M5.2.3 - PROTECTION OF ORGANIZATIONAL RECORDS Implementation Guidance
The entity shall protect important records from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements.
Records should be categorized into record types, e.g. accounting records, database records, transaction logs, audit logs, and operational procedures, each with details of retention periods and type of storage media. Any related cryptographic keying material and programs associated with encrypted archives or digital signatures should also be retained, so that the records can be decrypted and their signatures verified for as long as the records themselves are retained.
Consideration should be given to the possibility of deterioration of the media used for storage of records. Storage and handling procedures should be implemented in accordance with the manufacturer's recommendations. For long-term storage, the use of paper and microfiche should be considered. Where electronic storage media are chosen, procedures to ensure the ability to access the data (both media and format readability) throughout the retention period should be included, to safeguard against loss due to future technology change.
Data storage systems should be chosen such that required data can be retrieved in an acceptable timeframe and format, depending on the requirements to be fulfilled.
The system of storage and handling should ensure clear identification of records and of their retention period as defined by national or regional legislation or regulations, if applicable. This system should permit appropriate destruction of records after that period if they are not needed by the entity.
To meet these record safeguarding objectives, the following steps should be taken within an entity:
- A. Guidelines should be issued on the retention, storage, handling, and disposal of records and information
- B. A retention schedule should be drawn up identifying records and the period of time for which they should be retained
- C. An inventory of sources of key information should be maintained
- D. Appropriate controls should be implemented to protect records and information from loss, destruction, and falsification
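The following is an added example, not part of the guidance text, showing two checks a practitioner can derive from steps B through D: a retention schedule in which each record type carries its retention period and storage medium, with a check that the cryptographic key material an encrypted or signed record depends on remains available until the end of that record's retention period; and an HMAC seal over archived records so that falsification is detected on retrieval. The record types, dates, key identifiers and key bytes are constructed sample values, not the entity's own.

```python
"""Added example: a minimal records-retention register with a keying-material
coverage check and an integrity seal over archived records.
All record types, dates and keys below are constructed sample data."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RecordType:
    name: str
    retention_years: int
    medium: str                  # e.g. "paper", "microfiche", "WORM disk"
    key_id: str | None = None    # key material needed to decrypt or verify


@dataclass(frozen=True)
class KeyMaterial:
    key_id: str
    secret: bytes
    available_until: date        # date after which the key is destroyed


# Constructed retention schedule (step B) and key inventory (step C).
KEYS = {
    "k-2024": KeyMaterial("k-2024", b"constructed-sample-key", date(2030, 1, 1)),
}
RECORD_TYPES = [
    RecordType("accounting records", 10, "WORM disk", key_id="k-2024"),
    RecordType("transaction logs", 5, "WORM disk", key_id="k-2024"),
    RecordType("audit logs", 7, "WORM disk", key_id="k-archive"),  # key not inventoried
    RecordType("operational procedures", 3, "paper"),            # no key needed
]


def keying_gaps(types, keys, created: date) -> list[str]:
    """Return the names of record types whose key material is missing from the
    inventory or would be destroyed before the record's retention period ends."""
    gaps = []
    for rt in types:
        if rt.key_id is None:
            continue  # plain paper/microfiche record: nothing to decrypt
        retain_until = created + timedelta(days=365 * rt.retention_years)
        km = keys.get(rt.key_id)
        if km is None or km.available_until < retain_until:
            gaps.append(rt.name)
    return gaps


def _canonical(record: dict) -> bytes:
    # Canonical JSON so the same record always produces the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: KeyMaterial) -> dict:
    """Attach an HMAC-SHA256 tag to a record before it is archived (step D)."""
    tag = hmac.new(key.secret, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "key_id": key.key_id, "tag": tag}


def verify(sealed: dict, keys) -> bool:
    """Recompute the tag on retrieval; any change to the record fails the check."""
    key = keys.get(sealed["key_id"])
    if key is None:
        return False  # key material not retained: record cannot be trusted
    expected = hmac.new(key.secret, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


if __name__ == "__main__":
    print("retention periods not covered by key material:",
          keying_gaps(RECORD_TYPES, KEYS, date(2024, 1, 1)))
    archived = seal({"id": 1, "amount": 100}, KEYS["k-2024"])
    tampered = {**archived, "record": {"id": 1, "amount": 200}}
    print("original verifies:", verify(archived, KEYS))
    print("tampered verifies:", verify(tampered, KEYS))
```

The coverage check uses a 365-day year for simplicity; a production register would also record the medium's expected life against the retention period (the deterioration concern above) and log each disposal once the period has elapsed.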