If you’re paying close attention to ISO27001 and read it carefully, you’ll see that the only place the word ‘records’ appears is in Annex A control, A5.33.  Up to now we’ve almost focused all our attention on information security and data. 

It would be useful to think of Data as the building blocks upon which we derive information. Data is individual characters, numbers, symbols, or multimedia elements, that brought together becomes information.  We often visualise Data as the scattered pieces of a jigsaw puzzle.  Individually, they don’t tell us anything.

Data becomes Information as we put pieces together and build a picture of a person, company or a community. For example, Your name alone could be considered as Data, but your name along with your address is information; I know who you are and where you live. Add to this other pieces of data and the information becomes increasingly valuable.  Again, we can visualise this as building the jigsaw, focusing on one section to build up a part of the puzzle so we know how it looks. It’s not the entire the picture, and we don’t know everything. But we can make some assumptions at this point.

Finally, we have records. This is information in context, and presented in a meaningful format or way so that we have a complete understanding of a topic, person, company or community.  This is the completed jigsaw puzzle.  We know its size, shape and context.

What does the standard require?

The standard states that “Records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release.” (A5.33 – Protection of Records).

Why is this required?

If the protection of individual data elements is important, then the protection of complete records should be of equal importance.  Imagine for a moment that due to a system error, your Doctors surgery exposed your name, email address and last appointment.  This would be unfortunately and is certainly a data breach.

But now imagine that they discover it was in fact your entire medical history that was exposed. All your medical records shared with your local community. This would be a severe data breach and would most likely cause you considerable distress and anxiety.

You can replace the fictional Doctors surgery, and medical records mentioned above with any other form of data and records. From banking to your shopping and browsing history, the release of a complete picture of what you do or who you are, would be a severe data breach and could be seriously damaging.

We worked with a large law firm who, when archiving completed cases would place all the physical records in storage. This required the boxes to be collected and taken by courier to a storage facility. On auditing the process we discovered that prior to collection, boxes (around 10 at a time) would be in the reception area for up to 3 or 4 hours.  This wasn’t’ acceptable, so we changed the process.

What the auditor is looking for

The auditor will be looking at various controls that evidence you are considering the protection of data, which ultimately leads to the development of records.

This includes evidence of;

• Data Retention Policies – (A5.1 – Information Security Policies)

• Classification and treatment of data (A5.12 – Classification of Information)

• Controls around how information is transferred (A5.14 - Information transfer)

• Managing access to data (A5.15 – Access Control)

• Assigning appropriate access rights (A5.18 – Access Rights)

• Handing incidents effectively (A5.24 - Information security incident management planning and preparation)

• Protection of Personal Data (A5.34 - Privacy and protection of PII)  

Of course they will want to see that technical controls are in place too, and audits are conducted to evidence that the controls are operating as expected.

What do you need to do?

This is possibly one of the easiest controls to work with due to the fact that you simply need to evidence all the other controls are in place.  Review the list above and ask if you have missed anything? 

For example, when transferring complete records, are the controls the same? Are there additional controls you need to put in place? In the example provided above in the law firm, we changed the process so that files were not stored in an unsecure area prior to collection.

As always, don’t over complicate this. If you’re acting diligently with data and information, then the protection of records should be relatively simple to achieve.

Q & A

Do I need a policy?

No, you don’t need a policy for the protection of records, but you should be able to evidence this control is being catered for by the various other policies, procedures and activities taking place.

Are there any records that need special attention?

Only you can answer this, and in truth you should have already considered this when you looked at Annex A control, A5.12 – Classification of Information.  In reality, you will most likely have some records which need special consideration, and these are personal records, such as health and financial records. If you process this kind of data, then you’ll most likely have records that need to be handled with care.

Difficulty rating

We rate this a 1 out of 5 difficulty rating. This control requires no real technical skill, and if you have implemented the other controls diligently and conscientiously then you should find that you can evidence compliance with this control relatively easily.

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”which is available on Amazon.