relationship between the iso 30300 series of...

RELATIONSHIP BETWEEN THE ISO 30300 SERIES OF STANDARDS AND OTHER PRODUCTS OF ISO/TC 46/SC 11: 1. Records processes and controls 2012

RELATIONSHIP BETWEEN THE ISO 30300 SERIES OF STANDARDS AND OTHER PRODUCTS

OF ISO/TC 46/SC 11: Records processes and controls

White paper written by ISO TC46/SC11- Archives/records management

Date: March 2012

1 PURPOSE

This paper explains the relationship between the first two management systems for records

(MSR) standards and the related standards and technical reports produced by ISO TC46/SC11 –

Archives/Records Management.

The first two products are:

ISO 30300:2011. Information and documentation – Management systems for records -

Fundamentals and vocabulary

ISO 30301:2011. Information and documentation – Management systems for records –

Requirements

This paper clarifies how the related technical products can be used to support/implement the

MSR standard/s, and attempts to show the interrelationship between the two with regard to

records processes and controls.

2 BACKGROUND

On November 2011 the two first products of the ISO Standards series 30300 - Management

systems for records were published.

The ISO 30300 series offers the methodology to implement an MSR based on a systematic

approach to the creation and management of records, aligned with organizational objectives

and strategies.

ISO 30300:2011 MSR - Fundamentals and vocabulary explains the rationale behind the

creation of an MSR, the guiding principles for its successful implementation, and provides the

terminology which ensures that it is compatible with other management systems standards.

ISO 30301:2011 MSR - Requirements specifies the requirements necessary to develop a

records policy. It also sets objectives and targets for an organization to implement systemic

improvements. This is achieved through designing records processes and systems, estimating

the appropriate allocation of resources, and establishing benchmarks to monitor, measure and

evaluate outcomes. These steps help to ensure that corrective action can be taken and


continuous improvements are built into the system in order to support an organization in

achieving its mandate, mission, strategy and goals.

Many questions were raised about the relationship, similarities and differences between ISO

15489-2001 and other Standards and Technical Reports developed by ISO TC46/SC11 during

the development process and since its publication. The previously published products are

aimed at the records professional community, whereas the ISO 30300 series has been

developed primarily for a management audience.

3 MAIN CONCEPTS

3.1 MANAGEMENT SYSTEMS FOR RECORDS

In general, the word “system” is used to describe different concepts and ideas and requires

interpretation to be placed in the context in which it is being used. In the records domain,

“system” is also used for a set of three related, but different concepts. The first clarification

needed is what is a “Management system for records”? The following table provides the

meaning of “system” within the MSR framework, shows the three different levels in which the

word “system” could be used, and indicates how the concept is identified at the three levels in

ISO 30300 and ISO 15489.

System levels in records domain System level in a MSR

Named in ISO

30300 series as:

Named in ISO

15489 as:

Set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives related to records

MSR Not named. Out of scope

System/programme that regulates the creation, reception, maintenance, use and disposition of records

Records processes and controls

Records programme

Information system which captures, manages and provides access to records over time

Records system Records system

Illustration 1


3.2 STRATEGIC AND OPERATIONAL LEVEL

Management systems for records (MSR) are based on a continuous improvement approach

which is common to other management systems such as ISO 9000, ISO 14000. MSR is intended

to build a framework to manage records at the strategic level.

Management system for records（ (ISO 30300 & ISO 30301)

Records management ( ISO 15489 1 & 2)Records system

(ISO 16175 1-3)

Strategic level

Operational level

Relationships of ISO MSR series products and ISO 15489 series products( Source: Xiaomi An, November 12, 2011 The Second National Forum on Electronic Records Management, Beijing, China )

Records processes(ISO 26122 Work process analysisISO 13028 DigitizationISO 23081 1-3 Metadata)

Illustration 2

The “operational” elements of a MSR are described as Records Processes and Controls in the

normative Annex A of ISO 30301. This Annex is strongly linked to ISO 15489 (the foundation

standard of ISO TC46/SC11) and the best practices described in ISO 15489 have been

converted into requirements for the Operation section (section 8 + Annex A). In a MSR

framework, the design of records processes and controls is based on the records policy and

objectives, after the assessment of risks. The Operation section of ISO 30301 establishes

requirements for the implementation of records processes and controls in records systems.


TC46/SC11. Archives/records management

Carlota Bustelo. Convenor of WG9- Management systems for records. Requirements e-mail:[email protected]

Judith Ellis . Convenor of WG08. Management systems for records. Fundamentals and vocabulary e-mail: [email protected]

Implementation of records processes in records systems

Policy Objectives Risks Processes Controls

Design of record processes in an MSR environment

Best practices of 15489 converted to

requirements: Annex A 30301

Records systems mainly IT systems for both paper/electronic

records

Source: Carlota Bustelo and Judith Ellis. What is ISO 30300? Who, when, where, why and how to implement. Innova.doc. Barcelona (Spain), October 2011

Illustration 3

3.3 Terms and Definitions

ISO 30300 defines terms and definitions applicable to the MSR standards. It contains some

terms that are identical to or adapted from ISO 15489-1 plus other terms.

A separate white paper will be available on the terminology used specifically in the MSR series

of standards.


4 RELATIONSHIPS ISO 30301 ANNEX A / OTHER STANDARDS AND TECHNICAL REPORTS

Controls in Annex A of 30301 are directly related to the technical information provided in the related standards. For a complete understanding a full reading of these technical standards is recommended. The following table is a guidance tool that links the MSR ‘Control’ requirements from ISO 30301 to the most relevant clauses where technical information can be found in each related standards and technical reports. Other information related to a particular requirement can be found within other clauses that are not specifically highlighted here, as records processes and controls are often interrelated. The technical information can be used to implement the operational elements necessary to meet the MSR requirements.

ISO TC46/SC11 standards and technical reports referred in the following table

ISO 15489-1: 2001. Information and documentation — Records management —General

ISO/TR 15489-2: 2001. Information and documentation — Records management — Guidelines

ISO/TR 26122: 2008. Information and documentation -- Work process analysis for records

ISO 23081-1: 2006. Information and documentation – Records management processes – Metadata for records

ISO 23081-2: 2009. Information and documentation – Records management processes – Metadata for records—Conceptual and implementation issues

ISO/TR 13028: 2010. Information and documentation – Implementation guidelines for digitization of records

ISO 16175-1:2010. Information and documentation – Principles and functional requirements for records in electronic office environments -- Part 1: Overview and statement of principles

ISO 16175-2: 2011. Information and documentation – Principles and functional requirements for records in electronic office environments -- Part 2: Guidelines and functional requirements for digital records management systems

ISO 16175-3:2010. Information and documentation – Principles and functional requirements for records in electronic office environments -- Part 3: Guidelines and functional requirements for records in business systems


Code Control Technical information in…

A.1.1.1 All operational, reporting, audit and other stakeholders' needs for information (captured as records with appropriate

metadata) about the organization's processes shall be identified and documented systematically.

- ISO 15489-1.

Cl. 9.1 Determining documents to be captured into a records system

- ISO 15489-2.

Cl. 4.2.4.2 Determining documents to be captured into a records system

- ISO/TR 26122

Cl. 4.2 Records dimension of work process analysis

- ISO 23081-1

Cl. 5.1 Records management metadata that should be applied in the organization

- ISO 16175-1

Cl. 3.1 Records related principles

- ISO 16175-2

Cl. 4.3.1 Create

-ISO 16175-3

Cl. 2.3 Determining needs for evidence of events, transactions and decisions in business

systems

A.1.1.2 Requirements for creating, capturing and managing records, and decisions not to capture records for specific

processes, shall be determined based on business, legal and other requirements, documented and authorized.

- ISO 15489-1.


Cl. 5 Regulatory environment,

- ISO/TR 15489-2.


Cl. 3.2 Design and implementation of a records system

- ISO 23081-1

Cl. 5.1 Records management metadata that should be applied in the organization

- ISO/TR 13028

Cl. 6.3 Digitization process management

A.1.1.3 Records shall be created at the time of (or soon after) the

transaction or incident to which they relate by individuals who have direct knowledge of the facts or by instruments

routinely used by the organization to conduct the transaction.

- ISO 15489-1.


- ISO/TR 15489-2.


-ISO 23081-1


Code Control Technical information in… Cl. 5.3.1 Metadata at the point of record capture

-ISO 23081-2

Cl. 11.3 Metadata capture

A.1.1.4 A procedure shall be established to determine retention periods for records according to the requirements of each

work process.

- ISO 15489-1.

Cl. 9.2 Determining how long to retain records

-ISO/TR 15489-2

Cl. 4.2.4.3 Determining how long to retain records

A.1.1.5 Decisions about retention and disposition of records based

on business, legal and other identified requirements shall be documented in a disposition schedule.

- ISO 15489-1.


-ISO/TR 15489-2

Cl. 4.2.4Records disposition authority

Cl. 4.2.4.3 Determining how long to retain records

A.1.1.6 Methods of integrating the capture of records with business processes shall be decided upon and documented.

- ISO 15489-1.

Cl. 7.1 Principles of records management programmes

- ISO 16175-2

Cl. 4.3.1 Create

-ISO 16175-3

Cl. 3.1 Creating records in context

A 1.2.1 The information needed to identify the records of each work process, including identifying the section of the

organization responsible for those records and the work process, shall be determined and documented as part of

the records requirements.

- ISO 15489-1

CI. 8.4 Design and implementation methodology

CI. 9.10 Documenting records management processes

- ISO/TR 15489-2.

Cl. 3.2 Design and implementation of a records system

- ISO/TR 26122

Cl. All

A 1.2.2 The points at which the information is captured in or added

to the records and from what sources shall be identified in the procedures for each work process.

- ISO 15489-1

Cl. 9.3 Records capture

- ISO/TR 15489-2

4.3.2 Capture

-ISO 23081-1


Code Control Technical information in… Cl. 5.3.1 Metadata at the point of record capture

Cl. 5.3.2 Metadata after record capture

-ISO 23081-2

Cl. 11.3 Metadata capture

A 1.3.1 The information, and the form and structure of the

information, required as records for each work process, shall be identified and documented.

- ISO 15489-1

Cl. 7.2 Characteristics of a record

- ISO/TR 15489-2

Cl. 3.2.4 Identification of requirements for records

- ISO 23081-1

Cl. 8 Metadata model for managing records

-ISO 23081-2

Cl. 11.10.2 Storage in specified formats

A 1.4.1 Technologies for creating and capturing records shall be selected for each work process (whether automated or

manual). The selection and any change of technologies shall be documented.

- ISO 15489-1

Cl. 8.3 Designing and implementing records systems

8.5 Discontinuing records systems

- ISO/TR 15489-2

Cl. 3.2.7 Design of a records system

- ISO 16175-2

Cl. 4.3.1 Create

- ISO 16175-3

Cl. 3.1 Creating records in context

A 2.1.1 For work processes which require evidence of capture, a procedure for registering records by attaching a unique

identifier at the time of capture shall be implemented. The procedure shall ensure that no transactions involving the

record can take place before registration is completed.

- ISO 15489-1

CI. 9.4 Registration

- ISO/TR 15489-2

Cl. 4.3.3 Register

- ISO 23081-2

Cl. 11.5 Registration

ISO 16175-2

Cl. 4.3.1.5 Identification - unique identifiers

A 2.1.2 The records shall be grouped (classified) according to the - ISO 15489-1


Code Control Technical information in… work processes to which they are related.

Cl. 9.5 Classification

- ISO/TR 15489-2

Cl. 4.2.2 Business activity classification

Cl. 4.3.4 Classification

- ISO 23081-1

Cl. 8.4 Metadata structures

- ISO 23081-2

Cl. 7.1 Aggregations

-ISO 16175-2

Cl. 4.3.1.3 Records aggregations

Cl. 4.3.1.6 Classification

-ISO 16175-3

Cl. 3.1.4 Records classification

A 2.1.3 The scheme for grouping (classifying) the records reflecting

the nature, number and complexity of the work processes of the organization shall be documented (including changes

over time) and implemented as part of the procedures of those work processes.

- ISO 15489-1


- ISO/TR 15489-2

Cl. 4.2.2 Business activity classification

-ISO 16175-2

Cl. 4.3.1.7 Business classification scheme

A.2.1.4 The descriptive and control information (metadata

elements) required to create and control the records for each work process shall be identified and documented.

- ISO 15489-1




Cl. 9.8Tracking

-ISO /TR 15489-2

Cl. 4.3.2 Capture

Cl. 4.3.3 Registration

Cl. 4.3.5 Access and security classification

Cl. 4.3.8 Use and tracking

-ISO/TR 26122


Code Control Technical information in… Cl. 4.2 Records dimension of work process analysis

Cl. 7.1.2 General

Cl. 7.3.2 Outcomes of the analysis of the sequence of transactions in a process

Cl. 7.9 Outcomes of the analysis of the links to other processes

-ISO 23081-1

Cl. All

-ISO 23081-2

Cl. All

-ISO/TR 13028

Cl. 6.3.4 Metadata

A.2.1.5 Records processes which need to be recorded in metadata

linked to the record event history shall be defined. Procedures shall be established to link the event history to

the records and to maintain it for as long as the records themselves.

- ISO 15489-1

Cl. 9.8 Tracking

-ISO/TR 15489-2


-ISO 23081-1


Cl. 8.3 Points throughout the existence of records when metadata should be created and

applied

- ISO 23081-2

Cl. 9.4 Event plan metadata

Cl. 9.5 Event history metadata

-ISO 16175-2

Cl. 5.4.7 Records management process metadata

A.2.1.6 Decisions about what metadata are required to identify, manage and control records throughout the organization,

and externally, shall be documented and implemented.

- ISO 15489-1




Cl. 9.8 Tracking

-ISO/TR 15489-2

Cl. 4.2.3 Vocabulary

Cl. 4.2.5.2 Development of security and access classification


Code Control Technical information in… Cl. 4.3.2 Capture

Cl. 4.3.3 Registration



-ISO 23081-1

Cl. All

-ISO 23081-2

Cl. All

-ISO/TR 13028

Cl. 6.2.2 All digitised images should be assigned metadata to document digitising processes and to support ongoing business processes

A.2.2.1 Rules shall be established for regulating access to records based on work process requirements, relevant legislation

and, if appropriate, commercial considerations. These shall be documented and maintained for as long as the records

are required.

- ISO 15489-1

Cl. 8.2.3 Integrity

Cl. 8.3.6 Access, retrieval and use

-ISO/TR 15489-2

Cl. 4.2.1 Principal instruments

Cl. 4.2.5 Security and access classification scheme


-ISO/TR 26122

Cl. 4.2 Records dimension of work process analysis

A.2.2.2 The access rules shall be implemented in the records systems by assigning access status to both records and

individuals.

- ISO 15489-1


-ISO/TR 15489-2

Cl. 4.2.1 Principal instruments



- ISO 23081-1

Cl. 9.2.4 Metadata supporting the security of records

-ISO 16175-2

Cl. 5.4.1 Maintain


Code Control Technical information in…

A.2.3.1 Procedures shall be implemented to ensure the integrity/security of the records and to prevent unauthorized

use, modification, removal, concealment and/or destruction.

- ISO 15489-1

Cl. 7.2.2 Authenticity

Cl. 7.2.4 Integrity


-ISO/TR 15489-2

Cl. 4.3.9.2 Continuing retention



Cl. 4.3.7.1 Records storage decisions


-ISO 23081-1

Cl. 5 Purpose of records management metadata

Cl. 8.3.9.2 Authenticity and fixity of metadata

- ISO 23081-2

Cl. 4.1. Purposes of metadata for managing records

-ISO TR 13028

Cl. 6.2.2 All digitised images should be assigned metadata to document digitising processes

and to support ongoing business processes

-ISO 16175-2

Cl. 5.4.1 Maintain

-ISO 16175-3

Cl. 3.2.4 Online security processes

A.2.3.2 The means of maintaining/storing the records shall meet

the relevant standards for the medium and technology used in order to ensure they remain useable for as long as

required.

- ISO 15489-1

Cl. 8.3.4 Distributed management

Cl. 9.6 Storage and handling

-ISO 15489-2

Cl. 4.3.7.1Records storage decisions

Cl. 4.3.7.3 Digital storage


Cl. 4.3.9.4 Transfer of custody or ownership of records

-ISO TR 13028


Code Control Technical information in… CI. 6.2.4 Storage media and procedures should be defined, documented and implemented

A.2.3.3 Procedures shall be established and implemented to

ensure that digital records remain accessible and meaningful over time, also outside the context of their

creation.

- ISO 15489-1.

Cl. 8.2.5 Usability

Cl. 8.3.5 Conversion and migration

-ISO/TR 15489-2


-ISO 23081-2

Cl. 11 Implementing metadata for managing records

-ISO TR 13028

Cl. 6.4.3 Digitised records should be managed in a way that allows their continued existence for as long as they are required

-ISO 16175-2

Cl. 5.6.2 Migration, export and destruction

ISO 16175-3

Cl. 3.3 Supporting import, export and interoperability

A.2.3.4 Restrictions, including use of encryption, shall be removed

after a stated period

- ISO 15489-1.

Cl. 9.7 Access

-ISO/TR 15489-2


- ISO 23081-1

Cl. 9.2.4 Metadata supporting the security of records

-ISO 16175-2

Cl. 4.3.2 Maintain

A.2.4.1 Procedures shall be established for reviewing, authorizing and implementing decisions on retention and disposition of

the records of each work process.

- ISO 15489-1

Cl. 8.3.7 Retention and disposition


Cl. 9.9 Implementing disposition

- ISO 15489-2

Cl. 4.2.4 Records disposition authority

- ISO/TR 26122


Code Control Technical information in… Cl. All

- ISO 23081-1

Cl. 9.6 Metadata about records management processes

- ISO 23081-2

Cl. 9.4 Event plan metadata

Cl. 11.3 Creating metadata for managing records

Cl. 11.5 Metadata as control tools for managing records

Cl. 11.7 Appraisal

- ISO/TR 13028

Cl. 6.5 Records disposition

- ISO 16175-1

Cl. 3 Guiding principles

- ISO 16175-2

Cl. 5.6 Retention and disposition

- ISO 16175-3

Cl. 3.4 Retaining and disposing of records as required

A.2.4.2 Decisions about the transfer, removal or destruction of records shall be authorized and documented.

- ISO 15489-1


- ISO/TR 15489-2

Cl. 4.3.9 Implementation of disposition

- ISO/TR 13028


- ISO 16175-1


- ISO 16175-2


- ISO 16175-3

Cl. 3.3 Supporting import, export and interoperability


A.2.4.3 Procedures for authorized and controlled transfer of records to another organization or system shall be

- ISO 15489-1


Code Control Technical information in… established and implemented. Cl. 9.9 Implementing disposition

- ISO/TR 15489-2


-ISO 23081-1


- ISO 23081-2

Cl. 11.7 Appraisal

Cl. 11.8 Transferring records

- ISO/TR 13028


- ISO 16175-1


- ISO 16175-2


- ISO 16175-3


- ISO 13008 (to be published)

Cl. all

A.2.4.4 Procedures for authorized, regular removal of records which are no longer required, including removal to off-site

or off-line storage, shall be established and implemented.

- ISO 15489-1

Cl. 8.5 Discontinuing records Systems

Cl. 9.6 Storage and handling


- ISO/TR 15489-2


- ISO/TR 13028


- ISO 16175-1


- ISO 16175-2



Code Control Technical information in… - ISO 16175-3


A.2.4.5 Records authorized for destruction shall be destroyed under appropriate supervision. The destruction shall be

documented.

- ISO 15489-1


- ISO/TR 15489-2


- ISO 16175-1


- ISO 16175-2


- ISO 16175-3


A.2.4.6 Where the nature and complexity of the business and

formal accountabilities require it, control information (registration, identification and history metadata) about

records which have been destroyed shall be retained.

- ISO 15489-1


- ISO 15489-2


- ISO 23081-1


- ISO 23081-2

Cl. 11.7 Appraisal

ISO 16175-1


- ISO 16175-2


- ISO 16175-3


Cl. 3.1.2 Record metadata

A.2.5.1 All records systems (including business systems which

keep records) shall be clearly identified, assigned to a responsible owner and documented in an inventory which

is regularly updated.

-ISO 15489-2

Cl. 3.2.5 Step D: Assessment of existing systems

-ISO 16175-1


Code Control Technical information in… Cl. 2 Good practice: digital records and the role of software

A.2.5.2 Implementation decisions on records systems shall be

documented, maintained and made available to all users who need them.

-ISO 15489-2

Cl. 3.2.8 Step G: Implementation of a records system

-ISO/TR 13028

Cl. 6.4 Management systems

-ISO 16175-1

Cl. 4 Implementation issues

A.2.5.3 Rules shall be established, documented and maintained for regulating access to records systems in order to undertake

system administration tasks.

-ISO 16175-2

Cl. 5.4.3 Access controls

Cl. 5.4.4 Establishing security control

Cl. 5.4.5 Assigning security levels

-ISO 16175-3

Cl. 3.2.4 Online security processes

A.2.5.4 Procedures for operational maintenance shall be

established to ensure records systems' availability.

-ISO 16175-3

- Appendices B. Integrating records considerations into the systems development life cycle

A.2.5.5 Regular monitoring of the performance of records systems

against business requirements and records objectives shall be implemented and documented.

-ISO 15489-2

Cl. 3.2.9 Step H: Post-implementation review

A.2.5.6 Procedures shall be provided to ensure and demonstrate

that any system malfunction, upgrade or regular maintenance does not affect records integrity.

- ISO 15489-1

Cl. 8.2 Records systems characteristics

ISO 16175-2

Cl. 5.8.5 Back-up and recovery

- ISO 16175-3 5 Implementation

A.2.5.7 Changes in records systems, particularly exceptional

operations (such as migration, integration of new requirements, computer technology change or

discontinuation), shall be analysed, planned and implemented. Decisions made shall be documented.

- ISO 15489-1

Cl. 8.5 Discontinuing records systems

-ISO 13008 (to be published).

Cl. all

relationship between the iso 30300 series of...

Documents