ISO 27001:2022 A 5.33 Protection of records

Audio version of the article

ISO defines record as “information created, received and maintained as evidence and as an asset by an organization or person, in pursuit of legal obligations or in the transaction of business” Records, within the scope of IS, are another term for the data and information an organisation retains and/or uses to carry out its day to day business activities, including but not limited to Individual events, Transactions, Work processes, Activities, Functions. Organisation has an obligation to ensure that any record it has including but not limited to any persons, financial information or areas of operations kept safe and secure, and internal procedures remain compliant with all prevailing requirements. This control deals with the protection of records against Loss, Destruction, Falsification, Unauthorized ,access, Unauthorized release or publication.


Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.


To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records.

ISO 27002 Implementation Guidance

The organization should take the following steps to protect the authenticity, reliability, integrity and usability of records, as their business context and requirements for their management change over time:
a) issue guidelines on the storage, handling chain of custody and disposal of records, which includes prevention of manipulation of records. These guidelines should be aligned with the organization’s topic-specific policy on records management and other records requirements;
b) draw up a retention schedule defining records and the period of time for which they should be retained.
The system of storage and handling should ensure identification of records and of their retention period taking into consideration national or regional legislation or regulations, as well as community or societal expectations, if applicable. This system should permit appropriate destruction of records after that period if they are not needed by the organization.
When deciding on protection of specific organizational records, their corresponding information security classification, based on the organization’s classification scheme, should be considered.
Records should be categorized into record types (e.g. accounting records, business transaction records, personnel records, legal records), each with details of retention periods and type of allowable storage media which can be physical or electronic.
Data storage systems should be chosen such that required records can be retrieved in an acceptable time frame and format, depending on the requirements to be fulfilled.
Where electronic storage media are chosen, procedures to ensure the ability to access records (both storage media and format readability) throughout the retention period should be established to safeguard against loss due to future technology change. Any related cryptographic keys and programs associated with encrypted archives or digital signatures, should also be retained to enable decryption of the records for the length of time the records are retained (see 8.24).
Storage and handling procedures should be implemented in accordance with recommendations provided by manufacturers of storage media. Consideration should be given to the possibility of deterioration of media used for storage of records.

Other information

Records document individual events or transactions or can form aggregations that have been designed to document work processes, activities or functions. They are both evidence of business activity and information assets. Any set of information, regardless of its structure or form, can be managed as a record. This includes information in the form of a document, a collection of data or other types of digital or analogue information which are created, captured and managed in the course of business. In the management of records, metadata is data describing the context, content and structure of records, as well as their management over time. Metadata is an essential component of any record. It can be necessary to retain some records securely to meet legal, statutory, regulatory or contractual requirements, as well as to support essential business activities. National law or regulation can set the time period and data content for information retention. Further information about records management can be found in ISO 15489.

A good control describes how records are protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with the legislator, regulatory, contractual and business requirements. Different types of record will likely require different levels and methods of protection. It is critical that records are adequately and proportionality protected against loss, destruction, falsification, unauthorized access or release. The protection of records must comply with any relevant legislation, regulation or contractual obligations. It is especially important to understand how long records must, should or could be kept for and what technical or physical issues might affect these over time – bearing in mind that some legislation might trump others for retention and protection. The auditor will be checking to see that considerations for the protection of records have been made based on business requirements, legal, regulatory and contractual obligations. The organizations deal with the issues inherent in managing organizational records and data, whether electronic or in the paper. As part of the compliance controls at every organization, important records as well as records we are legally obligated to retain the need to be protected from loss, destruction, and falsification.An established record is valuable if it is authentic, reliable, usable, and well-maintained integrity. Regardless of the format of data, whether it is on paper or digital, it requires protection. Evidently, there are pros and cons to both formats of data-keeping. While paper documents are less susceptible to issues such as non-availability and tampering; issues such as consumption of storage, transport, and physical damage are common vulnerabilities of paper-based documents. On the other hand, digital records are flexible, amendable, easily movable, and so forth. Nonetheless, digital records are susceptible to attacks capable of compromising confidentiality, integrity, and availability of digital records. Moreover, digital records require to be safe while at rest, in transit, and in processing, which in a sense makes them more susceptible to cyber-attacks.An organisation should establish, implement, and communicate record-keeping policies and procedures. Some organisations might prefer to have the whole subject in a separate document, while others keep it as a part of the information security policy. A better practice is to establish a label handling and transfer policy/procedure. An organisation’s needs are fluid when it comes to the amount and type of records that are required to do business from one day to the next. Records can be categorized as

  • Authenticity
  • Reliability
  • Integrity
  • Useability

Within the scope of these attributes, organisations must draft and publish guidelines that deal with four main functions, alongside topic-specific policies that caters to the underlying nature of the records in question:

  • Record storage
  • Record handling chain of custody
  • Record disposal
  • Preventing manipulation

It must maintain a functional records retention schedule that clearly outlines the length of time that records of differing types should be retained, relating to their individual business function. I must create storage and handling procedures that take into account:

  • any prevailing laws that deal with commercial record keeping
  • “community and societal” expectations of how an organisation should handle its records

It implement procedures that destroy records in a safe and appropriate manner the moment they’re not needed after leaving the retention period and classify records for protection (including appropriate retention periods and storage media used) based on their security risk, and various types, including (but not limited to):

  • Accounting records
  • Business transactions
  • Personnel records
  • Legal records

It must ensure that any storage procedures cater for an acceptable time frame for retrieval, should the organisation be asked to produce them by a third party, or for internal use. Where electronic media is used to store records, consider and mitigate the possibility of access to or retrieval of records being inhibited by technological amendments, including the retention of cryptographic information and adhere to manufacturer guidelines when storing or handling records on or via electronic media, including adequate consideration for the natural deterioration of said media.

ISO has a separate standard, ISO 15489 “Information and Documentation — Records Management.” This standard goes into greater detail about how an organizations recognizes the context in which records are created, received, used, stored, and destroyed as an implicit part of the data governance process. This “records management” function may be placed anywhere in organizations, and sometimes it is part of an organization’s IT structure. Regardless, records management has components of compliance that are unavoidable. Organization’s policies and guidelines on retention, storage, handling, and disposal of records should be reviewed. Oftentimes this will require a security control to ensure that these policies and guidelines are carried out properly. Policies that protect records from loss, destruction, or falsification. The related classification based on the organization’s classification scheme is to be taken into account when determining whether to secure relevant organizational documents. Categorized records in the following types of records, such as accounting records, database records, transaction records, audit logs, and operating procedures, should include details on retention periods and the type of media permitted for storage, such as paper, microfiche, magnetic, optical. Any associated encryption keys and programs related to encrypted or digital signatures must also be stored so that records are decrypted for a period of time during which records are kept. The possibility of media deterioration used for record storage should be taken into consideration. In accordance with the manufacturer ‘s recommendations, storage and handling procedures should be implemented. When electronic storage media are selected, protocols should be developed in order to protect against loss due to potential technical changes to ensure access for data (either media or format readability) over the retention period. Data storage systems should be assigned so that the data required can be recovered, depending on the requirements to be fulfilled, in a time and format acceptable. The storage and handling system should, if appropriate, ensure that records and their retention periods are known as specified in national or regional laws. After that period, if records are not required by the organization, this system should allow appropriate destruction. The following steps should be taken by an organization in order to achieve these record safeguarding goals:

  • Guidelines should be provided with regard to documents and information processing, storage, handling and disposal;
  • A schedule for retention of records and the period for which they should be retained should be defined.
  • An inventory of main information sources should be maintained.

Those documents need to be maintained safely to satisfy legislative, regulatory, or contractual requirements and to maintain key business operations. Examples include documents that might be necessary to show the legislative or regulatory operation of an entity to protect it from the potential civil or criminal acts of the public and to clarify to shareholders, external parties, and auditors the financial position of an organization. The period of time and data content for the retention of information may be determined by national law or regulation.

Leave a Reply