The basics
ISO 27001 control A.5.33 Protection of records requires companies to ensure that records are not lost, disclosed, or changed without proper authorization, so that they are available and reliable for use when needed.
Documentation
ISO 27001 control A.5.33 Protection of records can be documented:
- for smaller and mid-sized companies by writing a Procedure for Document and Record Control
- for larger companies by writing a Procedure for Protection of Records
These documents are not mandatory but are recommended.
Implementation
In order to comply with control A.5.33 Protection of records you might implement the following:
- Technology: the technology used to protect records may include software (e.g., access control software, backup software, digital signatures, a document management system) and hardware (e.g., secure cabinets).
- Organization/processes: set up a process that defines how records are organized, the criteria for deciding which records need what kind of protection, how long records are retained, and who is responsible for protecting them. You can document this process in a Procedure for Document and Record Control or a Procedure for Protection of Records.
- People: make employees aware of why records must be protected, and train them in how to protect the records under their responsibility.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.33 Protection of records: that records are not lost, disclosed, or changed without proper authorization.