If you have been managing an Information Security Management System (ISMS) for a few years, you are likely aware that the ISO 27001 standard recently had a major refresh. While the management system itself stayed mostly the same, the Annex A controls, the specific actions we take to secure data, were rearranged and modernised. One area that saw a significant shift in its classification is the protection of records, now known as Annex A 5.33.
The Transition from 18.1.3 to 5.33
In the older ISO 27001:2013 version, the protection of records lived under Control 18.1.3. It was part of the “Compliance” domain, which meant it was often treated as a legal requirement or a task for the legal department to handle. The focus was heavily on ensuring that records were kept for the right amount of time to satisfy auditors and regulators.
Fast forward to the 2022 update, and this has been rebranded as Control 5.33: Protection of Records. It has moved from the compliance section into the “Organisational Controls” theme. This change is subtle but important. As highlighted by Hightable.io, moving this control into the organisational category suggests that record protection is no longer just a legal “tick-box” exercise; it is a fundamental part of how a modern business operates securely and efficiently.
What Exactly is Annex A 5.33?
The core objective remains familiar: an organisation must protect its records from loss, destruction, falsification, unauthorized access, and unauthorized release. These records can include everything from financial statements and personnel files to audit logs and customer contracts. Whether they are stored on paper or digitally in the cloud, they need to be managed throughout their entire lifecycle.
The 2022 version emphasizes that records must be kept in accordance with statutory, regulatory, contractual, and business requirements. The addition of “business requirements” is a key evolution. It acknowledges that some records are vital to the business not because a law says so, but because the business simply cannot function without them.
Key Differences You Need to Know
The most obvious difference is the consolidation. The 2022 version of the standard reduced the total number of controls from 114 to 93 by merging several similar concepts. While 5.33 remains a dedicated control, it now benefits from the new “Attributes” system. These attributes help you tag the control as “Integrity,” “Availability,” or “Confidentiality,” making it much easier to report on how you are protecting your data to stakeholders.
According to experts at Hightable.io, the 2022 version also places a greater emphasis on the “storage media” used for records. In the 2013 version, the world was still very much focused on local servers and physical filing cabinets. The 2022 version, Annex A 5.33, is designed with a “cloud-first” mindset, requiring organizations to consider how cloud service providers handle record retention and disposal.

Practical Steps for the Transition
If you are moving from the 2013 version to the 2022 version, you don’t necessarily need to reinvent the wheel for Annex A 5.33, but you do need to sharpen your focus. You should start by reviewing your record retention schedule. Does it cover digital assets, backups, and metadata? In the 2022 framework, the “protection” part of the control is just as important as the “retention” part.
You also need to ensure that your methods for destroying records are secure. It is no longer enough to just delete a file; you need to ensure that the data is unrecoverable, especially if it contains personal or sensitive information. This alignment with privacy standards like ISO 27701 is a hallmark of the 2022 update.
Why Does This Change Matter?
The shift to Annex A 5.33 reflects the reality of the modern digital landscape. We are creating more data than ever before, and that data is often spread across various platforms and jurisdictions. By treating the protection of records as an organizational control rather than just a legal one, ISO 27001:2022 encourages a more holistic and proactive approach to data management.
Ultimately, the transition is about making your ISMS more resilient. As noted by Hightable.io, when you protect your records correctly, you aren’t just passing an audit; you are protecting the historical and operational integrity of your entire company. If you are currently updating your Statement of Applicability (SoA), ensure that 5.33 is mapped correctly to your organizational policies to stay ahead of the curve.
