Control 5.33: Protection of Records
Summary
Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release, in accordance with legislative, regulatory, contractual, and business requirements. This ensures the long-term integrity and availability of essential organizational data.
Applicability
In-Scope: Critical for meeting legal retention requirements (e.g., tax laws, employment records, and regulatory filings). It is essential for proving compliance during audits or legal proceedings.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Retention Policies: Use Microsoft Purview Data Lifecycle Management to configure retention labels that prevent the deletion of specific records for a defined period (e.g., 7 years).
- Immutability: Apply Retention Locks to sensitive record categories to ensure that even administrators cannot delete or modify the data until the retention period expires.
- Integrity Monitoring: Enable Microsoft Purview Audit to maintain a tamper-evident record of who accessed or modified specific files.
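The three measures above can be applied and evidenced from Security & Compliance PowerShell. The script below is an added example written for this page, not Microsoft documentation or text from the control itself. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds Compliance Administrator rights; the policy name, rule name and export paths are placeholders. The retention duration is expressed in days because the cmdlets take days, not years.

```powershell
# Added example for Control 5.33 (not Microsoft's reference code).
# Assumptions: ExchangeOnlineManagement module installed; caller has
# Compliance Administrator rights. Policy/rule names and paths are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession        # Security & Compliance PowerShell (Microsoft Purview)

$PolicyName    = 'Records-Retention-7Y'   # placeholder policy name
$RetentionDays = 7 * 365 + 2              # 7 years incl. two leap days = 2557

# 1. Retention policy: scope it to Exchange, SharePoint and OneDrive. Create once.
if (-not (Get-RetentionCompliancePolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $PolicyName `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
        -Comment 'Control 5.33: retain records 7 years; no automatic deletion'
}

# 2. Rule: "Keep" retains content for the period and takes no delete action,
#    so disposal stays a separate, reviewed step (see Destruction Certificates).
New-RetentionComplianceRule -Name "$PolicyName-Rule" -Policy $PolicyName `
    -RetentionDuration $RetentionDays -RetentionComplianceAction Keep

# 3. Immutability: RestrictiveRetention is the preservation lock. It is irreversible;
#    once set, no administrator can remove the policy or shorten the period.
#    The cmdlet prompts for confirmation, which is intentional here.
Set-RetentionCompliancePolicy -Identity $PolicyName -RestrictiveRetention $true

# 4. Evidence for the auditor: active policies (with lock state) and their rules.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, RestrictiveRetention, DistributionStatus |
    Export-Csv -Path .\retention-policies.csv -NoTypeInformation   # placeholder path
Get-RetentionComplianceRule -Policy $PolicyName |
    Select-Object Name, RetentionDuration, RetentionComplianceAction |
    Export-Csv -Path .\retention-rules.csv -NoTypeInformation      # placeholder path

# 5. Integrity monitoring: confirm unified audit logging is on, then export the
#    last 30 days of file deletions and modifications as tamper-evident history.
Connect-ExchangeOnline
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType SharePointFileOperation -Operations FileDeleted, FileModified `
    -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations, ObjectId |
    Export-Csv -Path .\record-changes-30d.csv -NoTypeInformation    # placeholder path
```

Step 3 deserves a pause before running it: the lock cannot be undone, so the policy scope and duration should be agreed with the record owners and checked against the retention schedule first. The CSV exports from steps 4 and 5 map directly onto the Retention Logs item in the evidence checklist.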
Evidence Checklist
- Records Retention Schedule: A document defining how long different categories of records must be kept and when they should be destroyed.
- Retention Logs: Reports from Microsoft Purview showing active retention policies and labels.
- Destruction Certificates: Records showing that outdated data was securely disposed of in accordance with the retention policy.
Practical Audit Advice
Here are some questions the auditor might ask:
- How did the organization determine the retention periods for different types of sensitive business records?
- In the event of a system failure, how do you ensure that archived records remain accessible and readable?
- What process is in place to ensure that records are securely destroyed once their retention period has ended?
- Can you provide evidence that your critical records are protected against unauthorized modification or deletion?