ISO 27001:2022 Annex A Control 5.33: Protection of Records

Annex 5.33 covers the protection of records from destruction, damage or loss, encouraging active measures to keep records safe and secure. The term ‘records’ is used to address any information and data stored or utilities by an organisation, including transactions, work processes, activities, individual events, and functions.

This can include datasets, documents, or other information which is “generated, acquired, and managed in the context of business”, according to ISO.

The importance of control 5.33

Protecting data is a key responsibility of any business, regardless of size or sector. From financial details to personal data to operational information, it’s important to adhere to all the necessary regulations at all times.

Control 5.33 aims to support businesses in these efforts, addressing the protection of business records against five notable risks: unauthorised access, unauthorised release or publication, falsification, loss and destruction.

Understanding control 5.33

An organisation’s record requirements can change from day to day, both in terms of type and quantity, and this is something that Annex 5.33 acknowledges. The control identifies four main attributes for record management, those being useability, integrity, authenticity and reliability.

There are eight essential guidelines outlined in control 5.33 which organisations must adhere to. These are:

• Publishing guidelines that address the four functions listed above, as well as topic-specific policies covering record disposal, preventing manipulations, record storage and the record handling chain of custody.

• Maintaining a records retention schedule specifying how long differing kinds of records should be kept in connection to their purpose within the business.

• Outlining storage and handling processes which consider any prevailing laws around commercial record keeping, and wider society expectations for how businesses should handle records.

• Destroying records securely as soon as their retention period comes to an end.

• Categorising records according to security risk, retention period and type. This should cover personnel records, legal records, accounting records and business transactions.

• Allowing an adequate length of time for retrieval if requested by a third party or internally.

• Reducing the risk of access or records recovery being hindered by changes in technology.

• Taking proper account for media deterioration, and following manufacturer instructions on holding and managing electronic records.

What’s changed since 2013?

Replacing ISO 27001:2013 Annex A Control 18.1.3, control 5.33 recognises how challenging it can be to define a business record, offering a range of examples from ISO which are not present in the 2013 version.

The newer version also includes two guidance points that form the basis of an organisation’s record policy, which are not included in the 2013 version. The 2022 version also references Metadata as an “essential component” in record management, whereas the 2013 version fails to mention it at all.