Protection of Records
Ensure records are safe from loss, damage, falsification, and unauthorised access.
Plain language
This control is about keeping important records safe and accurate. Imagine losing important documents like contracts or employee records due to damage or hacking. This could lead to serious legal and business issues, so it's crucial to protect these records from being lost, changed, or accessed by unauthorised people.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
Why it matters
Loss or falsification of records can lead to severe legal liabilities and inability to demonstrate compliance or operational continuity.
Operational notes
Audit record access logs, run integrity checks, and ensure backups meet retention policies to prevent unauthorised access, loss, or tampering.
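The integrity check mentioned above can be made concrete with a hash manifest: record a digest of every record when it is filed, authenticate the manifest so it cannot itself be quietly edited, and later re-hash the store to find altered, missing or unexpected records. The following is an added example written for this page, not code from Control Stack or from ISO/IEC 27001; it assumes records are plain files under one directory and that the HMAC key is held apart from the records share (both assumptions).

```python
# Added example (not from the Control Stack page or ISO/IEC 27001): a minimal
# integrity check for a records store. Assumptions: records are files under one
# root directory; the manifest is stored away from the records and authenticated
# with an HMAC key kept in a separate secret store.
import hashlib
import hmac
import json
import os
import tempfile

HASH = "sha256"


def _file_digest(path):
    # Stream the file so large records do not need to fit in memory.
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each record path (relative to root, POSIX separators) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _file_digest(full)
    return manifest


def sign_manifest(manifest, key):
    """Serialise deterministically and attach an HMAC over the serialisation."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "hmac": hmac.new(key, body, HASH).hexdigest()}


def verify_signed_manifest(signed, key):
    """True only if the manifest has not been changed since it was signed."""
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, HASH).hexdigest()
    return hmac.compare_digest(expected, signed["hmac"])


def verify_records(root, manifest):
    """Re-hash the store and report falsified, lost and unexpected records."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: three records filed, then one altered, one deleted, one added."""
    key = b"constructed-demo-key-real-keys-belong-in-a-secret-store"
    samples = [
        ("contracts/c-001.txt", "contract A"),
        ("hr/emp-42.txt", "employee 42"),
        ("hr/emp-43.txt", "employee 43"),
    ]
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples:
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
        signed = sign_manifest(build_manifest(root), key)
        assert verify_signed_manifest(signed, key)

        # Simulate falsification, loss and an undocumented file appearing.
        with open(os.path.join(root, "hr/emp-42.txt"), "a") as f:
            f.write(" (altered)")
        os.remove(os.path.join(root, "hr/emp-43.txt"))
        with open(os.path.join(root, "contracts/c-999.txt"), "w") as f:
            f.write("not in manifest")
        report = verify_records(root, signed["manifest"])

        # Editing the stored digest to hide the alteration must also be caught.
        tampered = dict(signed)
        tampered["manifest"] = {**signed["manifest"], "hr/emp-42.txt": "0" * 64}
        manifest_ok = verify_signed_manifest(tampered, key)
        return report, manifest_ok


if __name__ == "__main__":
    print(demo())
```

The report from a scheduled run of this check, together with the signed manifest and the access logs, is the kind of evidence an auditor can use to confirm that records have not been lost or falsified between reviews.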
Implementation tips
- IT managers should create a secure system for storing records. This means using reliable software that keeps data safe and makes backups regularly, ensuring that records can be recovered if something goes wrong.
- HR departments must set clear rules for who can access different types of personnel records. This involves setting permissions in the system so only authorised staff can view and alter sensitive information.
- Legal teams need to establish a retention policy aligning with Australian laws like the Privacy Act 1988. They should define how long records should be kept based on legal requirements and ensure they're disposed of securely once they're no longer needed.
- Office managers should ensure proper physical storage conditions for paper records. This includes using fireproof cabinets and controlling access to storage areas to prevent damage or unauthorised access.
- Senior management should oversee the implementation of a training program for employees. This program should inform staff about the importance of handling records securely and the procedures they should follow.
Audit / evidence tips
- Ask for the organisation's records retention schedule
- Good setup includes regular, automated backups with an easy recovery process that is periodically tested
- Ask to see the access control policy for records
  Good policy tightly controls access with regular audits and documented logs showing who accessed which records and when
- Good program includes comprehensive materials and shows high participation from relevant staff
- Ask for documentation on the disposal process of obsolete records
  Good process ensures confidential destruction of no longer needed records in compliance with legal and organisational standards
Cross-framework mappings
How Annex A 5.33 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| E8-RA-ML2.8 | E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion | |
| E8-AH-ML2.13 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion to preserve their integrity for detection an... | |
| Supports (1) | | |
| E8-RB-ML1.6 | Annex A 5.33 requires records to be protected against loss, destruction, falsification, unauthorised access and unauthorised release | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-0407 | Annex A 5.33 requires records to be protected from loss, destruction, falsification, unauthorised access and unauthorised release | |
| ISM-1586 | ISM-1586 mandates keeping logs to record all imports and exports of data, which ensures evidentiary records of transfers | |
| Supports (7) | | |
| ISM-0316 | Annex A 5.33 requires records to be protected from unauthorised release and from loss/destruction across their lifecycle | |
| ISM-0371 | Annex A 5.33 requires records to be protected from unauthorised access and unauthorised release, including during end-of-life handling | |
| ISM-0373 | Annex A 5.33 requires records be protected from loss, destruction, falsification, unauthorised access and unauthorised release across the... | |
| ISM-1059 | Annex A 5.33 requires protection of records against unauthorised access and unauthorised release as well as loss and falsification | |
| ISM-1080 | ISM-1080 requires that encryption of media uses an AACA or high assurance algorithm, reducing the likelihood that stored records can be a... | |
| ISM-1814 | Annex A 5.33 requires protection of records from loss and destruction as well as unauthorised changes | |
| ISM-1989 | Annex A 5.33 requires records to be protected from loss and destruction, which includes having appropriate retention and preservation arr... | |
| Related (2) | | |
| ISM-1815 | Annex A 5.33 requires records to be protected from loss, destruction, falsification, unauthorised access and unauthorised release | |
| ISM-1985 | Annex A 5.33 requires records to be protected from loss, destruction, falsification, unauthorised access and unauthorised release | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.