NEW! Information Management Standards for Records
Management System for Records ISO 30300:2011
King III states that:
The board should ensure that there are systems in place for the management of information which should include information security, information management and information privacy.
The new ISO standards will help organizations to apply this principle and disclose corporate information quickly and effectively.
Here is the official ISO press release: Official ISO30300 Press Release
The standards are titled ‘management system for records’ (MSR) standards.
- ISO 30300 Management system for records – Fundamentals and vocabulary
- ISO 30301 Management system for records – Requirements.
These standards:
- Include experience gained in the implementation of the 10-year-old ISO 15489, Information and documentation – Records management standard; and
- Are compatible with and complementary to other standards, such as ISO 9001 (quality management), ISO 14001 (environmental management), and ISO/IEC 27001 (information security management).
What is the difference between a ‘management system for records’ and a ‘records system’?
A ‘management system for records’ is the management system to direct and control an organization with regard to records.
It focuses on controlling the organization.
A ‘records system’ is an information system which captures, manages and provides access to records over time.
It is usually a combination of people, processes, tools and technology specifically to control records.
What is the relationship between ISO 30300 and ISO 15489?
ISO 30300 is high level, aimed at the controls and processes for managing the organization and establishing the strategic framework for good records management, e.g. policy, leadership, planning, monitoring etc.
ISO 15489 is aimed at the operational aspects of records management – focussed on the controls and processes for managing records. ISO 15489 stands as the foundation standard for use by records management practitioners as the statement of principles and operational processes and controls for records.
Why a Management System for Records?
Information Management – Managing records using a standard supports cost-effective operational processes, such as storage, information retrieval, information re-use, litigation and due diligence, say Ellis and Bustelo, leaders of the working groups that developed the standards.
Records are integral to any organization’s activities, processes and systems.
Solid records management:
- Enables management efficiency, accountability, risk management and business continuity;
- Empowers organizations to capitalize on the value of their information resources as business, commercial and knowledge assets; and
- Contributes to the preservation of organizational memory, in response to the challenges of the global and digital environment.
Why an ISO standard?
The standards are an organization-wide, strategic approach to providing the right framework, based on international best practice.
A ‘management system’ is ‘framework of policies, procedures, guidelines and associated resources to achieve the objectives of the organization’ [ISO/IEC 27000:2009(E), definition 2.26]
A ‘management system for records’ is the management system to direct and control an organization with regard to records. [ISO/DIS 30300, 3.4.2]
Who will use the standards?
The standards are intended for organizations of all types and sizes, or groups of organizations with shared business processes.
These standards are primarily aimed at management – at all levels.
The standards are also useful for auditors, risk managers and others who have an interest in evidence-based decision-making and collaboration, accountability and transparency of business, and sound business management.
What are the benefits of using standards?
- Legal compliance and protection, including support for litigation or due diligence.
- Ability to meet regulatory requirements, including:
  - accountability, ethical and corporate governance requirements;
  - regulatory compliance;
  - financial and practice audits.
- More sustainable and greater consistency of service provision based on authentic, reliable and usable information.
- Facilitates a common language across an organisation, for articulating common principles, minimum benchmark criteria and best practice. (King III: “The board should ensure promotion of an ethical IT governance culture and awareness and of a common IT language.”)
- Enables a coordinated and consistent approach to establishing policy, objectives, targets and implementation techniques across an organisation, thereby minimizing duplication, redundancy, and incompatible processes.
- Support of risk management, including:
  - Privacy (King III: “The board should ensure that all personal information is treated by the company as an important business asset and is identified”);
  - Security (King III: “The board should ensure that there are systems in place for the management of information which should include information security”);
  - Reputation Management (King III: “The board should appreciate that stakeholders’ perceptions affect the company’s reputation”);
  - Business Continuity planning and implementation (King III: “Management should regularly demonstrate to the board that the company has adequate business resilience arrangements in place for disaster recovery.”)
- Ability to set and assess performance measures for the use of commercial service providers, and for inclusion in commercial contracts.
- Integrated use of standards has the benefit of eliminating redundancy, establishing consistency, optimizing processes and resources, consolidating assessments, reducing maintenance and improving decision making.
What terminology is introduced?
The main change is the definition for ‘records’.
In ISO 15489 it is:
Information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business
In ISO 30300 it is:
Information created, received, and maintained as evidence and /or as an asset by an organization or person, in pursuance of legal obligations or in the transaction of business or for its purposes, regardless of medium, form or format.
The task of defining terms in international standards is difficult and requires compromise to reach across jurisdictional and language barriers.
The definition used in ISO 30300 has been expanded to address specific issues:
One issue is that in several member countries the word ‘evidence’ refers only to information presented to a court.
- This is too narrow for the definition of records.
- In the new text (ISO 30300) ‘evidence’ refers to ‘documentation of a transaction, proof of a business transaction which can be shown to have been created in the normal course of business activity and which is inviolate and complete. Not limited to the legal sense of the term’.
Another issue is the idea of managing records as assets. ‘Asset’ refers to anything that has value to the organization, e.g. information, software, physical, services, people, and intangibles [ISO/IEC 27000:2009, definition 2.3].
Also, it was agreed to refer to the organization’s purposes without limiting them, while making it clear that ‘records’ are kept for a reason, not merely accumulated by default.
Finally, it was agreed that it was necessary to state that the medium, format or form of a record was not limited, so that everyone understood it included paper-based and electronic formats, or other media.
Why are records managed as assets?
There is a strong need to identify ‘records’ as ‘valuable’ to organizations without falling into the difficulty of quantifying or defining value.
It was agreed to use the word ‘asset’ to reflect that requirement.
The inclusion of ‘asset’ is considered important for top management, who should be concerned about evidence-based governance, capacity building, sustainable development and value-added business processes.
Records are agreed as assets and valuable to business for the following reasons:
- Strategy, including effective conduct of business through:
  - informed decision-making;
  - performance management;
  - productivity improvement;
  - consistency, continuity and quality assurance in management and operations.
- Operations, including responsive and accurate service delivery, resource management and cost control.
- Regulatory compliance, and legal protection and support.
- Accountability, corporate governance, financial and practice audits.
- Risk management, including security, reputation management, business continuity planning and implementation.
- Ethics, including openness, trust and meeting expectations of external stakeholders.
- Corporate memory, including innovation through capture and reuse of organizational knowledge, and use of strategic knowledge to support business.
Where can one get the standards?
You can buy them from ISO.
What else is in development?
Two new products are under development:
- Management System for Records – Guidelines for Implementation
  These are guidelines for implementing an MSR.
- Management system for records – Requirements for bodies providing audit and certification
  This contains the requirements for independent bodies providing audit and certification of an organization’s MSR.
The above was sourced from the ISO release: ISO TC46 SC11 FREQUENTLY ASKED QUESTIONS



