ISO 27001 Protection Of Records
In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.33 (Protection Of Records) and ensure you pass your audit.
You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and ISO 27001 toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with a free training video, an explainer video, a podcast and plain-English advice to get you certified.
Table of contents
- ISO 27001 Protection Of Records
- What is ISO 27001 Annex A 5.33?
- Watch the ISO 27001 Annex A 5.33 Tutorial
- ISO 27001 Annex A 5.33 Podcast
- How to implement ISO 27001 Annex 5.33
- Common Retention Periods
- ISO 27001 Annex A 5.33 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute values
What is ISO 27001 Annex A 5.33?
ISO 27001 Annex A 5.33 Protection of Records is an ISO 27001 control that wants you to protect records in line with legal, regulatory, statutory and contractual requirements as well as societal and community expectations. It is about protecting records from unauthorised access, loss or destruction, tampering or falsification and unauthorised release and sharing.
What is the purpose of ISO 27001 Annex 5.33?
The purpose of ISO 27001 Annex A 5.33 Protection of Records is to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection and availability of records.
Organisations should have a clear understanding of their obligations when it comes to the protection of records and make sure that they adhere to those requirements.
What is the definition of ISO 27001 Annex 5.33?
The ISO 27001 standard defines ISO 27001 Annex A 5.33 Protection of Records as:
Records should be protected from loss, destruction, falsification, unauthorised access and unauthorised release.
ISO 27001:2022 Annex A 5.33
Watch the ISO 27001 Annex A 5.33 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.33 and how to pass the audit.
ISO 27001 Annex A 5.33 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.33 Protection Of Records. The podcast explores what it is, why it is important and the path to compliance.
How to implement ISO 27001 Annex 5.33
Decide what kinds of protection are included
The kinds of protection expected include protecting the authenticity, reliability, integrity and usability of records. You will consider this protection in the context of the business and its requirements and how that changes over time.
Decide what kind of records are included
Records is just another term for the data and information an organisation retains and/or uses to carry out its day-to-day business activities. It can include:
- Individual events
- Transactions
- Work processes
- Activities
- Functions
You can manage any set of information as a record, irrespective of either its structure or its form.
Issue Guidelines
Guidelines on how you store, transfer and dispose of records will be issued.
Topic specific policy on records management
You are going to implement an ISO 27001 Documents and Records Policy.
Retention schedule
A retention schedule for records will be implemented that sets out how long you retain records.
Legislation
You will identify where you operate and the legislation that applies to you, as recorded in your ISO 27001 legal register and covered in ISO 27001 Annex A 5.31 Legal, regulatory, statutory and contractual requirements.
Record Destruction
You will implement procedures that destroy records in a safe and appropriate manner as soon as they are no longer needed and/or after the end of the retention period defined in the retention schedule.
Classification
Following your information classification and handling policy and your classification scheme, you will apply the same classification to records.
Retrieval times
You will make sure that any storage procedures and processes include an acceptable timeframe for retrieval. These will also take into account any third-party or external requests for records.
Encryption
Where encryption is implemented as a control to mitigate risk you will, of course, ensure that the keys to decrypt the records remain available for the whole retention period. Consider the guidance in ISO 27001 Annex A 8.24 Use of Cryptography.
Manufacturer Guidelines
You will follow the guidelines from the suppliers and manufacturers for storage and handling and you will take into account the possibility of media deteriorating over time.
Metadata
The data that describes a record, its context, structure and other attributes is referred to as metadata and is seen as an essential component of any record.
Common Retention Periods
| Record Type | Retention Period | Reason |
|---|---|---|
| Financial / Invoices | 7 Years | Tax Law (e.g., HMRC/IRS). |
| Employee Contracts | Termination + 6 Years | Statute of Limitations (Legal claims). |
| System Logs | 1 Year | Forensic investigation (PCI-DSS standard). |
| CCTV Footage | 30 Days | Privacy/GDPR (unless incident occurs). |
| Board Minutes | Permanent | Corporate Governance. |
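The retention schedule, destruction-after-retention and legal-hold steps above, as an added Python example that is not part of this guide or its toolkit. It uses the periods from the table above; the record-type keys, the trigger events (creation date, or termination date for employee contracts), the legal-hold flag and the sample records are assumptions constructed for illustration.

```python
"""Added example (not from the guide): evaluating a records retention schedule.

Models the retention schedule, destruction after the retention period and a
legal hold using the periods in the "Common Retention Periods" table. Record
types, trigger events and sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention schedule keyed by record type. "years"/"days" give the period,
# "trigger" names the record attribute the retention clock starts from, and
# "permanent" marks records that are never destroyed.
SCHEDULE: Dict[str, dict] = {
    "financial":         {"years": 7, "trigger": "created"},
    "employee_contract": {"years": 6, "trigger": "terminated"},
    "system_log":        {"years": 1, "trigger": "created"},
    "cctv":              {"days": 30, "trigger": "created"},
    "board_minutes":     {"permanent": True, "trigger": "created"},
}


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    terminated: Optional[date] = None  # employment end date, contracts only
    legal_hold: bool = False           # set when an incident or claim freezes disposal


def add_years(d: date, years: int) -> date:
    """Add calendar years, rolling 29 Feb back to 28 Feb if needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_date(record: Record) -> Optional[date]:
    """Date from which the record may be destroyed, or None if it is permanent
    or the triggering event has not happened yet."""
    rule = SCHEDULE.get(record.record_type)
    if rule is None:
        raise ValueError(f"no retention rule for record type {record.record_type!r}")
    if rule.get("permanent"):
        return None
    start = getattr(record, rule["trigger"])
    if start is None:
        return None  # e.g. contract still active: retention clock not started
    if "years" in rule:
        return add_years(start, rule["years"])
    return start + timedelta(days=rule["days"])


def decide(record: Record, today: date) -> str:
    """Return the action for one record: permanent, hold, destroy or retain."""
    if SCHEDULE.get(record.record_type, {}).get("permanent"):
        return "permanent"
    if record.legal_hold:
        return "hold"  # a legal hold always overrides the schedule
    due = disposal_date(record)
    if due is not None and today >= due:
        return "destroy"
    return "retain"


def evaluate(records: List[Record], today: date) -> Dict[str, str]:
    """Evaluate every record and return {record_id: action}."""
    return {r.record_id: decide(r, today) for r in records}


# Constructed sample records (hypothetical identifiers and dates).
SAMPLE_RECORDS: List[Record] = [
    Record("INV-0001", "financial", date(2017, 1, 1)),
    Record("HR-0042", "employee_contract", date(2015, 3, 1), terminated=date(2020, 6, 30)),
    Record("HR-0043", "employee_contract", date(2019, 9, 1)),          # still employed
    Record("LOG-2023", "system_log", date(2023, 12, 31)),
    Record("CCTV-0100", "cctv", date(2024, 11, 1)),
    Record("CCTV-0101", "cctv", date(2024, 11, 1), legal_hold=True),  # incident footage
    Record("BOARD-2001", "board_minutes", date(2001, 5, 5)),
]


def evaluate_on(iso_day: str) -> Dict[str, str]:
    """Evaluate the sample records as of the given ISO date (YYYY-MM-DD)."""
    return evaluate(SAMPLE_RECORDS, date.fromisoformat(iso_day))


def disposal_iso(record_id: str) -> Optional[str]:
    """ISO disposal date of one sample record, or None if permanent/not started."""
    record = next(r for r in SAMPLE_RECORDS if r.record_id == record_id)
    due = disposal_date(record)
    return due.isoformat() if due else None


if __name__ == "__main__":
    for rid, action in evaluate_on("2025-01-01").items():
        print(f"{rid:<11} {action}")
```

Two design points carry over from the control text: a legal hold is checked before the schedule, so footage tied to an incident is never destroyed by the 30-day rule, and a record whose trigger event has not yet occurred (an active contract) is retained rather than given a disposal date. The output of each run is itself evidence of the destruction procedure and should be kept as a record in its own right.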
ISO 27001 Annex A 5.33 FAQ
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 5.33 Protection of Records:
- You cannot get ISO 27001 certification without it.
- Improved security: You will have an effective information security implementation that meets your external requirements for law, regulation, statute and contracts.
- Reduced risk: You will reduce the information security risks of not meeting external requirements and obligations.
- Improved compliance: Standards and regulations require you to meet your external requirements.
- Reputation protection: In the event of a breach, having an effective legal, regulatory, statutory and contractual protection of records process in place will reduce the potential for fines and reduce the PR impact of an event.
By putting procedures in place and addressing protection of records requirements, we seek to ensure that the business remains compliant with any legislation and protects records based on risk, business need and legal, regulatory, statutory or societal expectations.
Related ISO 27001 Controls
ISO 27001 Annex A 5.12 Classification Of Information
Further Reading
ISO 27001 Data Retention Policy Beginner’s Guide
ISO 27001 Data Protection Policy Template
Data Retention Policy Template
ISO 27001 Information Classification and Handling Policy Beginner’s Guide
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Identify, Protect | Legal and compliance, Asset management, Information protection | Defence |
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.