This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.33 Protection of records.
ISO 27001: 2022 Control Description
Records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release.
Purpose
To ensure compliance with legal, statutory, regulatory, and contractual requirements related to the protection and availability of records.
Guidance on implementation
The organisation should take the following steps to protect the authenticity, reliability, integrity, and usability of records, as their business context and requirements for their management change over time:
a) Issue guidelines on the storage, handling, chain of custody, and disposal of records, including prevention of manipulation of records. These guidelines should be aligned with the organisation’s topic-specific policy on records management and other records requirements;
b) Determine a retention schedule defining records and the period for which they should be retained. The system of storage and handling should ensure identification of records and their retention period, taking into consideration national or regional legislation or regulations, as well as community or societal expectations, if applicable. This system should permit appropriate destruction of records after that period if they are no longer needed by the organisation.
When deciding on the protection of specific organisational records, their corresponding information security classification, based on the organisation’s classification scheme, should be considered. Records should be categorised into record types (e.g. accounting records, business transaction records, personnel records, legal records), each with details of retention periods and the type of allowable storage media, whether physical or electronic.
Data storage systems should be selected so that required records can be retrieved in an acceptable time frame and format, depending on the requirements to be fulfilled.
Where electronic storage media are chosen, procedures to ensure the ability to access records (both storage media and format readability) throughout the retention period should be established to safeguard against loss due to future technology changes. Any related cryptographic keys and programmes associated with encrypted archives or digital signatures should also be retained to enable decryption of the records for the length of time they are retained.
Storage and handling procedures should be implemented in accordance with recommendations provided by manufacturers of storage media. Consideration should be given to the possibility of deterioration of the media used for storage of records.
Other Information
Records document individual events or transactions, or can form aggregations designed to document work processes, activities, or functions. They are both evidence of business activity and information assets. Any set of information, regardless of its structure or form, can be managed as a record. This includes information in the form of a document, a collection of data, or other types of digital or analogue information created, captured, and managed in the course of business.
In the management of records, metadata is data describing the context, content, and structure of records, as well as their management over time. Metadata is an essential component of any record.
It may be necessary to retain some records securely to meet legal, statutory, regulatory, or contractual requirements, as well as to support essential business activities. National law or regulation can set the time period and data content for information retention.