Introduction:
The protection of organizational records is an essential aspect of information security.
A.18.1.3 of the ISO 27001 standard outlines the requirements for the protection of records.
The standard calls for a policy on records management that covers control requirements such as classification, categorization, record types, retention periods, allowable storage media on which they are stored, cryptographic keys, and digital signatures of such records.
It is important to ensure that important organizational records are protected from loss, destruction, falsification, unauthorized access, and release in accordance with statutory, regulatory, contractual, and business requirements.
Sample Checklist:
- Is there a policy on records management that covers control requirements such as classification, categorization, record types, retention periods, allowable storage media on which they are stored, cryptographic keys, and digital signatures of such records?
- Are important organizational records protected from loss, destruction, falsification, unauthorized access, and release in accordance with statutory, regulatory, contractual, and business requirements?
- Are storage/archival arrangements in place to take account of the possibility of media deterioration (e.g., controlled storage conditions, periodic integrity checks, and/or transfer to fresh media)?
- Is appropriate long-life storage media used for long-term storage?
- Are the storage locations secure and protected from unauthorized access?
- Is access to records restricted to authorized personnel only?
- Is there a process for disposing of records that are no longer required, and is it compliant with statutory and regulatory requirements?
- Are records that contain sensitive information (e.g., personally identifiable information, financial information) encrypted or protected by other suitable means?
Conclusion:
In conclusion, protecting organizational records is essential for maintaining information security.
A.18.1.3 of the ISO 27001 standard provides guidelines for the protection of records.
To ensure compliance with A.18.1.3, it is necessary to have a policy on records management that covers control requirements such as classification, categorization, record types, retention periods, allowable storage media on which they are stored, cryptographic keys, and digital signatures of such records.
It is important to ensure that important organizational records are protected from loss, destruction, falsification, unauthorized access, and release in accordance with statutory, regulatory, contractual, and business requirements.
The checklist provided can be used as a guide to assess compliance with the standard.