ISO 27001 Protection of Records | Annex A 5.33 | The Lead Auditor’s Implementation and Audit Guide

ISO 27001 Annex A 5.33 is a security control that mandates the protection of records against loss, destruction, and falsification to ensure legal and regulatory compliance. Implementing a strict retention schedule and secure disposal protocols provides the business benefit of audit readiness and reduced legal liability.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.33 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.33 Protection of Records

ISO 27001 Annex A 5.33 requires organizations to protect their records from loss, destruction, falsification, and unauthorized access. It ensures that critical business evidence, from financial invoices to system logs, is retained for as long as legally required and then securely destroyed when no longer needed.

Core requirements for compliance include:

  • Retention Schedule: You must define exactly how long each type of record is kept. This is not a guess; it must be based on specific laws (e.g., tax laws, GDPR) or business needs.
  • Protection vs. Storage: It is not enough to just “store” records; you must protect their integrity (preventing tampering) and availability (ensuring they can be retrieved when needed, even years later).
  • Secure Destruction: When a record’s life is over, it must be destroyed securely. Simply deleting a file is often insufficient; you need a process that ensures it cannot be recovered.
  • Media Management: If records are stored on physical media (tapes, hard drives, paper), you must account for deterioration over time and manufacturer guidelines for storage.

Audit Focus: Auditors will ask to see your Retention Policy and check if it matches reality. They will look for:

  1. Justification: Can you explain why you keep customer data for 7 years? (e.g., “Because HMRC tax law requires it”).
  2. Retrieval: Can you actually find and open a record from 3 years ago, or is it locked in an obsolete file format?

Common Retention Examples (Reference Only):

Record Category | Compliance Retention Period | Statutory or Regulatory Justification | ISO 27001:2022 Mapping
Financial / Invoices | 7 Years | Tax law and auditing requirements (e.g., HMRC/IRS) | 5.33 (Protection of records)
Employee Contracts | Termination + 6 Years | Statute of limitations regarding potential legal and employment claims | 5.33 (Protection of records)
System Logs | 1 Year | Forensic investigation requirements and technical standards (e.g., PCI-DSS) | 8.15 (Logging)
CCTV Footage | 30 Days | Data privacy compliance (UK GDPR) unless a security incident occurs | 5.34 (Privacy and protection of PII)
Board Minutes | Permanent | Corporate governance and legal entity history | 5.33 (Protection of records)

What is ISO 27001 Annex A 5.33?

ISO 27001 Annex A 5.33 Protection of Records is an ISO 27001 control that wants you to protect records in line with legal, regulatory, statutory and contractual requirements as well as societal and community expectations. It is about protecting records from unauthorised access, loss or destruction, tampering or falsification and unauthorised release and sharing.

What is the purpose of ISO 27001 Annex A 5.33?

The purpose of ISO 27001 Annex A 5.33 Protection of Records is to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection and availability of records.

Organisations should have a clear understanding of their obligations when it comes to the protection of records and make sure that they adhere to those requirements.

What is the definition of ISO 27001 Annex A 5.33?

The ISO 27001 standard defines ISO 27001 Annex A 5.33 Protection of Records as:

Records should be protected from loss, destruction, falsification, unauthorised access and unauthorised release.

ISO 27001:2022 Annex A 5.33

Watch the ISO 27001 Annex A 5.33 Tutorial

In this video I show you how to implement ISO 27001 Annex A 5.33 and how to pass the audit.

ISO 27001 Annex A 5.33 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.33 Protection Of Records. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.33 Implementation Guidance

Decide what kinds of protection are included

The kinds of protection expected include protecting the authenticity, reliability, integrity and usability of records. You will consider this protection in the context of the business and its requirements and how that changes over time.

Decide what kind of records are included

“Records” is just another term for the data and information an organisation retains and/or uses to carry out its day-to-day business activities. Records can include:

  1. Individual events
  2. Transactions
  3. Work processes
  4. Activities
  5. Functions

You can manage any set of information as a record, irrespective of either its structure or its form.

Issue Guidelines

Guidelines on how you store, transfer and dispose of records will be issued.

Topic specific policy on records management

You are going to implement an ISO 27001 Documents and Records Policy.

Retention schedule

A retention schedule for records will be implemented that sets out how long you retain records.

Legislation

Identify where you operate and the legislation that applies to you, as recorded in your ISO 27001 legal register and covered in ISO 27001 Annex A 5.31 Legal, regulatory, statutory and contractual requirements.

Record Destruction

You will implement procedures that destroy records in a safe and appropriate manner as soon as they are no longer needed and/or after the end of the retention period defined in the retention schedule.

Classification

Apply your information classification and handling policy, and the classification scheme it defines, to records.

Retrieval times

You will make sure that any storage procedures and processes include an acceptable timeframe for retrieval. These will also take into account any third-party or external requests for records.

Encryption

Where encryption is implemented as a control to mitigate risk you will, of course, ensure that the keys needed to decrypt the records remain available for the whole retention period. Consider the guidance in ISO 27001 Annex A 8.24 Use of Cryptography.

Manufacturer Guidelines

You will follow the guidelines from the suppliers and manufacturers for storage and handling and you will take into account the possibility of media deteriorating over time.

Metadata

The data that describes a record, its context, structure and other attributes is referred to as metadata and is seen as an essential component of any record.


How to implement ISO 27001 Annex A 5.33

Implementing ISO 27001 Annex A 5.33 ensures your organisation safeguards its most critical information from loss, destruction, and unauthorised access. As an ISO 27001 Lead Auditor, I expect to see a lifecycle approach to data: from the moment a record is created to its final, secure destruction. Follow these ten technical steps to formalise your record protection framework and satisfy rigorous audit requirements.

1. Formalise a Topic-Specific Policy on Protection of Records

Formalise a mandatory policy that defines the organisation’s requirements for record identification, classification, and storage: this ensures a clear legal and operational baseline is established across the workforce.

  • Identify the specific legal, regulatory, and contractual requirements for record retention.
  • Define clear roles and responsibilities for record owners and custodians.
  • Document the consequences for policy violations to ensure staff accountability.

2. Provision a Detailed Record Inventory within the Asset Register

Provision the Asset Register to include specific entries for all critical records, whether physical or digital: this provides the visibility needed to apply appropriate technical and administrative controls.

  • Identify the “Owner” for every category of record documented.
  • Record the location of records, including cloud storage buckets, local file shares, or physical archives.
  • Link record assets to your broader ISMS risk assessment process.

3. Categorise Records by Security Classification and Sensitivity

Categorise all identified records according to the organisation’s information classification scheme: this ensures that security efforts are prioritised for high-value or highly sensitive data.

  • Apply labels to digital records via metadata or file-naming conventions.
  • Label physical record containers or storage areas clearly to prevent accidental disclosure.
  • Define the specific protection requirements (e.g., encryption, fireproofing) for each classification level.

4. Provision Secure Storage Environments for Physical Records

Provision physical storage areas that protect paper-based records from environmental hazards and unauthorised access: this ensures the physical integrity of non-digital information assets.

  • Deploy fire-resistant cabinets and water-leak detection systems in archive rooms.
  • Restrict physical access to record storage areas using keycards or biometric locks.
  • Implement a “Clean Desk” policy to ensure sensitive records are not left unattended in open offices.

5. Implement Role-Based Access Control via IAM

Implement strict Identity and Access Management (IAM) roles to limit access to digital record repositories: this ensures that only authorised personnel can view or modify sensitive information.

  • Apply the principle of least privilege to file servers, databases, and document management systems.
  • Mandate Multi-Factor Authentication (MFA) for all administrative or privileged access to record stores.
  • Review access logs monthly to identify any anomalous behaviour surrounding sensitive records.

6. Provision Automated Retention and Disposal Schedules

Provision automated systems or formal procedures to manage the lifecycle of records according to legal retention periods: this prevents the storage of unnecessary data and reduces legal liability.

  • Configure “Auto-Delete” or “Archive” rules for cloud storage and email systems based on data age.
  • Document a formal retention schedule that maps record types to specific statutory timeframes.
  • Perform quarterly reviews of stored data to identify records that have reached their end-of-life.

7. Implement Cryptographic Protections for Records at Rest and In Transit

Implement encryption for all records classified as sensitive or confidential: this ensures that data remains unreadable even if the underlying storage media is compromised.

  • Enforce full-disk encryption for laptops and mobile devices containing company records.
  • Use TLS 1.2 or higher for the transmission of records across public networks.
  • Manage cryptographic keys securely within a dedicated Key Management System (KMS).

8. Provision Redundant Backup and Recovery Systems

Provision secure backup procedures to ensure the availability of records in the event of technical failure or disaster: this ensures the organisation can recover critical information within defined timeframes.

  • Automate daily backups of all digital record repositories to a secure, off-site location.
  • Test record recovery procedures semi-annually to verify the integrity of backup data.
  • Protect backups with the same level of encryption and access control as production records.

9. Review Legal, Regulatory, and Contractual Compliance Regularly

Review the record protection framework against changing legal requirements, such as GDPR or sector-specific regulations: this ensures the ISMS remains aligned with external statutory obligations.

  • Consult with legal counsel to verify that retention periods meet current local laws.
  • Update the Record Protection Policy whenever new regulations are enacted.
  • Audit third-party supplier contracts to ensure they adhere to your record protection standards.

10. Audit the Effectiveness of Record Protections Regularly

Audit your record protection controls through the internal audit programme to verify ongoing compliance: this provides the final assurance needed for a successful ISO 27001 certification audit.

  • Test a sample of records to verify they are classified, stored, and retained correctly.
  • Review logs of record disposal to ensure destruction was performed securely and witnessed where required.
  • Document all findings in the Corrective Action Log to drive continuous ISMS improvement.

Common Retention Periods

Record Type | Retention Period | Reason
Financial / Invoices | 7 Years | Tax law (e.g., HMRC/IRS).
Employee Contracts | Termination + 6 Years | Statute of limitations (legal claims).
System Logs | 1 Year | Forensic investigation (PCI-DSS standard).
CCTV Footage | 30 Days | Privacy/GDPR (unless an incident occurs).
Board Minutes | Permanent | Corporate governance.
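The retention schedule and automated disposal rules from step 6, worked as an added Python example (this is not the page's own code nor any High Table toolkit material). The rules are built from the reference periods in the table above; the record identifiers, dates and the legal-hold flag are constructed. It computes each record's disposition, writes the Record of Destruction entries that step 10 asks you to review, and includes the auditor's check that nothing was destroyed before its retention end.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class RetentionRule:
    basis: str                   # statutory or business justification for the period
    years: Optional[int] = None  # years None with days 0 means permanent retention
    days: int = 0
    trigger: str = "created"     # "created", or "terminated" for employee contracts

    @property
    def permanent(self) -> bool:
        return self.years is None and self.days == 0

# Schedule built from the reference retention periods in the table above.
SCHEDULE = {
    "financial_invoice": RetentionRule("Tax law (e.g. HMRC/IRS)", years=7),
    "employee_contract": RetentionRule("Statute of limitations", years=6, trigger="terminated"),
    "system_log": RetentionRule("Forensic investigation (PCI DSS)", years=1),
    "cctv_footage": RetentionRule("UK GDPR", days=30),
    "board_minutes": RetentionRule("Corporate governance"),  # permanent
}

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    terminated: Optional[date] = None  # used only when the rule's trigger is "terminated"
    legal_hold: bool = False           # a legal hold suspends the schedule entirely

def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February rolls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(record: Record) -> Optional[date]:
    """First date on which destruction is permitted; None if permanent or not yet started."""
    rule = SCHEDULE[record.category]
    start = record.terminated if rule.trigger == "terminated" else record.created
    if rule.permanent or start is None:
        return None  # permanent, or the employee is still in post and the clock has not started
    return add_years(start, rule.years or 0) + timedelta(days=rule.days)

def disposition(record: Record, today: date) -> dict:
    """Decide retain / hold / destroy for one record as of a given date."""
    out = {"record_id": record.record_id}
    if record.category not in SCHEDULE:  # fail closed: no rule means no automatic destruction
        return {**out, "action": "retain", "reason": "no retention rule; escalate to record owner"}
    if record.legal_hold:
        return {**out, "action": "hold", "reason": "legal hold in force; schedule suspended"}
    rule, end = SCHEDULE[record.category], retention_end(record)
    if end is None:
        reason = "permanent retention" if rule.permanent else "retention trigger not yet reached"
        return {**out, "action": "retain", "reason": reason}
    if today >= end:
        return {**out, "action": "destroy", "retention_end": end,
                "reason": f"retention period ({rule.basis}) ended on {end.isoformat()}"}
    return {**out, "action": "retain", "retention_end": end,
            "reason": f"{(end - today).days} days of retention remaining"}

def run_disposal(records: List[Record], today: date) -> Tuple[List[str], List[dict]]:
    """Apply the schedule; return ids to destroy and the Record of Destruction entries
    (rule applied plus the date destruction became permissible) an auditor will ask for."""
    log = []
    for rec in records:
        d = disposition(rec, today)
        if d["action"] == "destroy":
            log.append({"record_id": rec.record_id, "category": rec.category,
                        "basis": SCHEDULE[rec.category].basis,
                        "retention_end": d["retention_end"].isoformat(),
                        "destroyed_on": today.isoformat(),
                        "method": "<record the secure-erase or shredding method used>"})
    return [e["record_id"] for e in log], log

def premature_destructions(log: List[dict]) -> List[str]:
    """Auditor check over a disposal log: entries destroyed before their retention end."""
    return [e["record_id"] for e in log
            if date.fromisoformat(e["destroyed_on"]) < date.fromisoformat(e["retention_end"])]

# Constructed sample records; identifiers and dates are made up for illustration.
AS_OF = date(2025, 4, 1)
SAMPLE_RECORDS = [
    Record("INV-2017-001", "financial_invoice", date(2017, 3, 31)),
    Record("INV-2020-042", "financial_invoice", date(2020, 6, 1)),
    Record("EMP-0007", "employee_contract", date(2010, 1, 4), terminated=date(2018, 12, 31)),
    Record("EMP-0008", "employee_contract", date(2015, 5, 1)),   # still employed
    Record("LOG-2024-02", "system_log", date(2024, 2, 29)),       # created on a leap day
    Record("CCTV-2025-03-01", "cctv_footage", date(2025, 3, 1)),
    Record("CCTV-2025-03-20", "cctv_footage", date(2025, 3, 20), legal_hold=True),
    Record("BOARD-2005-Q1", "board_minutes", date(2005, 2, 10)),
]
```

Running `run_disposal(SAMPLE_RECORDS, AS_OF)` marks the 2017 invoice, the terminated employee's contract, the leap-day log and the March CCTV clip for destruction, while the record under legal hold, the still-employed contract and the board minutes are retained.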

How to Audit ISO 27001 Annex A 5.33

Auditing ISO 27001 Annex A 5.33 requires a technical deep dive into how your organisation identifies, classifies, and safeguards its critical data throughout its lifecycle. As a Lead Auditor, I am looking for evidence that goes beyond a simple policy: I want to see technical asset mapping, encryption configurations, and airtight retention schedules. Use this 10-step technical roadmap to ensure your record protection controls are robust enough to withstand a certification audit.

1. Audit the Records Retention and Protection Policy

Audit the topic-specific policy for record protection to confirm it defines the organisation’s approach to safeguarding internal data and respecting third-party privacy. Result: establishes the legal and procedural baseline for the entire ISMS.

  • Verify that the policy explicitly covers retention periods for financial, legal, and operational records.
  • Check for clear definitions of record types and their required protection levels.
  • Confirm the policy is reviewed annually and signed off by senior management.

2. Inspect the Asset Register for Record Mapping

Inspect the Asset Register to ensure that all critical records and data stores are identified and classified. Result: provides the visibility required to apply granular security controls to high-value information.

  • Review the register for entries including databases, physical archives, and cloud storage buckets.
  • Verify that an “Asset Owner” is assigned to every category of protected records.
  • Check that the classification levels, such as Highly Confidential, align with the sensitivity of the data.

3. Review Encryption Standards for Electronic Records

Review the technical configuration for records at rest and in transit to verify that encryption meets industry standards. Result: ensures the confidentiality and integrity of electronic records against unauthorised access.

  • Compare technical settings against the organisation’s encryption policy requirements.
  • Audit key management procedures to ensure cryptographic keys are stored securely.
  • Verify that TLS 1.2 or higher is enforced for all data transmission involving sensitive records.

4. Audit IAM Roles for Record Repositories

Audit Identity and Access Management (IAM) roles for all file servers, databases, and document management systems. Result: ensures that access to core records follows the principle of least privilege.

  • Inspect access control lists (ACLs) for platforms such as SharePoint, AWS S3, or local file shares.
  • Verify that users only have access to the specific record sets required for their current roles.
  • Audit the process for revoking access to record repositories within 24 hours of staff departure.

5. Verify MFA for Record Access Points

Verify that Multi-Factor Authentication (MFA) is mandated for every technical interface that hosts or manages protected records. Result: provides a critical defensive layer against credential theft and unauthorised data release.

  • Check configuration settings on cloud storage, ERP systems, and backup consoles.
  • Ensure MFA is enforced for all administrative accounts and privileged users.
  • Review logs for any instances where MFA was bypassed or disabled.

6. Examine Physical Security for Paper Records

Examine the physical environment where paper-based records are stored to confirm protection against environmental threats and theft. Result: ensures the availability and integrity of physical information assets.

  • Inspect the use of fire-resistant cabinets and water-leak detection in archive rooms.
  • Verify that physical access to record storage areas is logged and restricted via keycards or locks.
  • Check for “Clean Desk” compliance to ensure sensitive records are not left unattended.

7. Audit Backup and Disaster Recovery Procedures

Audit the backup logs and recovery test results for all critical record repositories. Result: confirms the availability of records in the event of technical failure or a ransomware attack.

  • Verify that backups are performed according to the frequency defined in the ISMS.
  • Check for evidence of periodic restoration tests to prove record recoverability.
  • Inspect the security of off-site or cloud-based backup storage to ensure it is isolated from the production network.

8. Inspect Legal and Regulatory Compliance Clauses

Examine a sample of contracts and legal requirements to ensure records are maintained in accordance with statutory obligations. Result: confirms that the organisation is not at risk of legal penalties for premature record destruction.

  • Verify compliance with jurisdiction-specific laws such as GDPR, HIPAA, or local Companies Acts.
  • Check for “Legal Hold” procedures that prevent the deletion of records during litigation.
  • Review the Rules of Engagement (ROE) for third-party storage providers to ensure data sovereignty.

9. Audit Secure Disposal and Destruction Logs

Audit the disposal logs for decommissioned hardware and shredded physical records to ensure data is destroyed securely. Result: prevents the accidental disclosure of protected records via legacy media.

  • Verify certificates of destruction for all physical disks and confidential waste.
  • Check that cloud-based storage volumes were securely wiped before being released.
  • Inspect the Asset Register to ensure disposed assets are formally decommissioned.

10. Audit Records of Access and Modification

Audit the audit logs and file integrity monitoring records to verify that record modifications are authorised. Result: provides evidence that the organisation maintains a reliable audit trail for its protected information.

  • Review the logs for any reports of unauthorised attempts to modify or delete records.
  • Verify that log files themselves are protected from tampering or unauthorised deletion.
  • Check for evidence of regular log reviews being conducted by the security team.

Applicability of ISO 27001 Annex A 5.33 across different business models

Small Businesses
Applicability: Highly applicable for meeting legal and tax obligations. The focus is on ensuring that basic business evidence like invoices and employee contracts is protected from loss and deleted once the legal retention period ends.
Examples of control implementation:
  • Maintaining a Retention Schedule that mandates keeping financial invoices for 7 years to comply with tax laws.
  • Enforcing a policy to securely shred physical employee files 6 years after their termination date.
  • Protecting digital records from falsification by using “read-only” permissions for finalized project contracts in a shared cloud drive.

Tech Startups
Applicability: Critical for protecting high-value intellectual property and ensuring forensic readiness. Compliance involves managing digital records across multiple SaaS tools and ensuring they aren’t lost during rapid system migrations.
Examples of control implementation:
  • Implementing Write-Once-Read-Many (WORM) storage for system logs to ensure they cannot be tampered with during a security investigation.
  • Configuring automated data lifecycle policies in cloud storage to move older “closed” project records to encrypted, low-cost archive tiers.
  • Maintaining a Digital Evidence Locker for storing signed board minutes and shareholder agreements with verified timestamping.

AI Companies
Applicability: Vital for protecting massive training datasets and proprietary research records. Focus is on ensuring the long-term availability of research data while meeting strict privacy and ethical retention standards.
Examples of control implementation:
  • Ensuring Model Training Records (including hyperparameter logs and dataset versions) are retained for 10+ years to support future auditability and bias testing.
  • Implementing automated “secure erase” protocols for training datasets once the research project has concluded and the legal retention period is met.
  • Using redundant, geographically separated cloud regions to protect high-value research records from accidental destruction or regional disasters.

Fast Track ISO 27001 Annex A 5.33 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.33 (Protection of records), the requirement is to protect records from loss, destruction, falsification, unauthorised access, and unauthorised release. This ensures that your organisational data, whether it’s financial transactions, HR files, or board minutes, is maintained in accordance with legal, regulatory, and contractual obligations.

Data Custody
SaaS Compliance Platforms: Rents access to your evidence; if you cancel the subscription, your documented retention schedules and destruction history vanish.
High Table ISO 27001 Toolkit: Total Ownership. Your policies, standards, and logs stay on your secure servers. You own the IP forever.
Audit Evidence Example: A localized “Retention Schedule” stored on your secure drive defining specific rules for HR and financial files.

Operational Simplicity
SaaS Compliance Platforms: Attempts to “automate” archiving via dashboards that cannot interpret specific local tax laws or verify fireproof safe storage.
High Table ISO 27001 Toolkit: Governance-First. Formalizes your existing file management (SharePoint, Drive, Paper) into an auditor-ready framework.
Audit Evidence Example: A completed “Record of Destruction” log providing a formal audit trail for the secure disposal of expired documents.

Financial Impact
SaaS Compliance Platforms: Charges a “Storage Tax” based on data volume or record count, creating a compounding cost that drains your security budget.
High Table ISO 27001 Toolkit: One-Off Investment. Pay once for the professional templates and never receive another invoice, regardless of record volume.
Audit Evidence Example: Reallocating saved SaaS fees toward physical security upgrades or professional off-site archiving services.

Strategic Freedom
SaaS Compliance Platforms: Mandates rigid reporting formats that often fail to account for unique data structures or niche jurisdictional requirements.
High Table ISO 27001 Toolkit: 100% Agnostic. Standardized document formats mean you can move, edit, or migrate your files to any system at any time.
Audit Evidence Example: The ability to evolve your records strategy (e.g., moving from physical to digital) without reconfiguring a rigid SaaS module.

Summary: For Annex A 5.33, the auditor wants to see that you have a formal process for protecting records and a retention schedule that meets legal requirements. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

To ensure full compliance with international laws and industry standards, the following table provides a technical mapping for ISO 27001 Annex A 5.33. This mapping covers the specific requirements for record integrity, retention, and protection across diverse regulatory frameworks.

Standard / Law | Relevant Control / Article | Mapping and Requirements
NIST CSF v2.0 | PR.DS-01, PR.DS-10 | Requires that data is managed throughout its lifecycle, including protection of records at rest and formalised destruction protocols.
NIS2 Directive (EU) | Article 21(2) | Mandates business continuity and the security of information systems, requiring that essential records are resilient to cyber-attacks.
DORA (EU) | Article 12 | Financial entities must maintain ICT backup management and recovery procedures to ensure the integrity and availability of financial records.
SOC 2 (Trust Criteria) | CC6.5, CC6.7 | Organisations must implement technical controls to protect records against unauthorized access and ensure data is retained per policy.
EU AI Act | Article 10, Article 12 | Mandates strict record-keeping for high-risk AI systems, including logs of data training sets and model performance documentation.
ISO/IEC 42001 (AI) | Annex A.4 | Directly addresses data lifecycle management for AI, requiring integrity of training data and protection of model output records.
GDPR / UK GDPR | Article 5(1)(f), Article 32 | The integrity and confidentiality principle requires that personal data records are protected against accidental loss or damage.
UK Data (Use & Access) Act 2025 | Smart Data Clauses | Focuses on reduced administrative burdens while maintaining high security thresholds for mandatory data portability and smart data schemes.
Cyber Security & Resilience Bill (UK) | Article 11 (MSP Obligations) | Expands mandatory reporting requirements for Managed Service Providers, ensuring record integrity is maintained across client environments.
CIRCIA (USA) | Section 2242 | Mandates 72-hour reporting for critical sectors when records are compromised or destroyed during a cyber incident.
EU Product Liability Directive (PLD) | Article 4 (Defectiveness) | Extends strict liability to software providers; failure to maintain records of security-by-design can be used as evidence of product defects.
ECCF (EU Cert Framework) | High Assurance Labels | Requires harmonised security labels where record integrity and protection of evidence are verified for EU-wide product certification.
HIPAA (USA) | 164.312(c)(1) | The Integrity rule requires policies and procedures to protect electronic protected health information (ePHI) from improper alteration or destruction.
CCPA / CPRA (California) | 1798.150 | Allows statutory damages if records containing personal information are breached due to a failure to implement reasonable security procedures.

The Impact of Artificial Intelligence on ISO 27001 Record Protection

As an ISO 27001 Lead Auditor, I am increasingly scrutinising how organisations handle records generated by or used for Artificial Intelligence (AI). If you are deploying machine learning models, utilising generative AI, or embedding Large Language Models (LLMs) into your infrastructure, your record protection scope has fundamentally expanded. AI systems consume and generate vast amounts of data, and you must protect these records with the same rigour as your traditional financial or HR files.

Auditors now expect to see specific controls around AI data lineage, prompt logging, and model output retention. Failure to protect these records can lead to non-conformities, especially when algorithmic decisions are challenged legally or ethically.

AI Record Categories and Retention Strategies

To satisfy Annex A 5.33 in an AI-driven environment, you must update your Asset Register and Retention Schedule to include the following AI-specific records:

AI Record Category | Description and Protection Requirement | Recommended Retention Period
Training Data Lineage | Records detailing the origin, consent mechanisms, and sanitisation of datasets used to train AI models. Must be protected from falsification to prove ethical AI development. | Life of the AI model plus 3 years.
Prompt and Interaction Logs | User inputs and system prompts sent to LLMs. These must be protected against unauthorised access as they often inadvertently contain sensitive or proprietary corporate data. | 90 days to 1 year, depending on privacy impact.
Algorithmic Decision Logs | Records of automated decisions made by the AI (e.g., loan approvals, CV screening). Crucial for defending against bias claims and regulatory audits. | 7 years (aligns with statutory legal defence limitations).
Model Weights and Checkpoints | The mathematical parameters of the trained model. These are highly sensitive intellectual property records that require strict cryptographic protection and secure backups. | Permanent (for core proprietary models).

Automating Record Retention with AI and Machine Learning

Organisations are no longer relying solely on manual deletion schedules. You can deploy AI and machine learning tools to automatically categorise records, enforce retention periods, and execute secure disposal. However, from an audit perspective, you must prove that this automation is accurate and reliable.

  • Automated Classification: Use Natural Language Processing (NLP) to scan documents and automatically apply metadata tags based on your Information Classification Scheme.
  • Smart Archiving: Implement algorithms that monitor file interaction and automatically move dormant records to encrypted, cold storage after a predefined period of inactivity.
  • Auditor Verification: If you use AI to delete expired records, you must retain an automated disposal log. The auditor will ask to see the mathematical or procedural proof that the AI did not delete records prematurely.

Cloud Computing and the Shared Responsibility Model

A common failure during certification audits is the assumption that your cloud provider handles record protection for you. Whether you use AWS, Microsoft Azure, or Google Cloud, Annex A 5.33 operates on a shared responsibility model. You cannot outsource your compliance accountability.

  1. Data Residency and Sovereignty: You must configure your cloud storage buckets so that records are stored in geographically compliant regions (e.g., UK-only data centres) to meet statutory requirements.
  2. Immutable Storage: For highly sensitive records like system audit logs, you must utilise cloud features like AWS S3 Object Lock or Azure Immutable Blob Storage. This enforces a strict Write-Once-Read-Many (WORM) policy that prevents even administrators from tampering with the records.
  3. Vendor Audits: You must regularly review your cloud provider’s SOC 2 or ISO 27001 certificates to ensure their physical data destruction processes align with your internal policies.

Chain of Custody: Protecting Records During a Security Incident

When a data breach occurs, everyday files instantly become forensic evidence. Annex A 5.33 requires that you maintain a strict chain of custody for these records to ensure they remain admissible in a court of law or regulatory investigation.

If you suspect a breach, you must immediately isolate system logs, network traffic captures, and access records. You must store copies of these records in an isolated, offline environment. The auditor will look for a documented procedure detailing exactly who accessed the compromised records, at what time, and for what purpose. If your incident response logs can be altered by the attacker, you will fail the control.
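A tamper-evident chain-of-custody log for the incident scenario above, added here as an example; it is not part of the original article or any High Table toolkit, and the names, timestamps and sample evidence are constructed. Each evidence copy is hashed at seizure, and every access entry (who, when, for what purpose) commits to the digest of the entry before it, which is also how you satisfy the step 10 audit check that log files themselves cannot be altered unnoticed.

```python
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # link value carried by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Digest of an entry's fields in canonical JSON, excluding its own stored digest."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class CustodyLog:
    """Append-only custody log in which each entry commits to the previous entry's digest,
    so editing or removing an earlier entry breaks every link after it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, actor: str, action: str, evidence_id: str,
               evidence_hash: str, purpose: str, when: str) -> dict:
        entry = {
            "seq": len(self.entries),
            "when": when,                    # ISO 8601 UTC timestamp
            "actor": actor,                  # who handled the record
            "action": action,                # acquired / examined / transferred / returned
            "evidence_id": evidence_id,
            "evidence_hash": evidence_hash,  # hash of the copy handled at that moment
            "purpose": purpose,              # why it was accessed
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Digest of the latest entry. Copy it to the isolated offline store so that a
        wholesale rewrite of the log by someone with write access is still detectable."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def verify(self) -> List[str]:
        """Return the problems found; an empty list means the chain is intact."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if entry_digest(e) != e["entry_hash"]:
                problems.append(f"entry {i}: contents do not match stored digest")
            prev = e["entry_hash"]
        return problems


def acquire(evidence: Dict[str, bytes], actor: str, when: str, log: CustodyLog) -> Dict[str, str]:
    """Hash every evidence item at seizure and log the acquisition; returns the manifest."""
    manifest = {}
    for evidence_id, data in sorted(evidence.items()):
        manifest[evidence_id] = sha256_hex(data)
        log.append(actor, "acquired", evidence_id, manifest[evidence_id],
                   "preserve originals before analysis", when)
    return manifest


def changed_items(evidence: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Evidence items whose current hash differs from the manifest (missing items count too)."""
    return [eid for eid, h in manifest.items() if sha256_hex(evidence.get(eid, b"")) != h]


# Constructed sample evidence (one made-up log line and a dummy capture), not real data.
EVIDENCE = {
    "auth.log": b"2025-03-03T02:14:07Z sshd[1182]: Accepted publickey for svc-backup from 10.0.9.4\n",
    "capture.pcap": bytes(range(64)),
}

if __name__ == "__main__":
    log = CustodyLog()
    manifest = acquire(EVIDENCE, "j.doe (IR lead)", "2025-03-03T03:00:00Z", log)
    log.append("a.smith (forensics)", "examined", "auth.log", manifest["auth.log"],
               "timeline reconstruction", "2025-03-03T09:30:00Z")
    print("chain problems:", log.verify(), "head:", log.head()[:16])
    log.entries[1]["actor"] = "unknown"  # simulate an after-the-fact edit of the log
    print("after tampering:", log.verify())
```

Keep the manifest and the current head digest on the isolated, offline copy described above; `verify()` and `changed_items()` then give the auditor a repeatable check rather than an assurance.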

People Also Asked: Advanced ISO 27001 Annex A 5.33 Compliance

Can we use cloud backups to satisfy record retention requirements?

Yes, cloud backups can satisfy retention requirements, provided they are configured correctly. The backups must be encrypted, access-controlled, and tested regularly. Furthermore, the retention period of the backup must match the legal requirements defined in your Retention Schedule. You cannot simply overwrite backups every 30 days if tax laws require a 7-year retention period.

What is Write-Once-Read-Many (WORM) storage?

WORM storage is a data storage method in which information, once written, cannot be modified or deleted until a defined retention period has passed (or, where one has been placed, a legal hold is lifted). It is a critical technical control for protecting system logs, financial transactions, and legal evidence from falsification and from deletion by a privileged user, and it blunts ransomware, which cannot overwrite or delete the locked copy.

How does Annex A 5.33 apply to employee emails?

Employee emails are considered corporate records and must be protected and retained accordingly. Organisations must implement email archiving (journaling) that captures communications before the user can delete them. You must define an email retention period (for example, 3 years) and enforce automated deletion once that period expires, suspending deletion for any mailbox under legal hold, to reduce litigation exposure.

Does Annex A 5.33 require us to keep metadata?

Yes, protecting records includes protecting their associated metadata. Metadata (such as creation dates, author details, and modification histories) provides the context required to prove the authenticity and integrity of a record during a legal dispute or an audit investigation. It must survive migrations and format conversions, which is where it is most often lost.

ISO 27001:2013 vs 2022: What Changed for Record Protection?

If you are transitioning your Information Security Management System (ISMS) from the older standard, you need to understand exactly what shifted. In the 2013 version, this control was known as A.18.1.3 Protection of records. In the ISO 27001:2022 update, it sits in the new Annex A structure as Control 5.33 within the Organisational controls domain.

The wording of the control itself is almost unchanged: records must still be protected from loss, destruction, falsification, unauthorised access and unauthorised release. What has changed is the environment it is audited in. The 2022 standard is applied to cloud estates, privacy regulations (like the UK GDPR), and the full data lifecycle. As an auditor, I am no longer just looking at a dusty filing cabinet. I expect to see how you manage the protection and eventual destruction of digital records across distributed networks, SaaS applications, and AI data lakes.

Top Reasons Companies Fail ISO 27001 Annex A 5.33 Audits

Common Audit Failure: The “Keep Everything Forever” Approach
  The Auditor’s Perspective: Storing records indefinitely violates data minimisation principles and statutory limits. It shows a lack of governance and increases risk exposure during a breach.
  How to Fix It: Implement and enforce a strict Data Retention Schedule. Use automated deletion policies where possible.

Common Audit Failure: Orphaned Cloud Data
  The Auditor’s Perspective: Companies migrate systems but leave legacy records sitting in old, unmonitored AWS S3 buckets or deprecated SaaS platforms.
  How to Fix It: Include all legacy and cloud storage locations in your Asset Register. Audit them quarterly.

Common Audit Failure: Lack of Destruction Evidence
  The Auditor’s Perspective: A policy states records are destroyed after 7 years, but nobody can produce a destruction log or a certificate of secure shredding to prove it actually happened.
  How to Fix It: Maintain a formal Record of Destruction log. Require supplier certificates for hard drive destruction.

Common Audit Failure: Unprotected System Logs
  The Auditor’s Perspective: IT teams collect system logs, but system administrators have the permission to alter or delete their own activity records, rendering the audit trail useless.
  How to Fix It: Forward all critical logs in near real time to a separate, append-only SIEM or logging server on which the administrators of the source systems have no modify or delete rights, with WORM protection on the archive.

Common Audit Failure: Ignoring Physical Records
  The Auditor’s Perspective: The company has excellent cloud security but leaves printed employee contracts or financial ledgers sitting on open desks overnight.
  How to Fix It: Enforce a Clean Desk and Clear Screen Policy. Mandate secure, locked bins for confidential waste.

Securing the Supply Chain and Third-Party Records

  1. Supplier Security Questionnaires: Before sharing any sensitive records, you must evaluate the supplier’s security posture. Ask for their ISO 27001 certificate or SOC 2 report to verify they meet your standard for Annex A 5.33.
  2. Right to Audit Clauses: Your contracts must include the right to audit the supplier to ensure they are storing, protecting, and destroying your records exactly as agreed.
  3. AI Vendor Risks: If you use third-party AI tools, check their Terms of Service and data-processing terms. Many vendors retain your prompts and input records and may use them to train future models. Where the vendor offers an opt-out, you must use it; where it does not, corporate records must not be submitted to the tool at all, or you risk an unauthorised release.

Physical Record Protection in a Hybrid Working Environment

  • Secure Printing: Mandate “pull printing” in the corporate office, where a document only prints when the user physically authenticates at the printer with a keycard.
  • Home Office Rules: Update your Teleworking Policy to explicitly ban the printing of Highly Confidential records at home. Require staff to purchase cross-cut shredders if their role dictates handling physical records remotely.
  • Physical Archiving: If you use an off-site archiving facility, ensure they provide climate-controlled environments to prevent paper deterioration, alongside strict physical access controls.

Incident Response: What to Do When Records are Breached

Your record protection controls will occasionally fail. When they do, Annex A 5.33 intersects directly with your incident response procedures. An auditor will want to see evidence that your team knows exactly how to handle compromised records.

If ransomware encrypts your financial records, or a rogue employee deletes a client database, you must trigger your Information Security Incident Response Plan immediately. Your priority is containment and assessing the impact. Before you restore anything, preserve forensic copies (and their hashes) of the affected systems and logs; restoring over them destroys the evidence you will need. Then execute your backup restoration procedures to recover the lost records within the Recovery Time Objective (RTO), which must sit inside the Maximum Tolerable Period of Disruption (MTPD) defined in your Business Continuity Plan, and verify the restored records against known-good hashes or record counts before returning them to service. Document every step in your Incident Log to satisfy the auditor during your next surveillance visit.

ISO 27001 Annex A 5.33 FAQ

What is ISO 27001 Annex A 5.33?

ISO 27001 Annex A 5.33 (previously A.18.1.3) is an organisational control requiring that records be protected from loss, destruction, falsification, unauthorised access, and unauthorised release in accordance with legislative, regulatory, and business requirements.

  • It ensures the integrity and availability of evidence within the Information Security Management System (ISMS).
  • It mandates that records are stored in a manner that allows for timely retrieval.
  • It requires organisations to align their record management with specific statutory retention periods.
  • It covers both physical (paper) and digital (electronic) record formats.

Is a record retention schedule mandatory for ISO 27001?

Yes. The standard does not name a “retention schedule” document, but Annex A 5.33 requires retention in line with legal, regulatory, contractual and business requirements, and a formal record retention schedule is the evidence auditors expect that the organisation manages the lifecycle of its data effectively.

  • The schedule must define what records are kept and for how long.
  • It must cite the specific legal or business justification for each retention period.
  • It serves as evidence for auditors that data is not kept longer than necessary, supporting GDPR compliance.
  • It must include instructions for the secure disposal of records once the retention period expires.

What is the difference between a document and a record?

The primary difference is that a document is a “live” file that can be edited or updated (such as a policy), whereas a record is historical evidence of an activity that has already occurred and must not be altered.

  • Documents provide instructions; records provide proof of execution.
  • Records are static and require “write-once-read-many” (WORM) style protection to prevent falsification.
  • Common records include audit logs, training certificates, signed contracts, and incident reports.

How should electronic records be protected from falsification?

Electronic records must be protected using technical controls such as digital signatures, hashing, and strict access permissions to ensure their integrity and authenticity over time.

  • Utilise Role-Based Access Control (RBAC) to ensure only authorised personnel can view archived records, and that nobody, administrators included, can modify or delete them during the retention period.
  • Implement audit logging to track every instance of access or attempted modification of a record, and send that log to a system the record’s own administrators cannot alter.
  • Use cryptographic hashing to verify that a record has not been altered since it was originally saved; store the hash separately from the record (or sign it) so that an attacker who changes the record cannot simply recompute the hash.
  • Maintain regular backups and verify their restorability to prevent loss or destruction.
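Here is an added example, in Python, that is not code from this page or from the author’s toolkit, of the custody log called for in the Chain of Custody section above and of the hashing and audit-logging controls listed in this answer. The incident identifier, the record names, the custody events and the HMAC key are all constructed for the demonstration. Each entry is hashed together with the previous entry’s hash and then authenticated with an HMAC under a key the logging host would not hold, and the head hash is anchored externally (in practice, written to WORM storage or onto the evidence form). The verifier shows what each control catches: an edited entry, a deleted entry, a chain rebuilt without the key, and a silently truncated tail, which only the external anchor detects.

```python
"""Hash-chained, append-only custody log with tamper detection (added example)."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64  # "previous hash" of the very first entry

# Constructed demo key. In production this lives in an HSM or secrets manager,
# not on the logging host, so an administrator cannot re-sign a rewritten log.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation: the same entry always produces the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash: str, payload: dict) -> str:
    # Each hash commits to the previous entry, so editing or removing one entry
    # breaks every link after it.
    return hashlib.sha256(prev_hash.encode() + _canonical(payload)).hexdigest()


def _tag(key: bytes, entry_hash: str) -> str:
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()


class CustodyLog:
    """Append-only record of who touched which record, when, and for what purpose."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict] = []

    def head(self) -> str:
        # The head hash is what you anchor externally so tail truncation is detectable.
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def append(self, ts: str, actor: str, action: str, record_id: str, purpose: str) -> Dict:
        prev = self.head()
        payload = {"seq": len(self.entries), "ts": ts, "actor": actor,
                   "action": action, "record_id": record_id, "purpose": purpose}
        h = _entry_hash(prev, payload)
        entry = {"payload": payload, "prev": prev, "hash": h, "tag": _tag(self._key, h)}
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[Dict], key: bytes, anchored_head: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the log is intact."""
    findings: List[str] = []
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        p = e["payload"]
        if p["seq"] != i:
            findings.append(f"entry {i}: sequence number {p['seq']} (entry removed or reordered)")
        if e["prev"] != prev:
            findings.append(f"entry {i}: previous-hash link broken")
        if _entry_hash(e["prev"], p) != e["hash"]:
            findings.append(f"entry {i}: content does not match stored hash (falsified)")
        if not hmac.compare_digest(_tag(key, e["hash"]), e["tag"]):
            findings.append(f"entry {i}: HMAC invalid (re-hashed without the key)")
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        findings.append("head hash differs from anchored value (tail truncated or log rewritten)")
    return findings


def build_demo_log() -> CustodyLog:
    # Constructed incident IR-2024-007: four custody events for one seized log file.
    log = CustodyLog(DEMO_KEY)
    log.append("2024-03-02T09:14:00Z", "ir-lead", "acquire", "fw-syslog-2024-03-02.gz", "evidence capture")
    log.append("2024-03-02T09:15:30Z", "ir-lead", "hash", "fw-syslog-2024-03-02.gz", "sha256 noted on evidence form")
    log.append("2024-03-02T11:02:10Z", "forensic-analyst", "read", "fw-syslog-2024-03-02.gz", "timeline reconstruction")
    log.append("2024-03-03T08:40:00Z", "dpo", "read", "fw-syslog-2024-03-02.gz", "breach notification assessment")
    return log


def demo() -> Dict[str, List[str]]:
    """Verify the intact log and four tampered copies of it."""
    log = build_demo_log()
    anchored = log.head()

    falsified = copy.deepcopy(log.entries)
    falsified[2]["payload"]["actor"] = "nobody"       # edited in place, hash left as-is

    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                    # the hashing step disappears

    rehashed = copy.deepcopy(log.entries)             # edit, then rebuild the chain without the key
    rehashed[1]["payload"]["purpose"] = "routine maintenance"
    prev = rehashed[0]["hash"]
    for e in rehashed[1:]:
        e["prev"], e["hash"] = prev, _entry_hash(prev, e["payload"])
        prev = e["hash"]

    truncated = copy.deepcopy(log.entries)[:-1]       # the DPO's access is dropped silently

    return {
        "clean": verify_chain(log.entries, DEMO_KEY, anchored),
        "falsified": verify_chain(falsified, DEMO_KEY, anchored),
        "deleted": verify_chain(deleted, DEMO_KEY, anchored),
        "rehashed": verify_chain(rehashed, DEMO_KEY, anchored),
        "truncated_no_anchor": verify_chain(truncated, DEMO_KEY),
        "truncated_anchored": verify_chain(truncated, DEMO_KEY, anchored),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'intact'}")
```

The truncated case is the one practitioners most often miss: a chain with its last entries removed still verifies perfectly unless the head hash was recorded somewhere the attacker cannot reach, which is exactly the role WORM storage plays here.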

How long must ISO 27001 records be retained?

ISO 27001 does not specify a single retention period; instead, it requires organisations to define periods based on specific legal, regulatory, and contractual obligations.

  • Financial records are typically kept for 6 or 7 years to satisfy HMRC and tax laws.
  • Personnel records may have varying periods based on local employment legislation.
  • Contracts and agreements often require retention for the duration of the relationship plus a statutory limitation period (usually 6 years).
  • Technical logs may have shorter periods (e.g., 90 days or 1 year) depending on the organisation’s risk appetite.

What are the requirements for the secure disposal of records?

Records must be disposed of using methods that ensure the information is irrecoverable, thereby protecting the confidentiality of the data even after its lifecycle has ended.

  • Physical records should be shredded (cross-cut) or incinerated by a certified provider.
  • Digital records must be securely deleted or overwritten using industry-standard sanitisation methods (for example those in NIST SP 800-88). In cloud storage you cannot overwrite the physical media yourself, so cryptographic erasure (destroying the key the data was encrypted under) is the practical method, which means the encryption has to be in place before the record is written.
  • Disposal activities should be documented to maintain a clear audit trail of the record’s destruction.
  • Storage media (hard drives, tapes) must be physically destroyed or cryptographically erased before being recycled.
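Here is an added Python example, mine rather than the page’s or the author’s toolkit, of enforcing a Retention Schedule in code and producing the destruction evidence discussed in the answers above and in the “Lack of Destruction Evidence” failure. The schedule, the record types, the retention periods and the sample records are constructed for the illustration and are not legal advice; real periods come from your legal review. It handles the cases a sweep script usually gets wrong: the retention clock starts either at creation or at a trigger event (the end of a contractual relationship), a record whose trigger has not yet occurred is never eligible, a legal hold overrides the schedule entirely, and a record created on 29 February does not crash the date arithmetic. Each destruction-log entry captures the SHA-256 of the content before the bytes are destroyed.

```python
"""Retention schedule enforcement and destruction evidence (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed schedule; periods are illustrative, not legal advice. "trigger" is the
# event that starts the clock: record creation, or the end of a contractual
# relationship (contracts are kept for the relationship plus a limitation period).
SCHEDULE: Dict[str, Dict] = {
    "financial": {"trigger": "created", "years": 7, "basis": "tax legislation"},
    "contract": {"trigger": "relationship_end", "years": 6, "basis": "limitation period"},
    "syslog": {"trigger": "created", "years": 1, "basis": "business need"},
}


@dataclass
class Record:
    record_id: str
    kind: str
    created: date
    content: bytes
    relationship_end: Optional[date] = None
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


def retain_until(rec: Record) -> Optional[date]:
    """Earliest lawful disposal date, or None if the retention clock has not started."""
    rule = SCHEDULE[rec.kind]
    trigger = rec.created if rule["trigger"] == "created" else rec.relationship_end
    return None if trigger is None else add_years(trigger, rule["years"])


def decide(rec: Record, today: date) -> Tuple[str, str]:
    """Return ("dispose" | "retain" | "hold", reason)."""
    if rec.legal_hold:
        return "hold", "legal hold overrides the schedule"
    until = retain_until(rec)
    if until is None:
        return "retain", "retention trigger has not occurred (relationship still in force)"
    if today < until:
        return "retain", f"retain until {until.isoformat()} ({SCHEDULE[rec.kind]['basis']})"
    return "dispose", f"retention expired on {until.isoformat()}"


def destruction_entry(rec: Record, today: date, method: str, approver: str) -> Dict:
    # Evidence that disposal happened: identity and digest of what was destroyed
    # (taken before the bytes are gone), the method used, and who approved it.
    return {"record_id": rec.record_id, "kind": rec.kind, "destroyed_on": today.isoformat(),
            "sha256": hashlib.sha256(rec.content).hexdigest(),
            "method": method, "approved_by": approver}


def sweep(records: List[Record], today: date, method: str, approver: str):
    """Return (destruction-log entries, decisions for the records not disposed of)."""
    destroyed: List[Dict] = []
    kept: List[Tuple[str, str, str]] = []
    for rec in records:
        verdict, reason = decide(rec, today)
        if verdict == "dispose":
            destroyed.append(destruction_entry(rec, today, method, approver))
            # A real system would delete or crypto-erase the record at this point.
        else:
            kept.append((rec.record_id, verdict, reason))
    return destroyed, kept


def demo_records() -> List[Record]:
    # Constructed sample records.
    return [
        Record("INV-2016-0042", "financial", date(2016, 4, 5), b"invoice 42"),
        Record("INV-2019-0107", "financial", date(2019, 9, 1), b"invoice 107"),
        Record("CTR-ACME", "contract", date(2015, 2, 1), b"acme msa", relationship_end=date(2017, 6, 30)),
        Record("CTR-GLOBEX", "contract", date(2015, 2, 1), b"globex msa"),  # still in force
        Record("LOG-2023-02-28", "syslog", date(2023, 2, 28), b"log lines", legal_hold=True),
        Record("LOG-2023-01-10", "syslog", date(2023, 1, 10), b"more log lines"),
    ]


def demo() -> Dict:
    """Run the sweep as of a fixed date and summarise the outcome."""
    destroyed, kept = sweep(demo_records(), date(2024, 3, 15), "cryptographic erasure", "records-manager")
    return {"destroyed": [e["record_id"] for e in destroyed],
            "digest_len": len(destroyed[0]["sha256"]),
            "kept": {rid: verdict for rid, verdict, _ in kept},
            "leap": add_years(date(2024, 2, 29), 1).isoformat()}


if __name__ == "__main__":
    print(demo())
```

The destruction log is what the auditor asks for when the policy says “destroyed after 7 years”: a record identifier, the date, the method, an approver, and a digest that lets you prove later exactly which content was destroyed without having kept a copy of it.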


Further Reading

ISO 27001 Data Retention Policy Beginner’s Guide

ISO 27001 Data Protection Policy Template

Data Retention Policy Template

ISO 27001 Information Classification and Handling Policy Beginner’s Guide

ISO 27001 Controls and Attribute values

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify, Protect
Operational capabilities: Legal and compliance, Asset management, Information protection
Security domains: Defence

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
