In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.33 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.33 Protection of Records
ISO 27001 Annex A 5.33 requires organizations to protect their records from loss, destruction, falsification, and unauthorized access. It ensures that critical business evidence, from financial invoices to system logs, is retained for as long as legally required and then securely destroyed when no longer needed.
Core requirements for compliance include:
- Retention Schedule: You must define exactly how long each type of record is kept. This is not a guess; it must be based on specific laws (e.g., tax laws, GDPR) or business needs.
- Protection vs. Storage: It is not enough to just “store” records; you must protect their integrity (preventing tampering) and availability (ensuring they can be retrieved when needed, even years later).
- Secure Destruction: When a record’s life is over, it must be destroyed securely. Simply deleting a file is often insufficient; you need a process that ensures it cannot be recovered.
- Media Management: If records are stored on physical media (tapes, hard drives, paper), you must account for deterioration over time and manufacturer guidelines for storage.
Audit Focus: Auditors will ask to see your Retention Policy and check if it matches reality. They will look for:
- Justification: Can you explain why you keep customer data for 7 years? (e.g., “Because HMRC tax law requires it”).
- Retrieval: Can you actually find and open a record from 3 years ago, or is it locked in an obsolete file format?
Common Retention Examples (Reference Only):
| Record Category | Compliance Retention Period | Statutory or Regulatory Justification | ISO 27001:2022 Mapping |
|---|---|---|---|
| Financial / Invoices | 7 Years | Tax Law and Auditing requirements (e.g., HMRC/IRS). | 5.33 (Protection of records) |
| Employee Contracts | Termination + 6 Years | Statute of Limitations regarding potential legal and employment claims. | 5.33 (Protection of records) |
| System Logs | 1 Year | Forensic investigation requirements and technical standards (e.g., PCI-DSS). | 8.15 (Logging) |
| CCTV Footage | 30 Days | Data Privacy compliance (UK GDPR) unless a security incident occurs. | 5.34 (Privacy and protection of PII) |
| Board Minutes | Permanent | Corporate Governance and legal entity history. | 5.33 (Protection of records) |
Table of contents
- What is ISO 27001 Annex A 5.33?
- Watch the ISO 27001 Annex A 5.33 Tutorial
- ISO 27001 Annex A 5.33 Podcast
- ISO 27001 Annex 5.33 Implementation Guidance
- How to implement ISO 27001 Annex 5.33
- Common Retention Periods
- Applicability of ISO 27001 Annex A 5.33 across different business models
- Fast Track ISO 27001 Annex A 5.33 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.33 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute values
What is ISO 27001 Annex A 5.33?
ISO 27001 Annex A 5.33 Protection of Records is an ISO 27001 control that requires you to protect records in line with legal, regulatory, statutory and contractual requirements as well as societal and community expectations. It is about protecting records from unauthorised access, loss or destruction, tampering or falsification, and unauthorised release and sharing.
What is the purpose of ISO 27001 Annex 5.33?
The purpose of ISO 27001 Annex A 5.33 Protection of Records is to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection and availability of records.
Organisations should have a clear understanding of their obligations when it comes to the protection of records and make sure that they adhere to those requirements.
What is the definition of ISO 27001 Annex 5.33?
The ISO 27001 standard defines ISO 27001 Annex A 5.33 Protection of Records as:
Records should be protected from loss, destruction, falsification, unauthorised access and unauthorised release.
ISO 27001:2022 Annex A 5.33
Watch the ISO 27001 Annex A 5.33 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.33 and how to pass the audit.
ISO 27001 Annex A 5.33 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.33 Protection Of Records. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex 5.33 Implementation Guidance
Decide what kinds of protection are included
The kinds of protection expected include protecting the authenticity, reliability, integrity and usability of records. You will consider this protection in the context of the business and its requirements and how that changes over time.
Decide what kind of records are included
Records are just another term for the data and information an organisation retains and/or uses to carry out its day-to-day business activities. They can include:
- Individual events
- Transactions
- Work processes
- Activities
- Functions
You can manage any set of information as a record, irrespective of either its structure or its form.
Issue Guidelines
Guidelines on how you store, transfer and dispose of records will be issued.
Topic specific policy on records management
You are going to implement an ISO 27001 Documents and Records Policy.
Retention schedule
A retention schedule for records will be implemented that sets out how long you retain records.
Legislation
Consider where you operate and the legislation that applies to you, as recorded in your ISO 27001 legal register and covered in ISO 27001 Annex A 5.31 Legal, regulatory, statutory and contractual requirements.
Record Destruction
You will implement procedures that destroy records in a safe and appropriate manner as soon as they are no longer needed and/or after the end of the retention period defined in the retention schedule.
Classification
Following your information classification and handling policy and your classification scheme you will apply that to records.
Retrieval times
You will make sure that any storage procedures and processes include an acceptable timeframe for retrieval. These will also take into account any third-party or external requests for records.
Encryption
Where encryption is implemented as a control to mitigate risk you will, of course, ensure that the keys to decrypt are available for the whole retention period. Consider the guidance in ISO 27001 Annex A 8.24 Use of Cryptography.
Manufacturer Guidelines
You will follow the guidelines from the suppliers and manufacturers for storage and handling and you will take into account the possibility of media deteriorating over time.
Meta Data
The data that describes a record, its context, structure and other attributes is referred to as metadata and is seen as an essential component of any record.
How to implement ISO 27001 Annex 5.33
Implementing ISO 27001 Annex A 5.33 requires a robust framework to ensure that organisational records remain authentic, reliable, and accessible throughout their mandatory lifecycle. By transitioning from ad hoc storage to a formalised record management system, organisations can mitigate the risks of data falsification and unauthorised destruction while ensuring full compliance with statutory and regulatory retention obligations.
1. Formalise a Record Retention Schedule
Identify and document all record types to establish a legal and operational baseline for data preservation.
- Categorise records into types such as financial, personnel, technical logs, and legal contracts.
- Map each category to specific legislative requirements, such as HMRC tax regulations or the Data Protection Act 2018.
- Define clear retention periods and the specific business justification for the continued storage of sensitive information.
2. Provision Secure Storage and Environmental Controls
Protect physical and digital records from environmental hazards and unauthorised physical access to maintain media integrity.
- Implement fire suppression systems, flood protection, and climate control for physical archives.
- Utilise off-site, secondary storage for critical physical backups to ensure redundancy in the event of a primary site failure.
- Ensure all physical storage units are secured with high-quality locks and accessible only to authorised personnel.
3. Implement Technical Controls for Digital Integrity
Apply cryptographic and logical safeguards to prevent the falsification or unauthorised modification of electronic records.
- Enforce the use of digital signatures and hashing algorithms to verify the authenticity and integrity of archived files.
- Provision Role-Based Access Control (RBAC) alongside “Write-Once-Read-Many” (WORM) protections so that archived records cannot be modified or deleted by anyone outside the records process.
- Deploy comprehensive audit logging to track every instance of access, modification, or attempted deletion of a record.
4. Execute Regular Backup and Restoration Testing
Guarantee the availability of records by maintaining robust backup routines and verifying that data can be successfully recovered.
- Automate daily backups of digital record repositories to a secure, encrypted cloud or off-site location.
- Conduct quarterly restoration tests to ensure that archived records have not suffered from bit rot or media degradation.
- Document the results of restoration tests as primary audit evidence for the Information Security Management System (ISMS).
5. Formalise Secure Disposal and Destruction Workflows
Ensure that records reaching the end of their retention period are destroyed in a manner that renders the information irrecoverable.
- Utilise cross-cut shredding or incineration for physical documents, ensuring a Certificate of Destruction is obtained from the service provider.
- Apply secure data sanitisation methods, such as NIST 800-88 compliant wiping, for decommissioned storage media and digital archives.
- Update the Master Record Index to reflect the disposal date and method, maintaining a complete lifecycle audit trail.
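As an added example (not code from the original article or the High Table toolkit), the following Python sketch turns a retention schedule like the one in steps 1 and 5 into something a script can evaluate: it computes the earliest disposal date for fixed and event-based rules (“Termination + 6 Years”), treats permanent records and still-live contracts as not yet due, and lets a legal hold override the schedule. The schedule values, category names and record identifiers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed retention schedule mirroring the article's table (sample values,
# not a legal reference). `years=None` means permanent retention; `trigger`
# names the event that starts the retention clock.
@dataclass(frozen=True)
class RetentionRule:
    years: Optional[int]
    trigger: str            # "created" or "terminated"
    justification: str

SCHEDULE = {
    "financial": RetentionRule(7, "created", "Tax law (e.g. HMRC/IRS)"),
    "employee_contract": RetentionRule(6, "terminated", "Statute of limitations"),
    "system_log": RetentionRule(1, "created", "Forensic investigation (PCI-DSS)"),
    "board_minutes": RetentionRule(None, "created", "Corporate governance"),
}

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    terminated: Optional[date] = None   # set only once an event-based clock has started
    legal_hold: bool = False            # open incident or litigation suspends disposal

def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def disposal_due(rec: Record) -> Optional[date]:
    """Earliest date the record may be destroyed, or None if no date exists yet."""
    rule = SCHEDULE[rec.category]
    if rule.years is None:
        return None                     # permanent record
    if rule.trigger == "terminated":
        if rec.terminated is None:
            return None                 # contract still live: clock not started
        return add_years(rec.terminated, rule.years)
    return add_years(rec.created, rule.years)

def disposal_status(rec: Record, today: date) -> str:
    """'hold' (legal hold overrides the schedule), 'retain', or 'destroy'."""
    if rec.legal_hold:
        return "hold"
    due = disposal_due(rec)
    return "destroy" if due is not None and today >= due else "retain"
```

Running `disposal_status` over the Master Record Index each month gives the list of records that are due for secure destruction and the justification to show an auditor for everything that is still retained.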
Common Retention Periods
| Record Type | Retention Period | Reason |
|---|---|---|
| Financial / Invoices | 7 Years | Tax Law (e.g., HMRC/IRS). |
| Employee Contracts | Termination + 6 Years | Statute of Limitations (Legal claims). |
| System Logs | 1 Year | Forensic investigation (PCI-DSS standard). |
| CCTV Footage | 30 Days | Privacy/GDPR (unless incident occurs). |
| Board Minutes | Permanent | Corporate Governance. |
Applicability of ISO 27001 Annex A 5.33 across different business models
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Highly applicable for meeting legal and tax obligations. | The focus is on ensuring that basic business evidence, like invoices and employee contracts, is protected from loss and deleted once the legal retention period ends. |
| Tech Startups | Critical for protecting high-value intellectual property and ensuring forensic readiness. | Compliance involves managing digital records across multiple SaaS tools and ensuring they aren’t lost during rapid system migrations. |
| AI Companies | Vital for protecting massive training datasets and proprietary research records. | Focus is on ensuring the long-term availability of research data while meeting strict privacy and ethical retention standards. |
Fast Track ISO 27001 Annex A 5.33 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.33 (Protection of records), the requirement is to protect records from loss, destruction, falsification, unauthorised access, and unauthorised release. This ensures that your organisational data, whether it’s financial transactions, HR files, or board minutes, is maintained in accordance with legal, regulatory, and contractual obligations.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Data Custody | Rents access to your evidence; if you cancel the subscription, your documented retention schedules and destruction history vanish. | Total Ownership: Your policies, standards, and logs stay on your secure servers. You own the IP forever. | A localized “Retention Schedule” stored on your secure drive defining specific rules for HR and financial files. |
| Operational Simplicity | Attempts to “automate” archiving via dashboards that cannot interpret specific local tax laws or verify fireproof safe storage. | Governance-First: Formalizes your existing file management (SharePoint, Drive, Paper) into an auditor-ready framework. | A completed “Record of Destruction” log providing a formal audit trail for the secure disposal of expired documents. |
| Financial Impact | Charges a “Storage Tax” based on data volume or record count, creating a compounding cost that drains your security budget. | One-Off Investment: Pay once for the professional templates and never receive another invoice, regardless of record volume. | Reallocating saved SaaS fees toward physical security upgrades or professional off-site archiving services. |
| Strategic Freedom | Mandates rigid reporting formats that often fail to account for unique data structures or niche jurisdictional requirements. | 100% Agnostic: Standardized document formats mean you can move, edit, or migrate your files to any system at any time. | The ability to evolve your records strategy (e.g., moving from physical to digital) without reconfiguring a rigid SaaS module. |
Summary: For Annex A 5.33, the auditor wants to see that you have a formal process for protecting records and a retention schedule that meets legal requirements. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.33 FAQ
What is ISO 27001 Annex A 5.33?
ISO 27001 Annex A 5.33 (previously A.18.1.3) is an organisational control requiring that records be protected from loss, destruction, falsification, unauthorised access, and unauthorised release in accordance with legislative, regulatory, and business requirements.
- It ensures the integrity and availability of evidence within the Information Security Management System (ISMS).
- It mandates that records are stored in a manner that allows for timely retrieval.
- It requires organisations to align their record management with specific statutory retention periods.
- It covers both physical (paper) and digital (electronic) record formats.
Is a record retention schedule mandatory for ISO 27001?
Yes, a formal record retention schedule is a core requirement for ISO 27001 compliance to demonstrate that the organisation manages the lifecycle of its data effectively.
- The schedule must define what records are kept and for how long.
- It must cite the specific legal or business justification for each retention period.
- It serves as evidence for auditors that data is not kept longer than necessary, supporting GDPR compliance.
- It must include instructions for the secure disposal of records once the retention period expires.
What is the difference between a document and a record?
The primary difference is that a document is a “live” file that can be edited or updated (such as a policy), whereas a record is historical evidence of an activity that has already occurred and must not be altered.
- Documents provide instructions; records provide proof of execution.
- Records are static and require “write-once-read-many” (WORM) style protection to prevent falsification.
- Common records include audit logs, training certificates, signed contracts, and incident reports.
How should electronic records be protected from falsification?
Electronic records must be protected using technical controls such as digital signatures, hashing, and strict access permissions to ensure their integrity and authenticity over time.
- Utilise Role-Based Access Control (RBAC) to ensure only authorised personnel can view archived records.
- Implement audit logging to track every instance of access or attempted modification of a record.
- Use cryptographic hashing to verify that a record has not been altered since it was originally saved.
- Maintain regular backups and verify their restorability to prevent loss or destruction.
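Added example for step 3 of the implementation section and for this FAQ answer (not code from the original article): a SHA-256 manifest over an archive directory, sealed with a keyed HMAC that stands in for the digital signature the text mentions, so that a later verification run can tell a modified record from a missing or an unexpected one. File names, contents and the key are constructed sample data.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(archive: Path) -> dict:
    """Map every file in the archive directory to its SHA-256 digest."""
    return {p.name: sha256_file(p) for p in sorted(archive.iterdir()) if p.is_file()}

def seal_manifest(manifest: dict, key: bytes) -> str:
    """Keyed HMAC over canonical JSON, so the manifest cannot be rewritten to match a tampered record."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(archive: Path, manifest: dict, seal: str, key: bytes) -> dict:
    """Per-record integrity verdict: ok / modified / missing / unexpected."""
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        return {"manifest": "tampered"}   # none of its digests can be trusted
    current = build_manifest(archive)
    verdict = {}
    for name, digest in manifest.items():
        if name not in current:
            verdict[name] = "missing"
        elif current[name] != digest:
            verdict[name] = "modified"
        else:
            verdict[name] = "ok"
    for name in current.keys() - manifest.keys():
        verdict[name] = "unexpected"      # file added outside the records process
    return verdict

def demo() -> dict:
    """Constructed walkthrough: seal two sample records, then simulate tampering."""
    key = b"constructed-demo-key"   # in practice comes from a secret store or HSM
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp)
        (archive / "INV-2017-001.txt").write_bytes(b"invoice 2017-03-01 total 1200.00")
        (archive / "board-minutes-2019-q1.txt").write_bytes(b"minutes approved")
        manifest = build_manifest(archive)
        seal = seal_manifest(manifest, key)
        # Years later: one record altered, one deleted outside the process, one added.
        (archive / "INV-2017-001.txt").write_bytes(b"invoice 2017-03-01 total 120.00")
        (archive / "board-minutes-2019-q1.txt").unlink()
        (archive / "rogue.txt").write_bytes(b"not in the manifest")
        return verify(archive, manifest, seal, key)
```

The sealed manifest and the verification verdicts are themselves records: store them with the restoration-test results as audit evidence that integrity was checked, not just asserted.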
How long must ISO 27001 records be retained?
ISO 27001 does not specify a single retention period; instead, it requires organisations to define periods based on specific legal, regulatory, and contractual obligations.
- Financial records are typically kept for 6 or 7 years to satisfy HMRC and tax laws.
- Personnel records may have varying periods based on local employment legislation.
- Contracts and agreements often require retention for the duration of the relationship plus a statutory limitation period (usually 6 years).
- Technical logs may have shorter periods (e.g., 90 days or 1 year) depending on the organisation’s risk appetite.
What are the requirements for the secure disposal of records?
Records must be disposed of using methods that ensure the information is irrecoverable, thereby protecting the confidentiality of the data even after its lifecycle has ended.
- Physical records should be shredded (cross-cut) or incinerated by a certified provider.
- Digital records must be securely deleted or overwritten using industry-standard sanitisation methods.
- Disposal activities should be documented to maintain a clear audit trail of the record’s destruction.
- Storage media (hard drives, tapes) must be physically destroyed or cryptographically erased before being recycled.
Related ISO 27001 Controls
ISO 27001 Annex A 5.12 Classification Of Information
Further Reading
ISO 27001 Data Retention Policy Beginner’s Guide
ISO 27001 Data Protection Policy Template
Data Retention Policy Template
ISO 27001 Information Classification and Handling Policy Beginner’s Guide
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability | Identify | Legal and compliance | Defence |
| | Integrity | Protect | Asset management | |
| | Confidentiality | | Information protection | |