A.5.33 Protection of Records
What is this control?
ISO 27001 control A.5.33 Protection of Records requires that organisational records are protected from loss, destruction, falsification, unauthorised access and unauthorised release, in line with the legal, regulatory, contractual and business requirements that apply to them. Here it is met with a hybrid retention schedule that is technically enforced in Microsoft Purview: records are protected by access controls, by immutability (retention labels configured as records, published under retention policies with Preservation Lock) and by periodic backups. Retention periods follow the applicable legal requirements, which for financial, legal, and HR records means 7 years.
How to implement in Microsoft 365
Implement A.5.33 by configuring Purview retention policies for the M365 locations in scope (SharePoint, Exchange, Teams and the other workloads holding records) so that content is kept for the scheduled period even when no label has been applied; Teams chat and channel messages need a policy of their own, as they cannot share a policy with other workloads and cannot take retention labels. For records that must be immutable (financial, legal, HR), create Purview retention labels configured as records (regulatory records where edits and deletion must be blocked for everyone, administrators included), publish them through a label policy, and apply Preservation Lock to that policy so it cannot later be disabled, narrowed or shortened. Preservation Lock is irreversible, so validate the policy on a pilot location before locking it. Set the Microsoft Sentinel Log Analytics workspace retention to at least 365 days for security logs; Sentinel-enabled workspaces default to 90 days.
Deploy AvePoint Cloud Backup for M365 and Acronis Cloud Backup for on-premises records as the last line of defence: retention and immutability stop deletion inside the service, while backups restore records after tenant-level loss or a ransomware event. Protect records from unauthorised access through A.5.15 (Conditional Access) and A.5.12 (Sensitivity Labels). Discourage paper records and digitise essential documents so that they fall under the same controls.
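The steps above, as an added PowerShell example that is not part of the original page or of any vendor's documentation. It uses the Security & Compliance PowerShell cmdlets (ExchangeOnlineManagement module) and Az.OperationalInsights; the label and policy names, the resource group and workspace names, and 2555 as the number of days in 7 years are assumptions to adapt to your tenant and retention schedule.

```powershell
# Added example: configure A.5.33 retention, record labels, Preservation Lock and Sentinel retention.
# Assumed names throughout; requires Install-Module ExchangeOnlineManagement, Az.OperationalInsights.

Connect-IPPSSession                  # Security & Compliance PowerShell (Purview)

$sevenYearsDays = 2555               # assumption: 7 x 365 days; align with your schedule's leap-day convention
$recordLabels   = @('Financial Record - 7y', 'Legal Record - 7y', 'HR Record - 7y')

# Regulatory record labels: labelled content cannot be edited or deleted by anyone, admins included,
# and the label cannot be removed. The tenant flag below is a one-time, irreversible change.
Set-RegulatoryComplianceUI -Enabled $true
foreach ($name in $recordLabels) {
    if (-not (Get-ComplianceTag -Identity $name -ErrorAction SilentlyContinue)) {
        New-ComplianceTag -Name $name -Comment 'A.5.33 record, 7-year legal retention' `
            -RetentionAction Keep -RetentionType CreationAgeInDays -RetentionDuration $sevenYearsDays `
            -IsRecordLabel $true -Regulatory $true | Out-Null
    }
}

# Label policy: publishes the record labels to Exchange, SharePoint, OneDrive and Microsoft 365 Groups.
# Teams messages cannot take retention labels, so Teams is covered by its own retention policy below.
$labelPolicy = 'A.5.33 Record Labels'
New-RetentionCompliancePolicy -Name $labelPolicy -ExchangeLocation All -SharePointLocation All `
    -OneDriveLocation All -ModernGroupLocation All | Out-Null
New-RetentionComplianceRule -Policy $labelPolicy -PublishComplianceTag ($recordLabels -join ',') | Out-Null

# Baseline retention policy: keeps content for 7 years even where nobody applied a label.
$basePolicy = 'A.5.33 Baseline Retention'
New-RetentionCompliancePolicy -Name $basePolicy -ExchangeLocation All -SharePointLocation All `
    -OneDriveLocation All -ModernGroupLocation All | Out-Null
New-RetentionComplianceRule -Policy $basePolicy -RetentionComplianceAction Keep `
    -ExpirationDateOption CreationAgeInDays -RetentionDuration $sevenYearsDays | Out-Null

# Teams chat and channel messages must be in a policy that contains no other workload.
$teamsPolicy = 'A.5.33 Teams Retention'
New-RetentionCompliancePolicy -Name $teamsPolicy -TeamsChannelLocation All -TeamsChatLocation All | Out-Null
New-RetentionComplianceRule -Policy $teamsPolicy -RetentionComplianceAction Keep `
    -RetentionDuration $sevenYearsDays | Out-Null

# Preservation Lock. IRREVERSIBLE: afterwards a policy can only be made stricter (longer retention,
# more locations); it cannot be disabled, deleted or narrowed, even by a Global Administrator.
foreach ($p in $labelPolicy, $basePolicy, $teamsPolicy) {
    Set-RetentionCompliancePolicy -Identity $p -RestrictiveRetention $true
}

# Sentinel: raise the Log Analytics workspace retention to at least 365 days
# (Sentinel-enabled workspaces default to 90). $rg and $ws are assumed names.
Connect-AzAccount | Out-Null
$rg = 'rg-security'; $ws = 'law-sentinel-prod'
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws
if ($workspace.RetentionInDays -lt 365) {
    Set-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws -RetentionInDays 365 | Out-Null
}
```

Run the label and policy creation without the Preservation Lock loop first, confirm distribution has succeeded and that a test item labelled as a record refuses deletion, and only then lock the policies; a locked policy with a typo in its scope can only be widened, never corrected downwards.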
What an auditor looks for
Auditors will verify that Purview retention policies are configured and applied to all in-scope M365 locations, with a distribution status of success rather than pending or error. They will check that financial, legal, and HR records carry retention labels configured as records, published under a policy on which Preservation Lock is enabled. They will verify that the Microsoft Sentinel Log Analytics workspace retention setting is 365 days or more, including any per-table retention that overrides the workspace setting.
They will check the AvePoint and Acronis backup job configuration, schedules and coverage, together with evidence that restores have been tested. They will verify evidence of immutability enforcement, for example an export or screenshot showing that a labelled record is locked and that a deletion attempt is refused, for the full retention period.
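The Purview and Sentinel checks above can be gathered as audit evidence with the following added PowerShell script, which is not part of the original page. It reads the tenant's current state and lists every gap it finds; the label name pattern, the 7-year figure in days, and the resource group and workspace names are assumptions. Backup job evidence from AvePoint and Acronis has to be exported from those products and is not covered here.

```powershell
# Added example: collect A.5.33 evidence and flag gaps. Names and thresholds are assumptions.
Connect-IPPSSession
Connect-AzAccount | Out-Null

$minRecordDays = 2555                                       # assumed 7-year retention in days
$findings      = [System.Collections.Generic.List[string]]::new()

# 1. Every retention policy must be enabled, fully distributed and under Preservation Lock.
foreach ($p in Get-RetentionCompliancePolicy -DistributionDetail) {
    if (-not $p.Enabled)                     { $findings.Add("Policy '$($p.Name)' is disabled") }
    if ($p.DistributionStatus -ne 'Success') { $findings.Add("Policy '$($p.Name)' distribution status: $($p.DistributionStatus)") }
    if (-not $p.RestrictiveRetention)        { $findings.Add("Policy '$($p.Name)' has no Preservation Lock") }
}

# 2. Financial, legal and HR labels must be record labels that keep content for at least 7 years.
#    RetentionDuration is 'Unlimited' or a day count as a string, so compare carefully.
foreach ($t in Get-ComplianceTag | Where-Object { $_.Name -match 'Financial|Legal|HR' }) {
    if (-not $t.IsRecordLabel) { $findings.Add("Label '$($t.Name)' is not configured as a record") }
    if ($t.RetentionAction -eq 'Delete') { $findings.Add("Label '$($t.Name)' deletes without a keep period") }
    if ($t.RetentionDuration -ne 'Unlimited' -and [int]$t.RetentionDuration -lt $minRecordDays) {
        $findings.Add("Label '$($t.Name)' retains $($t.RetentionDuration) days, below $minRecordDays")
    }
}

# 3. Sentinel workspace retention must be 365 days or more.
$rg = 'rg-security'; $ws = 'law-sentinel-prod'                # assumed names
$w = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws
if ($w.RetentionInDays -lt 365) {
    $findings.Add("Workspace '$ws' retention is $($w.RetentionInDays) days, below 365")
}

# Report: an empty list is the pass condition; keep the dated output as the audit artefact.
if ($findings.Count -eq 0) { "A.5.33 technical checks PASS ($(Get-Date -Format u))" }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

The workspace check only covers the workspace-wide setting; where individual Log Analytics tables have been given their own shorter retention, those overrides need to be reviewed separately, since they take precedence over the workspace value.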