ISO 27001 Annex A 5.33 Protection Of Records


What is ISO 27001 Annex A 5.33 Protection Of Records?

ISO 27001 Annex A 5.33 is a control governing the lifecycle of organisational records. It ensures records remain legible, identifiable, and retrievable. The process must be integrated into business-as-usual tools like SharePoint. This prevents unauthorised alteration or destruction. Compliance requires following legal, statutory, and contractual retention periods.

Auditor’s Eye: The Shortcut Trap

Many organisations rely on “Black Box” SaaS platforms to store compliance evidence. This creates a dangerous decoupling from daily operations. Auditors prefer seeing records within your native environment, such as SharePoint or Jira. Automated platforms often hide the true state of record integrity. We look for version history and restricted permissions that you control directly. If an auditor cannot see how you manage record destruction internally, you risk a major non-conformity. Direct management shows true ownership of the ISMS.

2013 Control Reference: A.18.1.3 Protection of records
2022 Control Reference: 5.33 Protection of records
Key Changes: The 2022 version maintains the core requirement. It clarifies the scope to include electronic and physical records.

How to Implement ISO 27001 Annex A 5.33 (Step-by-Step)

Implementing record protection requires a robust Document-Based Management System (DBMS). Use existing tools such as SharePoint to create a secure environment; this makes record-keeping a cultural habit rather than a software task. Start by identifying every record type your ISMS generates. In short, successful implementation requires a documented retention schedule linked to specific technical access controls in your internal file systems.

  • Identify Records: List all logs, reports, and evidence required by the ISMS in SharePoint.
  • Define Retention: Set periods for each record based on GDPR or industry laws.
  • Secure Storage: Apply “Read-Only” permissions to historical records in Confluence or SharePoint.
  • Monitor Integrity: Enable audit logs to track who accesses or attempts to change records.
  • Authorise Disposal: Use Jira workflows to manage the approval of record destruction after expiry.

ISO 27001 Annex A 5.33 Audit Evidence Checklist

  • Master Record Retention Schedule with assigned owners and legal references.
  • SharePoint versioning history proving that records have not been altered.
  • Technical configuration screenshots showing restricted “Delete” permissions.
  • Jira tickets documenting the formal request and approval for record disposal.
  • Backup restoration test results for archival data stored off-site.

Relational Mapping

  • Clause 7.5: Documented information requirements.
  • Annex A 5.31: Legal, statutory, regulatory, and contractual requirements.
  • Annex A 8.10: Information deletion.

Auditor Interview

Auditor: How do you ensure your records are not accidentally deleted by staff?

Manager: We use SharePoint folder permissions. Most staff have “Contribute” access for policies but “Read-Only” for historical records.

Auditor: Can you show me the destruction log for 2024?

Manager: Yes. We track destruction approvals in this Jira project. It shows the manager who authorised the deletion.

Common Non-Conformities

  • Automated Complacency: Records are kept in a SaaS tool with no internal backup or control. Corrective action: migrate records to internal SharePoint libraries with managed permissions.
  • Mismatched Retention: Records are deleted before the legal retention period expires. Corrective action: link the SharePoint retention labels directly to the Legal Register.
  • Illegible Evidence: Old digital records cannot be opened due to obsolete software. Corrective action: include file format checks in the annual record review process.

Frequently Asked Questions

What is the difference between a document and a record?

A document is information that can change, such as a policy. A record is evidence of a past event and must not change. In SharePoint, you manage policies with versioning. You manage records with “lock” or “read-only” status to ensure their integrity remains intact for auditors.

How long must ISO 27001 records be kept?

The standard does not set a specific time. You must follow local laws like GDPR or specific client contracts. Usually, three years is the minimum to cover an audit cycle. Document these specific periods in your internal retention schedule in SharePoint to ensure compliance.

Do we need to encrypt all stored records?

Encryption should be based on the record’s classification. Confidential records, such as HR files or audit reports, must be encrypted at rest. Use BitLocker or SharePoint’s native encryption features. Document these technical controls in your Information Handling Procedure to provide evidence of protection.
