ISO 27001 Protection of Records refers to the ISO 27001:2022 Annex A 5.33 Protection Of Records control. It is about keeping important records and documents safe from damage, loss, or unauthorised changes. It ensures that information is protected throughout its life, from when it is created until it is no longer needed. This covers both physical and digital records. The goal is to make sure records are available, accurate, and trustworthy whenever they are needed.
Examples
- Financial Records: Keeping bank statements and invoices safe for seven years so they can be reviewed by auditors.
- HR Files: Storing employee contracts and performance reviews in a locked cabinet or a secure, encrypted digital folder.
- Legal Documents: Making sure that contracts and agreements are signed and then stored in a way that prevents them from being changed without permission.
- Medical Records: Protecting patient health information in a secure database that only authorised medical staff can access.
Context
Organisations create many kinds of records, and many of these records are crucial for legal, business, and historical reasons. The Protection of Records control helps a company meet legal requirements, such as those related to data privacy and financial reporting. It also supports good business practices by making sure that reliable information is always available. By protecting records, a company can prove its actions, defend itself in legal disputes, and ensure a clear history of its operations. This control is vital for maintaining trust and transparency.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to protection of records:
- ISO 27001:2022 Annex A 5.33 Protection Of Records: the main ISO 27001 control for protecting records.
- ISO 27001:2022 Annex A 5.1 Policies For Information Security: Policies and rules that guide how records should be protected.
- ISO 27001:2022 Annex A 5.10 Acceptable Use Of Information And Other Associated Assets: Making sure employees handle records correctly and with care.
- ISO 27001:2022 Annex A 5.18 Access Rights: Limiting who can view, edit, or delete records.
- ISO 27001:2022 Annex A 5.19 Information Security In Supplier Relationships: Ensuring that any company you work with also protects your records.
- ISO 27001:2022 Annex A 5.23 Information Security For Use Of Cloud Services: Securing records stored on cloud platforms.
- ISO 27001:2022 Annex A 6.4 Disciplinary Process: Having a process to handle situations where someone misuses or mishandles records.
- ISO 27001:2022 Annex A 7.4 Physical Security Monitoring: Using cameras or guards to protect physical records from theft or damage.
- ISO 27001:2022 Annex A 8.8 Management Of Technical Vulnerabilities: Finding and fixing weaknesses in systems that store digital records.
- ISO 27001:2022 Annex A 8.9 Configuration Management: Making sure the settings on systems that store records are secure and correct.
- ISO 27001:2022 Annex A 8.28 Secure Coding: Writing software code in a way that protects digital records from being misused or stolen.