ISO 27001 control 5.33: protection of records

Records don’t just document what happened. They’re the evidence organizations rely on during regulatory audits, legal disputes, and security investigations. When record protection fails, it’s not a filing problem. It’s an operational crisis where the proof you need to defend your organization no longer exists or can no longer be trusted.

ISO 27001 control 5.33 addresses this directly by requiring organizations to protect records from loss, destruction, falsification, unauthorized access, and unauthorized release throughout their entire retention lifecycle.

What 5.33 requires

Control 5.33 mandates that organizations actively protect records from loss, destruction, falsification, unauthorized access, and unauthorized release. Protection must span the full retention lifecycle, from creation through archival to eventual secure destruction.

The control rests on three pillars. Integrity ensures records remain unaltered and that any alteration is detectable. Availability guarantees they can be retrieved when needed, whether for an audit next week or a legal hold three years from now. Confidentiality restricts access to authorized personnel only.

“Records” in this context means any documented evidence the organization is required to retain. That includes audit logs, contracts, Human Resources (HR) files, financial transactions, system configurations, and meeting minutes. The scope is broad because the consequences of losing any of these categories are specific and severe.

The critical dimension most teams underestimate is the legal and regulatory obligation layer. Retention periods for tax records, employment files, and audit trails are set by statute, regulation, or contract. They aren’t discretionary. Control 5.33 requires that protection measures align with these obligations, ensuring records survive intact for the full legally mandated period.

Why 5.33 matters

An organization preparing for a regulatory audit discovers that its backup encryption keys were rotated 18 months earlier without archiving the old keys. Years of encrypted records are now unreadable. The records exist, but they’re functionally destroyed. The audit fails, the regulator escalates, and the organization faces both fines and a mandatory remediation program.

This scenario represents the core risk 5.33 addresses. Record protection failures create three overlapping risk categories:

  • Regulatory non-compliance: Triggers penalties and mandatory corrective actions.
  • Legal exposure: Arises when tampered or missing records undermine defensibility in disputes.
  • Operational disruption: Follows when teams can’t retrieve the documentation they need to function.

These aren’t hypothetical patterns. Ransomware campaigns increasingly target backup systems specifically because attackers understand that destroying an organization’s ability to recover records maximizes leverage. These campaigns exploit gaps in attack surface management that leave backup infrastructure exposed. According to IBM’s 2025 Cost of a Data Breach Report, the global average cost of a data breach reached $4.44 million, with incidents involving destroyed or compromised records driving costs significantly higher through extended detection and recovery timelines.

What attackers exploit

  • Unencrypted record repositories accessible through lateral movement after initial compromise
  • Backup systems with shared or stale credentials that haven’t been rotated since deployment
  • Audit logs stored on the same systems they monitor, creating a single point of failure where an attacker can cover their tracks
  • Retention gaps where records are destroyed before legal hold requirements are met, leaving organizations unable to produce evidence during investigations
  • Missing integrity verification with no checksums or Write Once Read Many (WORM) storage, enabling silent tampering that goes undetected for months
  • Over-permissioned access to record management systems where administrative privileges are broadly distributed

How to implement 5.33

For your organization (first-party)

Effective implementation follows a structured sequence where each step builds on the previous one.

1. Build a records inventory. Catalog every record type across the organization, identifying the owner, storage location, format, and applicable retention period for each category. Most organizations discover record types they didn’t know they were responsible for during this exercise.

2. Define a retention schedule. Map each record category to specific legal, regulatory, or contractual retention requirements. Tax records, employment files, audit logs, and contractual documents each carry different retention timelines. Document the legal citation for each retention period so the rationale is auditable.

3. Implement access controls. Apply role-based access with least privilege to all record repositories. Administrative access to record stores should require Multi-Factor Authentication (MFA). Quarterly access reviews verify that permissions haven’t drifted beyond what’s necessary.

4. Deploy integrity protections. Use cryptographic hashing to detect unauthorized modifications. For immutable audit trails, deploy WORM storage that prevents records from being overwritten or deleted before their retention period expires. Enable versioning with tamper detection on all critical record stores.

5. Establish backup and recovery. Automate backups to geographically separate locations. Encrypt backup media and manage encryption keys independently from the backup systems themselves. Test restore procedures at least quarterly, because backup systems that haven’t been tested are assumptions, not controls.

6. Automate lifecycle management. Configure retention rules in your Document Management System (DMS) or cloud storage platform with automated archival workflows and secure destruction triggers. Manual lifecycle management doesn’t scale and introduces human error at every stage.

7. Manage encryption keys. Archive decryption keys separately from the encrypted records they protect. During key rotation, verify that previously encrypted records remain decryptable with archived keys. This is the specific failure mode that causes the most preventable record loss.

8. Document and train. Maintain a records management policy that staff can actually follow. Train personnel on handling classified records and establish incident response procedures for record compromise events.
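Steps 4 and 7 above are the ones that break silently, so here is a runnable sketch of them. This is an added example written for this article, not UpGuard code and not any product's API; the class and function names (RecordStore, scenario), the key identifiers k1 and k2, and the sample record bodies are all constructed for the illustration. It uses only the Python standard library, so integrity is shown with per-key-version HMAC tags rather than encryption; the key-archival discipline is identical for encryption keys, and the "rotation_without_archival" scenario reproduces the failure mode from step 7 and the opening scenario. The manifest is hash-chained, so an edited body, a removed entry, or a reordered entry each produce a finding from verify().

```python
"""Records store sketch for the 5.33 implementation steps above.

Added example written for this article; not UpGuard code and not a product API.
Standard library only. Each record's integrity tag is an HMAC keyed by a
versioned key, and the manifest is hash-chained so that silent edits, removals
and reorderings are detectable (steps 4 and 7).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

GENESIS = "0" * 64  # chain anchor for the first manifest entry


@dataclass
class Record:
    record_id: str
    body: bytes
    key_id: str       # key version used for `tag`; must never be dropped from the keyring
    tag: str          # HMAC-SHA256 over record_id, key_id and body
    prev_hash: str    # entry_hash of the preceding manifest entry
    entry_hash: str   # hash of this entry's metadata, chained into the next entry


class RecordStore:
    """Append-only manifest with keyed integrity tags and an archived keyring."""

    def __init__(self) -> None:
        self.keyring: dict[str, bytes] = {}   # key_id -> key; archived keys stay here
        self.active_key_id = ""
        self.records: list[Record] = []
        self.rotate_key()

    def rotate_key(self) -> str:
        """Issue a new active key. Old keys are kept so old tags stay verifiable."""
        key_id = f"k{len(self.keyring) + 1}"
        self.keyring[key_id] = secrets.token_bytes(32)
        self.active_key_id = key_id
        return key_id

    def _tag(self, key_id: str, record_id: str, body: bytes) -> str:
        msg = b"\x00".join([record_id.encode(), key_id.encode(), body])
        return hmac.new(self.keyring[key_id], msg, hashlib.sha256).hexdigest()

    @staticmethod
    def _entry_hash(record_id: str, key_id: str, tag: str, prev_hash: str) -> str:
        return hashlib.sha256(f"{record_id}|{key_id}|{tag}|{prev_hash}".encode()).hexdigest()

    def append(self, record_id: str, body: bytes) -> Record:
        key_id = self.active_key_id
        tag = self._tag(key_id, record_id, body)
        prev = self.records[-1].entry_hash if self.records else GENESIS
        rec = Record(record_id, body, key_id, tag, prev,
                     self._entry_hash(record_id, key_id, tag, prev))
        self.records.append(rec)
        return rec

    def verify(self) -> list[str]:
        """Walk the manifest; an empty list means every record is intact and verifiable.

        Deleting the *last* entry is not caught by the chain alone: the current
        head hash must be anchored outside the store (WORM object, signed log).
        """
        findings: list[str] = []
        prev = GENESIS
        for pos, rec in enumerate(self.records):
            if rec.prev_hash != prev:
                findings.append(f"{rec.record_id}: chain break at position {pos} (entry removed or reordered)")
            if rec.entry_hash != self._entry_hash(rec.record_id, rec.key_id, rec.tag, rec.prev_hash):
                findings.append(f"{rec.record_id}: manifest entry altered")
            if rec.key_id not in self.keyring:
                findings.append(f"{rec.record_id}: key {rec.key_id} not archived; record cannot be verified")
            elif not hmac.compare_digest(rec.tag, self._tag(rec.key_id, rec.record_id, rec.body)):
                findings.append(f"{rec.record_id}: body does not match its integrity tag")
            prev = rec.entry_hash
        return findings


def build_store() -> RecordStore:
    """Two retention years of constructed sample records across one key rotation."""
    store = RecordStore()
    store.append("tax-2023-q4", b"constructed sample: VAT return, 2023 Q4")
    store.rotate_key()  # routine annual rotation; k1 remains archived in the keyring
    store.append("tax-2024-q4", b"constructed sample: VAT return, 2024 Q4")
    return store


def scenario(name: str) -> list[str]:
    """Apply one failure mode from the article to a fresh store and return verify() findings."""
    store = build_store()
    if name == "rotation_with_archival":
        pass                                   # step 7 done right: nothing to report
    elif name == "rotation_without_archival":
        del store.keyring["k1"]                # the key-rotation scenario from the article
    elif name == "silent_edit":
        store.records[0].body = b"constructed sample: VAT return, 2023 Q4 (amended)"
    elif name == "entry_removed":
        del store.records[0]                   # destruction before retention expiry
    else:
        raise ValueError(name)
    return store.verify()


if __name__ == "__main__":
    for s in ("rotation_with_archival", "rotation_without_archival", "silent_edit", "entry_removed"):
        print(f"{s}: {scenario(s) or 'OK'}")
```

Running the file prints one line per scenario; only the first reports OK. The store is in-memory to keep the example self-contained. In a real deployment the manifest head hash belongs on WORM storage and the keyring in a KMS or HSM where archived key versions are disabled for new use but never deleted, which is the control step 7 describes.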

Common implementation mistakes:

  • Treating storage as protection. Backing up records without integrity verification or access controls creates copies of vulnerable data, not protected records.
  • Ignoring media degradation. Records on aging storage media become unreadable over time if media health isn’t monitored and refreshed.
  • Missing key archival. Encrypting records then losing decryption keys during routine key rotation is one of the most common and most preventable causes of record loss.
  • No destruction verification. Deleting files without confirming secure erasure leaves recoverable data that may violate retention and disposal requirements.
  • Siloed retention schedules. Different departments maintaining conflicting retention periods for the same record types creates compliance gaps that auditors will find.

For your vendors (third-party assessment)

When assessing vendors against 5.33, ask targeted questions that reveal operational maturity rather than the mere existence of a policy, and run them through a structured vendor risk assessment process so every supplier in your supply chain is evaluated the same way.

Security questionnaire questions:

  • “Describe your records retention policy and how retention periods are determined.”
  • “How do you protect audit logs from tampering or unauthorized access?”
  • “What encryption is applied to records at rest and in transit?”
  • “How do you handle record destruction at contract termination?”

Evidence to request: Records management policy, documented retention schedule, backup configuration documentation, access control logs for record repositories, and secure destruction certificates.

Red flags to watch for:

  • No formal retention schedule
  • Records stored without encryption at rest
  • Backup systems using shared credentials
  • No documented destruction process
  • Inability to produce records from 12 or more months ago on request

Verification beyond self-attestation: Request a System and Organization Controls (SOC) 2 Type II report covering the CC6 (logical and physical access) and CC7 (system operations) criteria. Ask for sample destruction certificates. Test record retrieval by requesting specific historical documents during the assessment period.

Audit evidence for 5.33

Auditors expect documented proof that your organization has implemented, operates, and reviews record protection controls. The following evidence types map directly to what external auditors assess.

Evidence type, with an example artifact for each:

  • Policy documentation: Records Management Policy defining record categories, retention periods, ownership, and destruction procedures
  • Retention schedule: Documented schedule mapping record types to statutory retention periods with legal citations
  • Access control evidence: Role-based access matrix for record repositories with quarterly access review logs
  • Backup and recovery records: Automated backup configuration, restore test results from the last 12 months, off-site storage attestation
  • Integrity verification: Cryptographic hash logs or WORM storage configuration for immutable audit trails
  • Secure destruction records: Certificates of destruction for records past retention, secure erasure verification logs
  • Encryption documentation: Encryption standards applied to records at rest and in transit, key management procedures including key archival
  • Training records: Staff completion records for records management awareness training

Cross-framework mapping

Control 5.33 maps to equivalent requirements across major compliance frameworks. This mapping is particularly useful for organizations maintaining multiple certifications or transitioning between standards.

Framework and equivalent control(s), with the coverage each provides for 5.33:

  • National Institute of Standards and Technology (NIST) SP 800-53: AC-3 (Access Enforcement). Full.
  • NIST SP 800-53: AU-9 (Protection of Audit Information). Full.
  • NIST SP 800-53: CP-9 (System Backup). Full.
  • NIST SP 800-53: SC-8 (Transmission Confidentiality and Integrity). Full.
  • NIST SP 800-53: SC-28 (Protection of Information at Rest). Full.
  • NIST SP 800-53: SC-28(1) (Cryptographic Protection). Full.
  • SOC 2 trust services criteria: CC6.1 (Logical and Physical Access Controls). Partial.
  • CIS Controls v8.1: Control 3 (Data Protection). Partial.
  • NIST CSF 2.0: PR.DS (Data Security). Partial.
  • Digital Operational Resilience Act (DORA) (EU): Article 12 (Backup policies and procedures, restoration and recovery procedures and methods). Partial.

The NIST 800-53 mappings are marked as full coverage because, taken together, these controls address every dimension of record protection that 5.33 requires: access enforcement, audit-log protection, backup, and confidentiality and integrity both in transit and at rest. SOC 2, CIS, NIST CSF, and DORA provide partial coverage, meaning they address the same risk domain but with different scope or specificity. Organizations using these frameworks in combination can satisfy the overlapping requirements through a single control implementation.

Control 5.33 operates within a network of related controls. Understanding these connections helps teams implement record protection as part of a coherent security program rather than in isolation.

Related control, with its relationship to 5.33:

  • 5.10 Acceptable use of information and other associated assets: Governs how records are used day-to-day
  • 5.12 Classification of information: Classification drives the protection level applied to each record category
  • 5.13 Labelling of information: Labels ensure records are handled according to their classification
  • 5.14 Information transfer: Protects records during transmission between systems or parties
  • 5.31 Legal, statutory, regulatory and contractual requirements: Defines the retention obligations that 5.33 enforces
  • 5.34 Privacy and protection of PII: Personally Identifiable Information (PII) records require additional protections under 5.33
  • 8.10 Information deletion: Secure deletion procedures for records past their retention period
  • 8.11 Data masking: Protects sensitive record content during testing or analysis
  • 8.24 Use of cryptography: Encryption mechanisms referenced by 5.33 for records at rest and in transit

Frequently asked questions

What is ISO 27001 5.33?

ISO 27001 control 5.33 requires organizations to protect records from loss, destruction, falsification, unauthorized access, and unauthorized release throughout their retention period. It covers all record types, including audit logs, contracts, financial data, and HR files, and mandates that protection aligns with legal, regulatory, and contractual obligations.

What happens if 5.33 is not implemented?

Without record protection controls, organizations risk producing tampered or incomplete evidence during audits, failing regulatory inspections, and losing legal defensibility in disputes. Ransomware targeting unprotected backup systems can destroy years of operational records. Missing retention schedules may also violate data protection laws like the General Data Protection Regulation (GDPR), compounding regulatory exposure.

How do you audit 5.33?

Auditors verify that a documented records management policy exists, retention schedules align with legal requirements, access controls restrict record repositories to authorized personnel, and teams test backup and restore procedures regularly. They will request sample records from prior periods to confirm retrievability and check that secure destruction procedures are followed for expired records.

How UpGuard helps with record protection

Record protection depends on visibility into the workforce behaviors that undermine it. Shadow SaaS applications, compromised credentials, and risky permissions create gaps in record protection controls that traditional tools miss.

  • User Risk: Discovers hidden workforce risks including Shadow SaaS usage, compromised credentials from third-party breaches, and over-permissioned application access that can expose protected records. User Risk synthesizes these signals into prioritized risk scores and delivers real-time coaching to drive measurable behavior change.
