, creation date, modifications) is preserved with the record, and audit logs of record access are maintained and protected. Required Evidence: Sample of record properties showing preserved metadata and a protected log of administrative access to the archive.

Q: 10. Record Redundancy and Recovery Testing Verified

Verification Criteria: Essential records are backed up or replicated to a secondary location to ensure availability following a disaster or system failure. Required Evidence: Backup success logs for the record management system and a successful restore test report from within the last 12 months.

Auditing ISO 27001 Annex A 5.33 is the critical verification of an organization’s record lifecycle management to ensure legal and operational evidence remains accessible. The Primary Implementation Requirement is a formal retention and disposal schedule, providing the Business Benefit of regulatory compliance and protected institutional knowledge.

1. Record Retention and Disposal Schedule Verified
2. Physical Record Storage Security Confirmed
3. Digital Record Encryption and Confidentiality Validated
4. Record Integrity and Falsification Controls Verified
5. Personal Identifiable Information (PII) Alignment Confirmed
6. Secure Disposal of Expired Records Evidenced
7. Statutory and Regulatory Retention Alignment Verified
8. Record Access Control Lists (ACLs) Validated
9. Metadata and Audit Trail Integrity Confirmed
10. Record Redundancy and Recovery Testing Verified

1. Record Retention and Disposal Schedule Verified

Verification Criteria: A formalised schedule exists that categorises record types and defines specific retention periods based on statutory, regulatory, and business requirements.

Required Evidence: Approved Document Retention and Disposal Schedule (RDS) with version history and management sign-off.

Pass/Fail Test: If the organisation cannot produce a schedule that maps record types to specific legal or business retention durations, mark as Non-Compliant.

2. Physical Record Storage Security Confirmed

Verification Criteria: Physical records are stored in secure environments that protect against unauthorised access and environmental hazards (fire, flood, humidity).

Required Evidence: Physical access logs for archive rooms, fire suppression system certificates, and environmental monitoring logs.

Pass/Fail Test: If sensitive physical records are stored in an unlocked or unmonitored area lacking environmental protection, mark as Non-Compliant.

3. Digital Record Encryption and Confidentiality Validated

Verification Criteria: Records containing sensitive or classified information are protected with cryptographic controls during storage to prevent unauthorised disclosure.

Required Evidence: Technical configuration report showing AES-256 (or equivalent) encryption at rest for the primary document management system (DMS) or file servers.

Pass/Fail Test: If “Confidential” or “Secret” digital records are stored in clear-text on shared drives accessible to non-authorised personnel, mark as Non-Compliant.

ISO 27001 TOOLKIT: CONSULTANT EDITION

THE ULTIMATE PROFESSIONALS ISO 27001 TOOLKIT.

ISO 27001 Toolkit: Consultant Edition

DOWNLOAD DEMO

4. Record Integrity and Falsification Controls Verified

Verification Criteria: Technical measures such as digital signatures, hashing, or WORM (Write Once Read Many) storage are used to prevent unauthorised modification of records.

Required Evidence: System logs showing hash verification success or configuration settings for immutable storage buckets.

Pass/Fail Test: If a record can be edited or deleted by a standard user without a corresponding entry in a protected audit trail, mark as Non-Compliant.

5. Personal Identifiable Information (PII) Alignment Confirmed

Verification Criteria: The protection of records aligns with relevant data privacy legislation (e.g., UK GDPR) regarding the processing of personal data.

Required Evidence: Data Privacy Impact Assessment (DPIA) for the record management system and evidence of PII masking or pseudonymisation where required.

Pass/Fail Test: If records containing PII are retained beyond the statutory limit defined in the privacy policy without a legal hold, mark as Non-Compliant.

6. Secure Disposal of Expired Records Evidenced

Verification Criteria: Records reaching the end of their retention period are destroyed or deleted using secure methods that prevent reconstruction.

Required Evidence: Certificates of destruction from certified third-party shredding vendors or secure erasure logs for digital media (e.g., Blancco reports).

Pass/Fail Test: If expired sensitive records are found in standard waste bins or deleted via simple “Recycle Bin” emptying without secure overwriting, mark as Non-Compliant.

7. Statutory and Regulatory Retention Alignment Verified

Verification Criteria: The retention periods defined in internal policies are cross-referenced and aligned with specific local and international laws (e.g., Companies Act, Tax laws).

Required Evidence: Legal and Regulatory Register showing the mapping of specific laws to internal record-keeping procedures.

Pass/Fail Test: If internal retention periods for financial or tax records are shorter than the legally mandated minimums, mark as Non-Compliant.

8. Record Access Control Lists (ACLs) Validated

Verification Criteria: Access to records is strictly restricted based on the principle of least privilege and “need-to-know” criteria.

Required Evidence: Permissions report from the DMS or File Server showing restricted access to sensitive folders based on job roles.

Pass/Fail Test: If “Read” or “Write” access to sensitive HR or Legal records is granted to the “Everyone” or “All Users” group, mark as Non-Compliant.

9. Metadata and Audit Trail Integrity Confirmed

Verification Criteria: Metadata (author, creation date, modifications) is preserved with the record, and audit logs of record access are maintained and protected.

Required Evidence: Sample of record properties showing preserved metadata and a protected log of administrative access to the archive.

Pass/Fail Test: If system administrators can modify or delete record audit trails to hide unauthorised access, mark as Non-Compliant.

10. Record Redundancy and Recovery Testing Verified

Verification Criteria: Essential records are backed up or replicated to a secondary location to ensure availability following a disaster or system failure.

Required Evidence: Backup success logs for the record management system and a successful restore test report from within the last 12 months.

Pass/Fail Test: If no backup exists for essential records, or if the most recent restoration test for the archive failed, mark as Non-Compliant.

ISO 27001 Annex A 5.33 SaaS / GRC Platform Failure Checklist
Control Requirement	The ‘Checkbox Compliance’ Trap	The Reality Check
Retention Compliance	GRC tool identifies that a “Retention Policy” exists and marks it green.	The auditor must verify that the dates in the policy actually match current UK tax/employment laws.
Secure Disposal	SaaS tool assumes “deletion” in the cloud is “secure disposal”.	Auditor must verify if the cloud provider offers a “Certificate of Destruction” or if data persists in backups/logs.
Physical Protection	Tool ignores physical records as they aren’t “digital assets”.	Real auditors must physically walk to the off-site archive to check for flood/fire risk and physical locks.
Integrity Verification	Platform checks if a file has an “Owner” attribute.	Verify if the system uses SHA-256 hashing. An “owner” tag doesn’t prove the record hasn’t been tampered with.
Access Review	Tool identifies that “Access Control” is turned on.	Examine “Orphaned Accounts.” Users who left 6 months ago often still have “Read” access to archives in GRC tools.
Environmental Controls	SaaS tool assumes the data centre handles this.	Verify the SLA or SOC2 report of the host. If they don’t guarantee humidity levels for tapes, the control fails.
Metadata Preservation	Tool verifies the file exists in the repository.	Download a record; check if the “Created Date” survived the migration. If metadata is wiped, the record is legally useless.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

Table of contents