ISO 27001 Annex A 5.33, called Protection of Records, is a rule that asks you to keep records safe. You must protect your records based on rules from the law, government, and contracts. You also need to meet what society and the community expect. This means you must keep your records from being accessed by people who should not see them. It also means stopping them from being lost, broken, changed, or shared without permission.
What Is Information Classification?
Information classification is a way to sort different kinds of data. You decide how much security each piece of data needs. The purpose is to know what level of protection is right for each piece of information. The rule says you should classify information based on its confidentiality, integrity, and availability.
What is ISO 27001 Annex A 5.33?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Protection Of Records”.
What is the ISO 27001 Annex A 5.33 control objective?
The formal definition and control objective in the standard is: “Records should be protected from loss, destruction, falsification, unauthorised access and unauthorised release.”
What is the purpose of ISO 27001 Annex A 5.33?
The purpose of ISO 27001 Annex A 5.33 is “to ensure you comply with legal, statutory, regulatory and contractual requirements related to the protection and availability of records.”
Is ISO 27001 Annex A 5.33 Mandatory?
ISO 27001 Annex A control 5.33 (Protection Of Records in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.33 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
Decide on the Kinds of Protection
You need to figure out what kinds of safeguards your records will have. These safeguards should include keeping the records authentic, dependable, complete, and easy to use. You will think about this protection based on your business needs and how those needs might change later on.
Decide on the Kinds of Records
“Records” is simply another word for the facts and details your organization keeps and uses to do its daily work. This can include:
- Single events
- Deals
- Work steps
- Actions
- Duties
You can treat any group of information as a record, no matter what it looks like or how it is put together.
Issue Rules for Records
You will put out rules on how to keep, move, and get rid of your records.
Set Up a Policy for Records
You are going to put in place a specific policy for managing records, following the guidance of the ISO 27001 standard.
Make a Schedule for Keeping Records
You will start using a schedule that states exactly how long you must keep each record.
Mind the Law
You must follow the laws that apply to you and where you work. These laws are written down in your ISO 27001 legal list and are part of the ISO 27001 rules about legal and other requirements.
Destroy Records
You will set up steps to safely and correctly get rid of records as soon as they are no longer needed or once the time set by your keeping schedule has passed.
Classify Records
You will label your records according to your rules for information types and how to handle them, using your classification plan.
Set Time Limits for Finding Records
You must make sure your steps for storing records include an acceptable amount of time for finding them again. This must also take into account any times outside groups ask for your records.
Use Encryption
If you use encryption to help lower risk, you must, of course, make sure you have the keys to unlock the information. Look at the advice in the ISO 27001 guidance on using encryption.
Follow Maker’s Rules
You will follow the rules from the sellers and makers about how to store and handle your records. You will also keep in mind that storage items may wear out over time.
Use Metadata
The facts that describe a record, why it exists, how it is set up, and other key details are called metadata. This data is considered a necessary part of any record, because without it you cannot tell what a record is, how it should be classified, or when its retention period ends.
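The retention schedule, disposal, classification and metadata steps above fit together naturally in a small review routine. The following Python is an added illustration written for this page; it is not code from the ISO standard or from any particular product. The record categories, retention periods, dates and record identifiers are constructed sample values, and the integrity digest stored as part of each record's metadata is one way (not the only way) to detect falsification before a record is retained or destroyed.

```python
"""Record retention review: an added illustration, not from the ISO standard."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Retention schedule: number of days each record category must be kept.
# These figures are constructed sample values, not legal advice.
RETENTION_SCHEDULE = {
    "financial": 7 * 365,
    "hr": 6 * 365,
    "operational": 2 * 365,
}


@dataclass
class Record:
    record_id: str
    category: str             # drives the retention period
    classification: str       # e.g. "confidential", "internal", "public"
    created: date
    content: bytes
    filed_sha256: str         # digest captured when the record was filed
    legal_hold: bool = False  # a hold overrides the schedule


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_record(record_id, category, classification, created, content,
                legal_hold=False) -> Record:
    """File a record, capturing its digest as part of its metadata."""
    return Record(record_id, category, classification, created, content,
                  sha256_hex(content), legal_hold)


def integrity_ok(record: Record) -> bool:
    """Detect falsification: content must still match the filed digest."""
    return sha256_hex(record.content) == record.filed_sha256


def disposal_date(record: Record):
    """Earliest date the schedule allows disposal; None if the category is unknown."""
    days = RETENTION_SCHEDULE.get(record.category)
    if days is None:
        return None
    return record.created + timedelta(days=days)


def review(records, today: date) -> dict:
    """Sort records into dispose / retain / integrity_failure / unknown_category.

    Records that fail the integrity check or have no schedule entry are never
    marked for disposal; they are flagged so a person can investigate.
    """
    result = {"dispose": [], "retain": [], "integrity_failure": [], "unknown_category": []}
    for r in records:
        if not integrity_ok(r):
            result["integrity_failure"].append(r.record_id)
            continue
        due = disposal_date(r)
        if due is None:
            result["unknown_category"].append(r.record_id)
            continue
        if r.legal_hold or today < due:
            result["retain"].append(r.record_id)
        else:
            result["dispose"].append(r.record_id)
    return result


# Constructed sample records (identifiers and content are made up).
SAMPLE = [
    make_record("INV-0001", "financial", "confidential", date(2015, 1, 1), b"invoice 1"),
    make_record("OPS-0042", "operational", "internal", date(2023, 1, 1), b"change ticket"),
    make_record("HR-0007", "hr", "confidential", date(2010, 3, 1), b"contract", legal_hold=True),
    make_record("MKT-0003", "marketing", "public", date(2019, 5, 5), b"brochure"),
]
# Simulate a record altered after filing: its digest no longer matches.
tampered = make_record("INV-0002", "financial", "confidential", date(2016, 1, 1), b"invoice 2")
tampered.content = b"invoice 2 edited"
SAMPLE.append(tampered)

REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the sample run


def sample_review() -> dict:
    return review(SAMPLE, REVIEW_DATE)


if __name__ == "__main__":
    for bucket, ids in sample_review().items():
        print(f"{bucket}: {ids}")
```

The review never destroys anything itself; it produces a list for the disposal step, and anything it cannot vouch for (a failed digest, a category missing from the schedule) is held back rather than disposed of by default.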