In this article I lay bare ISO 27001 Annex 5.33 Protection of Records.
Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what’s new, give you templates, an ISO 27001 toolkit, show you examples and do a walkthrough.
In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001 Annex A 5.33 Protection of Records.
Table of contents
- What is ISO 27001 Annex A 5.33 Protection Of Records?
- ISO 27001 Annex A 5.33 Protection Of Records Implementation Guide
- ISO 27001 Protection of Records Templates
- What are the Benefits of ISO 27001 Annex A 5.33 Protection of Records?
- Why is ISO 27001 5.33 Protection of Records important?
- Matrix of ISO 27001 Controls and ISO 27001 Attribute values
What is ISO 27001 Annex A 5.33 Protection Of Records?
ISO 27001 Annex A 5.33 Protection of Records is an ISO 27001 control that wants you to protect records in line with legal, regulatory, statutory and contractual requirements as well as societal and community expectations. It is about protecting records from unauthorised access, loss or destruction, tampering or falsification and unauthorised release and sharing.
What is the purpose of ISO 27001 Annex 5.33?
The purpose of ISO 27001 Annex A 5.33 Protection of Records is to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection and availability of records.
Organisations should have a clear understanding of their obligations when it comes to the protection of records and make sure that they adhere to those requirements.
What is the definition of ISO 27001 Annex 5.33?
The ISO 27001 standard defines ISO 27001 Annex A 5.33 Protection of Records as:
Records should be protected from loss, destruction, falsification, unauthorised access and unauthorised release.
ISO 27001:2022 Annex A 5.33
ISO 27001 Annex A 5.33 Protection Of Records Implementation Guide
What kinds of protection are included?
The kinds of protection expected include protecting the authenticity, reliability, integrity and usability of records. You will consider this protection in the context of the business and its requirements and how that changes over time.
What kind of records are included?
Records is just another term for the data and information an organisation retains and/or uses to carry out its day to day business activities. It can include:
- Individual events
- Work processes
You can manage any set of information as a record, irrespective of either its structure or its form.
Guidelines on how you store, transfer and dispose of records will be issued.
Topic specific policy on records management
You are going to implement an ISO 27001 Documents and Records Policy.
A retention schedule for records will be implemented that sets out how long you retain records.
The retention schedule will take into account where you operate and the legislation that applies to you, as recorded in your ISO 27001 legal register and covered in ISO 27001 Annex A 5.31 Legal, regulatory, statutory and contractual requirements.
You will implement procedures that destroy records in a safe and appropriate manner the moment they are no longer needed and/or after the end of the retention period defined in the retention schedule.
You will make sure that any storage procedures and processes include an acceptable timeframe for retrieval. These will also take into account any third party or external requests for records.
Where encryption is implemented as a control to mitigate risk you will, of course, ensure that the keys needed to decrypt the records remain available for the whole retention period. Consider the guidance in ISO 27001 Annex A 8.24.
You will follow the guidelines from the suppliers and manufacturers for storage and handling and you will take into account the possibility of media deteriorating over time.
The data that describes a record, its context, structure and other attributes is referred to as metadata and is seen as an essential component of any record.
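As an added illustration (not code from the article or from the ISO 27001 toolkit), the Python below ties together the retention schedule, disposal due dates and record metadata described above: each record carries metadata with its type, creation date and a content fingerprint, and a review flags records that are due for disposal or whose content no longer matches the fingerprint. The retention periods, record types and sample records are constructed assumptions, not values from the standard.

```python
import hashlib
from datetime import date, timedelta

# Constructed retention schedule (hypothetical periods, not from ISO 27001):
# record type -> retention period in days from the record's creation date.
RETENTION_SCHEDULE = {
    "invoice": 7 * 365,
    "audit_log": 2 * 365,
    "visitor_log": 90,
}

def fingerprint(content: bytes) -> str:
    """SHA-256 of the record content, captured in the metadata at creation.
    A plain hash detects accidental corruption and casual edits; if the
    metadata itself could be rewritten, store a keyed MAC or signature instead."""
    return hashlib.sha256(content).hexdigest()

def make_record(rid: str, rtype: str, created: date, content: bytes) -> dict:
    """Build a record whose metadata records its id, type, date and fingerprint."""
    meta = {"id": rid, "type": rtype, "created": created, "sha256": fingerprint(content)}
    return {"content": content, "metadata": meta}

def check_record(record: dict, today: date) -> dict:
    """Evaluate one record against the schedule and its integrity metadata."""
    meta = record["metadata"]
    expiry = meta["created"] + timedelta(days=RETENTION_SCHEDULE[meta["type"]])
    if fingerprint(record["content"]) != meta["sha256"]:
        status = "integrity_failure"   # content changed after the fingerprint was taken
    elif today >= expiry:
        status = "disposal_due"        # retention period has ended
    else:
        status = "retain"
    return {"id": meta["id"], "status": status, "expires": expiry.isoformat()}

def review_records(records: list, today: date) -> list:
    return [check_record(r, today) for r in records]

# Constructed sample records, including one tampered after creation.
SAMPLE = [
    make_record("INV-001", "invoice", date(2016, 3, 1), b"invoice total 100.00"),
    make_record("LOG-042", "audit_log", date(2024, 1, 15), b"user login ok"),
    make_record("VIS-007", "visitor_log", date(2024, 6, 1), b"visitor: A. Example"),
    make_record("LOG-099", "audit_log", date(2024, 1, 15), b"user login ok"),
]
SAMPLE[3]["content"] = b"user login failed"   # simulated falsification

def review_sample(today: date = date(2024, 9, 1)) -> list:
    return review_records(SAMPLE, today)

if __name__ == "__main__":
    for result in review_sample():
        print(result)
```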
ISO 27001 Protection of Records Templates
Having an ISO 27001 template for control 5.33 can help fast track your implementation. The ISO 27001 Document Toolkit is the ultimate resource for your ISO 27001 implementation, including all the documents and templates that you need for Annex A 5.33 Protection of Records. As always, we recommend that you seek legal advice.
What are the Benefits of ISO 27001 Annex A 5.33 Protection of Records?
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 5.33 Protection of Records:
- You cannot get ISO 27001 certification without it.
- Improved security: You will have an effective information security implementation that meets your external requirements for law, regulation, statute and contracts
- Reduced risk: You will reduce the information security risks of not meeting external requirements and obligations
- Improved compliance: Standards and regulations require you to meet your external requirements
- Reputation Protection: In the event of a breach, having an effective process in place for the legal, regulatory, statutory and contractual protection of records will reduce the potential for fines and reduce the PR impact of an event
Why is ISO 27001 5.33 Protection of Records important?
By putting in procedures and addressing protection of records requirements we seek to ensure that the business remains compliant with any legislation and protects records based on risk, business need, and legal, regulatory, statutory or societal expectations.
Matrix of ISO 27001 Controls and ISO 27001 Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability | Identify | Legal and compliance | Defence |