ISO 27001 Annex A 5.33

Records are evidence - protect them through their full retention period.

ISO 27001 Annex A 5.33 - Protection of Records

Records are not the same as live working data. They are the formal evidence the organisation needs to keep - financial records, regulatory records, contracts, employment records, audit logs, training records, the management system records themselves. Each of those carries an obligation that may run for years, and the protection has to last as long as the obligation does.

The protection covers the full range of risks. Loss through technical failure or accidental deletion needs to be prevented through backup, replication and retention controls. Destruction through deliberate or accidental action needs to be prevented through access control and authorisation. Falsification needs to be prevented through audit logs and integrity controls. Unauthorised access and release need to be prevented through classification and access controls applied at record level.

Retention has to be defined. Records held forever are a risk in their own right, particularly for personal data, which has to be deleted when no longer needed under UK GDPR. The retention schedule should set the period for each category of record, the trigger that starts the clock, the point at which deletion falls due and the secure disposal route. The schedule needs to balance regulatory minimums against the data minimisation principle.

The retention schedule is the practical anchor for this control. Without it, records pile up because no one wants to be the person who deleted something they should have kept. With it, deletion becomes routine and defensible. The schedule needs to be linked to the legal register so the retention periods reflect the actual regulatory requirements.
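The retention schedule described above, worked through as an added example (not part of the original page or the alphaZ toolkit): each category gets a trigger event, a period and a disposal route, and each record is evaluated against it. The schedule entries, record ids and event names are constructed; the periods use the UK reference points quoted on this page (seven years for financial records, six years after end of employment for staff records).

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class RetentionRule:
    trigger: str         # record event that starts the retention clock
    years: int           # period from the legal register (regulatory minimum)
    disposal_route: str  # secure disposal method for this category

# Constructed schedule; periods are the UK reference points quoted on this page
SCHEDULE = {
    "financial":  RetentionRule("created", 7, "secure-shred"),
    "employment": RetentionRule("employment_ended", 6, "crypto-erase"),
}

@dataclass
class Record:
    record_id: str
    category: str
    events: dict = field(default_factory=dict)  # event name -> date

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, month=3, day=1)

def disposal_status(record: Record, today: date, schedule=SCHEDULE):
    """Return (status, due_date, disposal_route). 'unscheduled' flags a category
    with no rule: a gap to fix, not a reason to keep the record indefinitely."""
    rule = schedule.get(record.category)
    if rule is None:
        return ("unscheduled", None, None)
    start = record.events.get(rule.trigger)
    if start is None:  # trigger has not happened yet, e.g. still employed
        return ("awaiting_trigger", None, rule.disposal_route)
    due = add_years(start, rule.years)
    return ("dispose" if today >= due else "retain", due, rule.disposal_route)

def due_for_disposal(records, today: date, schedule=SCHEDULE):
    """(record_id, disposal_route) for every record whose period has expired."""
    evaluated = [(r, disposal_status(r, today, schedule)) for r in records]
    return [(r.record_id, route) for r, (status, _, route) in evaluated
            if status == "dispose"]

SAMPLE = [  # constructed sample records
    Record("INV-2017-001", "financial", {"created": date(2017, 3, 1)}),
    Record("HR-0042", "employment", {"created": date(2015, 9, 1)}),
    Record("HR-0043", "employment", {"employment_ended": date(2020, 1, 15)}),
    Record("MISC-7", "marketing", {"created": date(2012, 5, 5)}),
]
```

Run `due_for_disposal(SAMPLE, date.today())` against the document register to get the disposal worklist; anything reported as `unscheduled` is a category missing from the schedule and should be raised against the legal register rather than left to accumulate.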

Practical Compliance Guidance

Records protection is described across several sections of the IMS1 manual including section 4 on management system documentation, section 7.5 on documented information, and section 8.5 alongside the topic-specific Backup and Privacy policies.

alphaZ document | How to use it
ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.
F-IMS20 Document Register | The document register holding the master record of controlled documents including retention periods. Use as the basis for tracking which records exist, who owns them, and when they should be reviewed or disposed of.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What is the difference between documents and records?

Documents describe how the organisation does things - policies, procedures, manuals - and tend to evolve over time. Records are the evidence that things have been done - signed forms, completed checklists, audit reports - and tend to be fixed once created. ISO 27001 Clause 7.5 covers documented information generally; A.5.33 focuses on the protection of records specifically.

How long do records have to be kept?

For as long as legal, regulatory or contractual obligations require, plus any period the organisation needs them for operational reasons. The retention schedule should set the period for each category. Common UK reference points include seven years for many financial records, six years after end of employment for staff records, and varying periods for specific regulatory categories.

Do records ever have to be deleted?

Yes, particularly for personal data, which has to be deleted when no longer needed under UK GDPR. Deletion should be secure - simple file deletion is not enough for sensitive records. The disposal route should be documented in the retention schedule, with evidence of disposal kept where required.
