© ISO 2016
Information and documentation — Records management — Part 1: Concepts and principles
Information et documentation — Gestion des documents d’activité — Partie 1: Concepts et principes
INTERNATIONAL STANDARD ISO 15489-1
Second edition 01 6-04-1
Reference number ISO 15489-1:2016(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Ch de Blandonnet • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents

Foreword
Introduction
Scope
Normative references
Terms and definitions
Principles for managing records
Records and records systems
  General
  Records
    General
    Characteristics of authoritative records
    Metadata for records
  5.3 Records systems
    General
    5.3.2 Characteristics of records systems
6 Policies and responsibilities
  6.1 General
  6.2 Policies
  6.3 Responsibilities
  6.4 Monitoring and evaluation
  6.5 Competence and training
Appraisal
  7.1 General
  7.2 Scope of appraisal
  7.3 Understanding the business
  7.4 Determining records requirements
  7.5 Implementing records requirements
Records controls
  8.1 General
  8.2 Metadata schemas for records
  8.3 Business classification schemes
  8.4 Access and permissions rules
  8.5 Disposition authorities
Processes for creating, capturing and managing records
  9.1 General
  9.2 Creating records
  9.3 Capturing records
  9.4 Records classification and indexing
  9.5 Access control
  9.6 Storing records
  9.7 Use and reuse
  9.8 Migrating and converting records
  9.9 Disposition
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about
ISO’s adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/TC 46, Information and documentation, Subcommittee SC 11, Archives/records management.

This second edition cancels and replaces the first edition (ISO 15489-1:2001), which has been technically revised.

ISO 15489 consists of the following parts, under the general title Information and documentation — Records management:
— Part 1: Concepts and principles
— Part 2: Guidelines [Technical Report]

Introduction

This part of ISO 15489 establishes the core concepts and principles for the creation, capture and management of records. It sits at the heart of a number of International Standards and Technical Reports that provide further guidance and instruction on the concepts, techniques and practices for creating, capturing and managing records.

About records and managing records

Records are both evidence of business activity and information assets. They can be distinguished from other information assets by their role as evidence in the transaction of business and by their reliance on metadata. Metadata for records is used to indicate and preserve context and apply appropriate rules for managing records.

Managing records encompasses the following:
a) creating and capturing records to meet requirements for evidence of business activity;
b) taking appropriate action to protect their authenticity, reliability, integrity and useability as their business context and requirements for their management change over time.

NOTE Reference to “business activity” or “business activities” in this part of ISO 15489 is interpreted broadly to mean those activities that support the purposes of the organization’s existence. Functions, activities, transactions and work processes are representations of particular forms of “business activity” and are defined in
Clause.

Increasingly, records are made and kept in digital environments, offering a range of opportunities for new kinds of use and reuse. Digital environments also allow greater flexibility in the implementation of records controls, within and between systems that manage records. Changing models of business are extending responsibilities for records beyond traditional organizational and jurisdictional boundaries. This requires records professionals to understand and meet a diverse range of internal and external stakeholder needs. These can include increased expectations of transparency of decision-making from business and government, the general public, customers, users of services, records’ subjects, and others with an interest in how records are created, captured and managed.

NOTE In this International Standard (all parts), the phrase “creation, capture and management” is used to summarize the management of records as a whole. It is inclusive of the act of receipt of a record and of the range of records processes described in this part of ISO 15489.

With these environmental factors in mind, this part of ISO 15489 has been developed with an acknowledgement of the following:
a) the roles of records as enablers of business activity and information assets;
b) increased opportunities for records use and reuse in the digital environment;
c) systems and rules for the creation, capture and management of records that need to extend beyond traditional organizational boundaries, such as in collaborative and multi-jurisdictional work environments;
d) records controls that can be independent of other components of records systems;
e) the importance of recurrent analysis of business activity and context to identify what records need to be created and captured, and how they should be managed over time;
f) the importance of risk management in devising strategies for managing records and the management of records as a risk management strategy in itself.

While the concepts and
principles of this part of ISO 15489 apply across varied business and technological environments, these environments can require different approaches to the implementation of records controls, processes and systems. This part of ISO 15489 is not intended to provide detailed implementation advice for specific environments in which records are created, captured and managed. Rather, it defines key concepts and establishes high-level principles from which records controls, processes and systems for managing records in any environment may be developed.

Advice on the design and implementation of controls, processes and systems for managing records in these different environments is addressed in subsequent part(s) and in other International Standards and Technical Reports.

Benefits

Approaches to the creation, capture and management of records based on the concepts and principles in this part of ISO 15489 ensure that authoritative evidence of business is created, captured, managed and made accessible to those who need it, for as long as it is required. This enables the following:
a) improved transparency and accountability;
b) effective policy formation;
c) informed decision-making;
d) management of business risks;
e) continuity in the event of disaster;
f) the protection of rights and obligations of organizations and individuals;
g) protection and support in litigation;
h) compliance with legislation and regulations;
i) improved ability to demonstrate corporate responsibility, including meeting sustainability goals;
j) reduction of costs through greater business efficiency;
k) protection of intellectual property;
l) evidence-based research and development activities;
m) the formation of business, personal and cultural identity;
n) the protection of corporate, personal and collective memory.

Policies, assigned responsibilities and procedures for the creation, capture and management of records support organizational
information governance programs.

Relationship to other standards

This part of ISO 15489 is designed as a self-contained resource. However, it is also part of a family of International Standards and Technical Reports on a range of aspects of the creation, capture and management of records. These are listed in the Bibliography and may be consulted for more detailed advice on particular aspects of managing records.

The management of records in line with this International Standard (all parts) is fundamental to a successful Management System for Records (MSR), the management system defined by the ISO 30300 series of International Standards. An MSR links the management of records to organizational success and accountability by establishing a framework comprising policy, objectives and directives for records. It establishes requirements for the following:
a) defined roles and responsibilities;
b) systematic processes;
c) monitoring and evaluation;
d) review and improvement.

Managers and others seeking to implement, operate and improve an MSR are advised to use this part of ISO 15489 in conjunction with the ISO 30300 series of International Standards.

Scope

This part of ISO 15489 defines the concepts and principles from which approaches to the creation, capture and management of records are developed. This part of ISO 15489 describes concepts and principles relating to the following:
a) records, metadata for records and records systems;
b) policies, assigned responsibilities, monitoring and training supporting the effective management of records;
c) recurrent analysis of business context and the identification of records requirements;
d) records controls;
e) processes for creating, capturing and managing records.

This part of ISO 15489 applies to the creation,
capture and management of records regardless of structure or form, in all types of business and technological environments, over time.

Normative references

There are no normative references.

NOTE This part of ISO 15489 is designed as a self-contained resource, meaning there are no documents which are indispensable for its application.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

access
right, opportunity, means of finding, using or retrieving information

activity
major task performed by a business entity as part of a function (3.11)

3.3 agent
individual, workgroup or organization responsible for, or involved in, record creation, capture and/or records management processes
[SOURCE: ISO 23081-1:2006, 1]
Note to entry: Technological tools such as software applications can be considered agents if they routinely perform records processes.

business classification scheme
tool for linking records to the context of their creation

classification
systematic identification and/or arrangement of business activities and/or records into categories according to logically structured conventions, methods, and procedural rules

conversion
process of changing records from one format to another

destruction
process of eliminating or deleting a record, beyond any possible reconstruction

disposition
range of processes associated with implementing records retention, destruction (3 ) or transfer decisions which are documented in disposition authorities (3.9) or other instruments

disposition authority
instrument that defines the disposition (3 ) actions that are authorized for specified records

3.10 evidence
documentation of a transaction (3.18)
[SOURCE: ISO 30300:2011, ]
Note to entry: This is proof of a business transaction which can be shown to have been created in the normal course of business activity and which is inviolate and
complete. It is not limited to the legal sense of the term.

3.11 function
group of activities that fulfils the major responsibilities for achieving the strategic goals of a business entity

3.12 metadata for records
structured or semi-structured information, which enables the creation, management, and use of records through time and within and across domains
[SOURCE: ISO 23081-2:2007, ]

3.13 migration
process of moving records from one hardware or software configuration to another without changing the format
[SOURCE: ISO 30300:2011, 8]

3.14 record(s)
information created, received and maintained as evidence (3.10) and as an asset by an organization or person, in pursuit of legal obligations or in the transaction (3.18) of business

Policies and responsibilities

6.1 General

Policies and responsibilities should support the fulfilment of requirements for the creation, capture and management of records and the design, use and management of records systems.

In order to ensure that records systems meet identified records requirements (see 7.4), policies and responsibilities should specify responsibilities and authorizations for the following:
a) records creators;
b) those involved in the management of the records;
c) other users of records systems.

Policies should be supported by procedures that provide more specific instructions on the creation, capture and management of records.

Monitoring and evaluation measures should be put in place to determine whether or not identified records requirements are being met, and, if not, where corrective action is required (see 6.4).

Policies, procedures and the operation of records systems should be supported by training (see ).

6.2 Policies

Policies on the management of records should be developed, documented and implemented.

Policies should be derived from business objectives
and supported by business rules or procedures for managing records. The development of policies should be informed by an understanding of business context (see 3), as well as requirements for records relevant to the scope of the policy (see 7.4).

The objective in issuing and implementing policies on managing records should be the creation, capture and management of authentic, reliable and useable records that possess integrity and support and enable business activity for as long as they are required.

Policies should include a statement about scope, such as which aspect(s) of managing records they cover, applicable standards and auditing requirements, and should also indicate the business activities to which the policy pertains.

Policies should address required actions in the event of the termination of business processes. These may include decommissioning of records systems and allocation of resources to enable migration (see 9.8) and disposition of records (see 9.9) as appropriate.

Policies should define where legislation, regulations, standards, other mandates and best practices affect the creation, capture or management of records.

Policies should be authorized and endorsed at an appropriate decision-making level and should be promulgated internally and externally as appropriate. Responsibility for policies and for ensuring compliance with policies should be assigned (see 3).

Policies should be regularly reviewed to ensure they reflect current business needs. Policies should state the interval at which they should be reviewed, and who is responsible for the review. Superseded policies are records and should be retained and managed as such.

6.3 Responsibilities

Responsibilities and authorizations for the creation, capture and management of records should be defined, assigned and promulgated.

Decisions about creating, capturing
and managing records are business decisions informed by identified records requirements and an assessment of risk (see Clause ). Decisions should be authorized by the relevant business manager and documented.

Responsibilities should be designated to all personnel who create and use records as part of their work, and be reflected in job descriptions and similar statements, where appropriate. Designation of the responsible individuals may be assigned by law.

Specific leadership responsibility for the management of records should be assigned to a person with appropriate authority, such as a senior manager.

Designations of responsibilities may include the following:
a) records professionals are wholly or partly responsible for aspects of managing records including the design, implementation and maintenance of records systems and their operations, and for training users on their responsibilities and records systems operations as they affect individual practices;
b) records professionals or others responsible for managing records are responsible for developing, implementing and maintaining metadata schemas and other controls, in association with other personnel, such as information technology professionals, business managers and legal professionals;
c) senior managers are responsible for ensuring support for the development and implementation of policies on the management of records;
d) managers are responsible for ensuring that requirements for records of work processes conducted in their business areas are met;
e) systems administrators are responsible for ensuring continuous and reliable operation of records systems under their control and for ensuring that all systems documentation is complete and up to date;
f) all personnel are responsible and accountable for creating and keeping accurate and complete records of their business activities.

6.4 Monitoring and evaluation

Criteria should be established to monitor and evaluate records policies, systems, procedures and
processes. The creation, capture and management of records should be regularly monitored and evaluated with the involvement and support of records professionals, information technology professionals, legal professionals, auditors, business managers and senior managers as appropriate.

Monitoring and evaluation should be designed to ensure that:
a) records systems and processes are implemented according to authorized policies and business requirements;
b) records systems and processes operate as defined and designed;
c) changes to records requirements are met; and
d) there is continuous improvement in the management of records.

Systems and processes provided by third party providers should also be monitored and evaluated, using contractual requirements relating to the management of records as evaluation criteria.

The design of a monitoring and evaluation program should:
a) assign responsibility for monitoring and evaluation activities;
b) determine what needs to be monitored and evaluated;
c) define methods for measuring, monitoring, analysis and evaluation to ensure valid results;
d) determine when monitoring and evaluation should be performed;
e) determine when monitoring results should be analysed and evaluated; and
f) assign responsibilities for devising appropriate corrective actions.

Monitoring and evaluation of the creation, capture and management of records may be integrated into existing monitoring cycles or carried out separately. Monitoring and evaluation may be undertaken, wholly or in part, by external bodies.

Modifications to records policies, systems and processes should be made if these are found to be unsuitable or ineffective.

Records of monitoring and evaluation activities should be created, captured and managed.

6.5 Competence and training

People with assigned responsibilities relating to the creation, capture and management of records should be competent to perform these tasks. Competence should be
regularly evaluated and training programs to develop and improve such competencies and skills should be designed and implemented where required.

The training program should be ongoing and include training on requirements, policies, practices, roles and responsibilities for managing records, and should be addressed to all members of management and personnel, as well as any other individuals responsible for any part of business activity involving the creation, capture and management of records.

To maintain necessary competence of records professionals and others responsible for managing records, there should be training and other professional development on the core competencies for managing records.

Training on the creation, capture and management of records should be built into existing training programs where possible. The training program should include contractors, volunteers and personnel of other organizations where relevant. The training program should be supported and promoted by senior managers.

Appraisal

7.1 General

Appraisal is the process of evaluating business activities to determine which records need to be created and captured and how long the records need to be kept.

NOTE This International Standard (all parts) expands traditional usages for the term “appraisal” to include analysis of business context, business activities and risk to enable decision making on what records to create and capture, and how to ensure the appropriate management of records over time.

Appraisal combines an understanding of business context with the identification of requirements for evidence of business that should be met through records. This involves the following:
a) developing an understanding of the nature of the business and its legal, resourcing and technological setting;
b) using risk assessment to determine what records should be created and how they should be managed to meet the range of applicable
requirements. This involves assessing
1) the risks affecting the business generally, and
2) risks that can be managed through the creation, capture and management of records.

Appraisal should be carried out in cooperation with internal stakeholders and, where required, external stakeholders.

Appraisal should be documented. This includes keeping records of the following:
a) any sources consulted in conducting the analysis, including documentary sources and interviews with stakeholders;
b) the results of risk assessments;
c) the appraisal decisions.

Where required, appraisal decisions should be authorized by a senior manager.

The results of appraisal may be used for a range of purposes, including the design and implementation of records systems (see ), the development of policy and procedures (see Clause ), the definition of metadata requirements (see 3) and/or the development of records controls such as disposition authorities (see ) or access and permissions rules (see 8.4).

Appraisal should be repeated as the circumstances of the business activity and risk factors change.

7.2 Scope of appraisal

The scope of appraisal should be determined by considering the reason(s) for conducting it. Reasons for conducting appraisal may include the following:
a) establishment of a new organization;
b) losing or gaining functions or activities;
c) changing business practices or needs;
d) changes to the regulatory environment;
e) the introduction of new systems or system upgrades;
f) changing perceptions of risk or priorities.

The scope of appraisal should also be determined by identifying the functions, activities or work processes affected by the reason for conducting appraisal.

7.3 Understanding the business

Appraisal requires an understanding of the organization and its business activities, including but not limited to the following:
a) internal and external factors affecting the organization’s operations, behavior and strategic direction;
b) operational, legal and other requirements;
c) resourcing and use of technologies;
d) internal and external stakeholder requirements;
e) risks to be managed;
f) an understanding of the business activity’s internal and external contexts;
g) an analysis of functions undertaken and work processes carried out, using the techniques of functional and/or sequential analysis;
h) identification of the internal and external agents involved in the business activity.

Understanding the organization responsible for the business should include identifying whether it comprises a number of organizations working collaboratively or independently in more than one industry, sector, jurisdiction and/or geographical region.

7.4 Determining records requirements

Records requirements are requirements for evidence of business activity.

Records requirements are based on an analysis of business activity and its context (see 3), and are derived from the following:
a) business needs;
b) legal and regulatory requirements;
c) community or societal expectations.

Records requirements can pertain to any records process (see Clause ). They can include requirements concerning content and metadata, linkages with other records, and/or form or structure.

Records requirements may apply to whole functions, industries or jurisdictions, or they may apply only to specific functions, activities, work processes or transactions. Records requirements are context-dependent, meaning that similar or identical work processes may have different records requirements depending on the nature of the business they document.

Identified requirements should be linked to particular functions, activities or work processes, appropriate to the scope of the appraisal (see 2).

7.5 Implementing records requirements

Records requirements may be implemented through records systems, records controls, policies on managing records and procedures, or a combination of these. Implementation should be supported by assigning roles and
responsibilities, training, monitoring of the operation of systems and monitoring compliance with policies and procedures (see Clause 6).

Methods for implementing records requirements should be determined with reference to the business setting, and by taking into particular account organizational capacity in terms of resources and skills, and the nature of the information and records systems in use.

Decisions about implementing identified records requirements should be based on an assessment of risks balanced against resource implications. Requirements with more significant risks should be addressed with a greater investment of resources and additional monitoring and evaluation measures.

Monitoring and evaluation (see 6.4) should test whether records requirements are being met, and if they are not, the evaluation should state the appropriate corrective action(s) to ensure that they are met in the future.

Records requirements and decisions on how to fulfil them should be documented. Decisions not to comply with identified requirements should be authorized by a senior manager of the organization.

Records requirements should be regularly reviewed as part of the recurrent process of appraisal.