RELATIONSHIP BETWEEN THE ISO SERIES OF STANDARDS AND OTHER PRODUCTS OF ISO/TC 46/SC 11: 1. Records processes and controls 2012

Transcription

1 RELATIONSHIP BETWEEN THE ISO SERIES OF STANDARDS AND OTHER PRODUCTS OF ISO/TC 46/SC 11: Records processes and controls White paper written by ISO TC46/SC11- Archives/records management Date: March PURPOSE This paper explains the relationship between the first two management systems for records (MSR) standards and the related standards and technical reports produced by ISO TC46/SC11 Archives/Records Management. The first two products are: ISO 30300:2011. Information and documentation Management systems for records - Fundamentals and vocabulary ISO 30301:2011. Information and documentation Management systems for records Requirements This paper clarifies how the related technical products can be used to support/implement the MSR standard/s, and attempts to show the interrelationship between the two with regard to records processes and controls. 2 BACKGROUND On November 2011 the two first products of the ISO Standards series Management systems for records were published. The ISO series offers the methodology to implement an MSR based on a systematic approach to the creation and management of records, aligned with organizational objectives and strategies. ISO 30300:2011 MSR - Fundamentals and vocabulary explains the rationale behind the creation of an MSR, the guiding principles for its successful implementation, and provides the terminology which ensures that it is compatible with other management systems standards. ISO 30301:2011 MSR - Requirements specifies the requirements necessary to develop a records policy. It also sets objectives and targets for an organization to implement systemic improvements. This is achieved through designing records processes and systems, estimating the appropriate allocation of resources, and establishing benchmarks to monitor, measure and evaluate outcomes. These steps help to ensure that corrective action can be taken and

2 continuous improvements are built into the system in order to support an organization in achieving its mandate, mission, strategy and goals. Many questions were raised about the relationship, similarities and differences between ISO and other Standards and Technical Reports developed by ISO TC46/SC11 during the development process and since its publication. The previously published products are aimed at the records professional community, whereas the ISO series has been developed primarily for a management audience. 3 MAIN CONCEPTS 3.1 MANAGEMENT SYSTEMS FOR RECORDS In general, the word system is used to describe different concepts and ideas and requires interpretation to be placed in the context in which it is being used. In the records domain, system is also used for a set of three related, but different concepts. The first clarification needed is what is a Management system for records? The following table provides the meaning of system within the MSR framework, shows the three different levels in which the word system could be used, and indicates how the concept is identified at the three levels in ISO and ISO System levels in records domain System level in a MSR Named in ISO series as: Named in ISO as: Set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives related to records MSR Not named. Out of scope System/programme that regulates the creation, reception, maintenance, use and disposition of records Records processes controls and Records programme Information system which captures, manages and provides access to records over time Records system Records system Illustration 1

3 3.2 STRATEGIC AND OPERATIONAL LEVEL Management systems for records (MSR) are based on a continuous improvement approach which is common to other management systems such as ISO 9000, ISO MSR is intended to build a framework to manage records at the strategic level. Strategic level Management system for records ( (ISO & ISO 30301) Records management ( ISO & 2) Records processes (ISO Work process analysis ISO Digitization ISO Metadata) Records system (ISO ) Operational level Relationships of ISO MSR series products and ISO series products ( Source: Xiaomi An, November 12, 2011 The Second National Forum on Electronic Records Management, Beijing, China ) Illustration 2 The operational elements of a MSR are described as Records Processes and Controls in the normative Annex A of ISO This Annex is strongly linked to ISO (the foundation standard of ISO TC46/SC11) and the best practices described in ISO have been converted into requirements for the Operation section (section 8 + Annex A). In a MSR framework, the design of records processes and controls is based on the records policy and objectives, after the assessment of risks. The Operation section of ISO establishes requirements for the implementation of records processes and controls in records systems.

4 TC46/SC11. Archives/records management Implementation of records processes in records systems Best practices of converted to requirements: Annex A Records systems mainly IT systems for both paper/electronic records Design of record processes in an MSR environment Policy Objectives Risks Processes Controls Carlota Bustelo. Convenor of WG9- Management systems for records. Requirements carlota@carlotabustelo.com Source: Carlota Bustelo and Judith Ellis. What is ISO 30300? Who, when, where, why and how Judith Ellis. Convenor of WG08. Management systems for records. Fundamentals and vocabulary judithellis@enterpriseknowledge.com.au to implement. Innova.doc. Barcelona (Spain), October Terms and Definitions Illustration 3 ISO defines terms and definitions applicable to the MSR standards. It contains some terms that are identical to or adapted from ISO plus other terms. A separate white paper will be available on the terminology used specifically in the MSR series of standards.

5 4 RELATIONSHIPS ISO ANNEX A / OTHER STANDARDS AND TECHNICAL REPORTS Controls in Annex A of are directly related to the technical information provided in the related standards. For a complete understanding a full reading of these technical standards is recommended. The following table is a guidance tool that links the MSR Control requirements from ISO to the most relevant clauses where technical information can be found in each related standards and technical reports. Other information related to a particular requirement can be found within other clauses that are not specifically highlighted here, as records processes and controls are often interrelated. The technical information can be used to implement the operational elements necessary to meet the MSR requirements. ISO TC46/SC11 standards and technical reports referred in the following table ISO : Information and documentation Records management General ISO/TR : Information and documentation Records management Guidelines ISO/TR 26122: Information and documentation -- Work process analysis for records ISO : Information and documentation Records management processes Metadata for records ISO : Information and documentation Records management processes Metadata for records Conceptual and implementation issues ISO/TR 13028: Information and documentation Implementation guidelines for digitization of records ISO :2010. Information and documentation Principles and functional requirements for records in electronic office environments -- Part 1: Overview and statement of principles ISO : Information and documentation Principles and functional requirements for records in electronic office environments -- Part 2: Guidelines and functional requirements for digital records management systems ISO :2010. Information and documentation Principles and functional requirements for records in electronic office environments -- Part 3: Guidelines and functional requirements for records in business systems

6 A All operational, reporting, audit and other stakeholders' needs for information (captured as records with appropriate metadata) about the organization's processes shall be identified and documented systematically.. Cl. 9.1 Determining documents to be captured into a records system - ISO Cl Determining documents to be captured into a records system - ISO/TR Cl. 4.2 Records dimension of work process analysis - ISO Cl. 5.1 Records management metadata that should be applied in the organization - ISO Cl. 3.1 Records related principles Cl Create -ISO Cl. 2.3 Determining needs for evidence of events, transactions and decisions in business systems A A Requirements for creating, capturing and managing records, and decisions not to capture records for specific processes, shall be determined based on business, legal and other requirements, documented and authorized. Records shall be created at the time of (or soon after) the transaction or incident to which they relate by individuals who have direct knowledge of the facts or by instruments routinely used by the organization to conduct the transaction.. Cl. 9.1 Determining documents to be captured into a records system Cl. 5 Regulatory environment,. Cl Determining documents to be captured into a records system Cl. 3.2 Design and implementation of a records system - ISO Cl. 5.1 Records management metadata that should be applied in the organization - ISO/TR Cl. 6.3 Digitization process management. Cl. 9.1 Determining documents to be captured into a records system. Cl Determining documents to be captured into a records system -ISO

7 Cl Metadata at the point of record capture -ISO Cl Metadata capture A A A A A A procedure shall be established to determine retention periods for records according to the requirements of each work process. Decisions about retention and disposition of records based on business, legal and other identified requirements shall be documented in a disposition schedule. Methods of integrating the capture of records with business processes shall be decided upon and documented. The information needed to identify the records of each work process, including identifying the section of the organization responsible for those records and the work process, shall be determined and documented as part of the records requirements. The points at which the information is captured in or added to the records and from what sources shall be identified in the procedures for each work process.. Cl. 9.2 Determining how long to retain records Cl Determining how long to retain records. Cl. 9.2 Determining how long to retain records Cl Records disposition authority Cl Determining how long to retain records. Cl. 7.1 Principles of records management programmes Cl Create -ISO Cl. 3.1 Creating records in context CI. 8.4 Design and implementation methodology CI Documenting records management processes. Cl. 3.2 Design and implementation of a records system - ISO/TR Cl. All Cl. 9.3 Records capture Capture -ISO

8 Cl Metadata at the point of record capture Cl Metadata after record capture -ISO Cl Metadata capture A A A The information, and the form and structure of the information, required as records for each work process, shall be identified and documented. Technologies for creating and capturing records shall be selected for each work process (whether automated or manual). The selection and any change of technologies shall be documented. For work processes which require evidence of capture, a procedure for registering records by attaching a unique identifier at the time of capture shall be implemented. The procedure shall ensure that no transactions involving the record can take place before registration is completed. A The records shall be grouped (classified) according to the Cl. 7.2 Characteristics of a record Cl Identification of requirements for records - ISO Cl. 8 Metadata model for managing records -ISO Cl Storage in specified formats Cl. 8.3 Designing and implementing records systems 8.5 Discontinuing records systems Cl Design of a records system Cl Create - ISO Cl. 3.1 Creating records in context CI. 9.4 Registration Cl Register - ISO Cl Registration ISO Cl Identification - unique identifiers

9 work processes to which they are related. Cl. 9.5 Classification Cl Business activity classification Cl Classification - ISO Cl. 8.4 Metadata structures - ISO Cl. 7.1 Aggregations -ISO Cl Records aggregations Cl Classification -ISO Cl Records classification A The scheme for grouping (classifying) the records reflecting the nature, number and complexity of the work processes of the organization shall be documented (including changes over time) and implemented as part of the procedures of those work processes. Cl. 9.5 Classification Cl Business activity classification -ISO Cl Business classification scheme A The descriptive and control information (metadata elements) required to create and control the records for each work process shall be identified and documented. Cl. 9.3 Records capture Cl. 9.4 Registration Cl. 9.5 Classification Cl. 9.8Tracking -ISO /TR Cl Capture Cl Registration Cl Access and security classification Cl Use and tracking -ISO/TR 26122

10 Cl. 4.2 Records dimension of work process analysis Cl General Cl Outcomes of the analysis of the sequence of transactions in a process Cl. 7.9 Outcomes of the analysis of the links to other processes -ISO Cl. All -ISO Cl. All -ISO/TR Cl Metadata A A Records processes which need to be recorded in metadata linked to the record event history shall be defined. Procedures shall be established to link the event history to the records and to maintain it for as long as the records themselves. Decisions about what metadata are required to identify, manage and control records throughout the organization, and externally, shall be documented and implemented. Cl. 9.8 Tracking Cl Use and tracking -ISO Cl Metadata after record capture Cl. 8.3 Points throughout the existence of records when metadata should be created and applied - ISO Cl. 9.4 Event plan metadata Cl. 9.5 Event history metadata -ISO Cl Records management process metadata Cl. 9.3 Records capture Cl. 9.4 Registration Cl. 9.5 Classification Cl. 9.8 Tracking Cl Vocabulary Cl Development of security and access classification

11 Cl Capture Cl Registration Cl Access and security classification Cl Use and tracking -ISO Cl. All -ISO Cl. All -ISO/TR Cl All digitised images should be assigned metadata to document digitising processes and to support ongoing business processes A A Rules shall be established for regulating access to records based on work process requirements, relevant legislation and, if appropriate, commercial considerations. These shall be documented and maintained for as long as the records are required. The access rules shall be implemented in the records systems by assigning access status to both records and individuals. Cl Integrity Cl Access, retrieval and use Cl Principal instruments Cl Security and access classification scheme Cl Access and security classification -ISO/TR Cl. 4.2 Records dimension of work process analysis Cl Access, retrieval and use Cl Principal instruments Cl Security and access classification scheme Cl Access and security classification - ISO Cl Metadata supporting the security of records -ISO Cl Maintain

12 A Procedures shall be implemented to ensure the integrity/security of the records and to prevent unauthorized use, modification, removal, concealment and/or destruction. Cl Authenticity Cl Integrity Cl Access, retrieval and use Cl Continuing retention Cl Security and access classification scheme Cl Access and security classification Cl Records storage decisions Cl Use and tracking -ISO Cl. 5 Purpose of records management metadata Cl Authenticity and fixity of metadata - ISO Cl Purposes of metadata for managing records -ISO TR Cl All digitised images should be assigned metadata to document digitising processes and to support ongoing business processes -ISO Cl Maintain -ISO Cl Online security processes A The means of maintaining/storing the records shall meet the relevant standards for the medium and technology used in order to ensure they remain useable for as long as required. Cl Distributed management Cl. 9.6 Storage and handling -ISO Cl Records storage decisions Cl Digital storage Cl Continuing retention Cl Transfer of custody or ownership of records -ISO TR 13028

13 CI Storage media and procedures should be defined, documented and implemented A A A Procedures shall be established and implemented to ensure that digital records remain accessible and meaningful over time, also outside the context of their creation. Restrictions, including use of encryption, shall be removed after a stated period Procedures shall be established for reviewing, authorizing and implementing decisions on retention and disposition of the records of each work process.. Cl Usability Cl Conversion and migration Cl Continuing retention -ISO Cl. 11 Implementing metadata for managing records -ISO TR Cl Digitised records should be managed in a way that allows their continued existence for as long as they are required -ISO Cl Migration, export and destruction ISO Cl. 3.3 Supporting import, export and interoperability. Cl. 9.7 Access Cl Security and access classification scheme - ISO Cl Metadata supporting the security of records -ISO Cl Maintain Cl Retention and disposition Cl. 9.2 Determining how long to retain records Cl. 9.9 Implementing disposition - ISO Cl Records disposition authority - ISO/TR 26122

14 Cl. All - ISO Cl. 9.6 Metadata about records management processes - ISO Cl. 9.4 Event plan metadata Cl Creating metadata for managing records Cl Metadata as control tools for managing records Cl Appraisal - ISO/TR Cl. 6.5 Records disposition - ISO Cl. 3 Guiding principles Cl. 5.6 Retention and disposition - ISO Cl. 3.4 Retaining and disposing of records as required A A Decisions about the transfer, removal or destruction of records shall be authorized and documented. Procedures for authorized and controlled transfer of records to another organization or system shall be Cl. 9.9 Implementing disposition Cl Implementation of disposition - ISO/TR Cl. 6.5 Records disposition - ISO Cl. 3 Guiding principles Cl. 5.6 Retention and disposition - ISO Cl. 3.3 Supporting import, export and interoperability Cl. 3.4 Retaining and disposing of records as required

15 established and implemented. Cl. 9.9 Implementing disposition Cl Implementation of disposition -ISO Cl Metadata after record capture - ISO Cl Appraisal Cl Transferring records - ISO/TR Cl. 6.5 Records disposition - ISO Cl. 3 Guiding principles Cl. 5.6 Retention and disposition - ISO Cl. 3.4 Retaining and disposing of records as required - ISO (to be published) Cl. all A Procedures for authorized, regular removal of records which are no longer required, including removal to off-site or off-line storage, shall be established and implemented. Cl. 8.5 Discontinuing records Systems Cl. 9.6 Storage and handling Cl. 9.9 Implementing disposition Cl Implementation of disposition - ISO/TR Cl. 6.5 Records disposition - ISO Cl. 3 Guiding principles Cl. 5.6 Retention and disposition

16 - ISO Cl. 3.4 Retaining and disposing of records as required A A A Records authorized for destruction shall be destroyed under appropriate supervision. The destruction shall be documented. Where the nature and complexity of the business and formal accountabilities require it, control information (registration, identification and history metadata) about records which have been destroyed shall be retained. All records systems (including business systems which keep records) shall be clearly identified, assigned to a responsible owner and documented in an inventory which is regularly updated. Cl. 9.9 Implementing disposition Cl Implementation of disposition - ISO Cl. 3 Guiding principles Cl. 5.6 Retention and disposition - ISO Cl. 3.4 Retaining and disposing of records as required Cl. 9.9 Implementing disposition - ISO Cl Implementation of disposition - ISO Cl Metadata after record capture - ISO Cl Appraisal ISO Cl. 3 Guiding principles Cl. 5.6 Retention and disposition - ISO Cl. 3.4 Retaining and disposing of records as required Cl Record metadata -ISO Cl Step D: Assessment of existing systems -ISO

17 Cl. 2 Good practice: digital records and the role of software A A Implementation decisions on records systems shall be documented, maintained and made available to all users who need them. Rules shall be established, documented and maintained for regulating access to records systems in order to undertake system administration tasks. -ISO Cl Step G: Implementation of a records system -ISO/TR Cl. 6.4 Management systems -ISO Cl. 4 Implementation issues -ISO Cl Access controls Cl Establishing security control Cl Assigning security levels -ISO Cl Online security processes A Procedures for operational maintenance shall be established to ensure records systems' availability. -ISO Appendices B. Integrating records considerations into the systems development life cycle A A A Regular monitoring of the performance of records systems against business requirements and records objectives shall be implemented and documented. Procedures shall be provided to ensure and demonstrate that any system malfunction, upgrade or regular maintenance does not affect records integrity. Changes in records systems, particularly exceptional operations (such as migration, integration of new requirements, computer technology change or discontinuation), shall be analysed, planned and implemented. Decisions made shall be documented. -ISO Cl Step H: Post-implementation review Cl. 8.2 Records systems characteristics ISO Cl Back-up and recovery - ISO Implementation Cl. 8.5 Discontinuing records systems -ISO (to be published). Cl. all