Part 4: How to comply with BS ISO 15489-1
Philip Jones and Robert McLean
389 Chiswick High Road
London W4 4AL
© British Standards Institution 2 0
All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.
Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.
The right of Philip Jones and Robert McLean to be identified as the author of this Work has been asserted by them in accordance with sections 7 and 7 of the Copyright, Designs and Patents Act 1988.
Typeset in Helvetica and Century Schoolbook by Monolith
Printed in Great Britain by MPG Books Ltd, Bodmin, Cornwall
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 9 8-0-5 0-4 6 2-2
All businesses, whether private or public sector, rely on information and records to conduct their affairs in a systematic and legally compliant way. The strategic management of records and information is essential to this process and never more so in an age of e-commerce and e-government. With a rapidly changing and developing business context there are considerable organizational benefits to adopting a consistent and standardized approach to the management of records and information.
In October 2001 the first international standard for the management of records was launched in Montreal, Canada. The two-part publication of Standard and Technical Report, implemented in the United Kingdom as BS ISO 15489-1:2001 and PD ISO/TR 15489-2:2001, were the culmination of three years' work by a group of international experts to synthesize best practice from around the world in the strategic management of records. This Standard and Technical Report are applicable to multinational companies and small enterprises alike and provide an essential tool for the management of records and information.
The standard provides a framework within which the necessary management of records and information can take place. This publication is the fourth in a series of publications on records management and is intended to complement the Standard and Technical Report and help place them in context for the user. The publications expand on the framework that the standard creates and provide both interpretation and illustration of good practice. Each volume has been written predominately from the United Kingdom perspective by leading United Kingdom practitioners, who have first hand, practical experience of, and insight into, the issues facing United Kingdom organizations today.
The other books in this series are:
BIP 0025-1:2002, Effective records management — Part 1: A management guide to the
1 Introduction
1.2 Why is compliance with BS ISO 15489-1 important?
3 Self Assessment and Compliance (SAC) Processes
3.1.2 SAC criteria: records management strategic issues
3.2.2 Step 2 (b) – Determining requirements for records
3.3 Step 3 – Records systems characteristics and functionality
3.4.1 Determining documents to be captured into a records system
3.4.2 SAC criteria: determine documents to be created and captured
3.4.21 Tracking
3.4.2 SAC criteria: records management processes documented
3.5 Step 5 – Training in requirements for records management
1.1 Background
BS ISO 15489-1, a standard for the management of records, was originally launched by ISO in October 2001 and adopted soon after by the British Standards Institute (BSI). The standard is a best-practice standard and as such can be used to benchmark an organization's processes and procedures concerned with the management of records and information.
The standard is not a compliance standard in that it requires certain actions or prescriptions to be followed in a specific way. Records management practice is heavily intertwined with the business processes of an organization and will differ from one organization to the next even if they operate within similar domains. This does not however mean that it is not possible to be compliant with the standard; this publication seeks to lay out an approach that an organization can adopt to build a portfolio of evidence which demonstrates compliance with the principles described in this standard in ways and to the degree which are appropriate for a particular organization.
The approach taken by the authors is to deconstruct the standard in terms of its requirements, give examples of the most appropriate level of compliance and then indicate to the reader potential ways of measuring compliance. This publication uses tables to highlight the relevant clause number and criteria from the standard, gives an example of how compliance could be verified, illustrates the source of the verification (including, where appropriate, which steps from the DIRKS methodology may provide a useful source of information) and finally an indication of who would likely be responsible for providing and/or managing the requirements.
For some organizations there may be an imperative from within their own business domain to demonstrate a very high level of compliance with a particular prerequisite of the standard whilst other prerequisites would require a lesser level of compliance. This publication cannot make the decision for the user on the level of compliance needed for their particular organization but rather offers a range of options which can be selected based on a business and regulatory analysis of the organization.
This approach is illustrated in the following table.
In organizations subject to certain statutory and regulatory regimes, the contents of this policy may need to cover specific issues whereas in other industries there are no particular specifications affecting the contents of such policies.
The authors have also taken the opportunity where applicable to include practical information on some of the requirements outlined, based on their combined 50 years of professional knowledge. These are referred to as 'Top Tips' and appear in shaded boxes as per the example below.
TOP TIP
Good retention schedules should contain information describing the records series, how long it is to be kept, what happens at the end of retention and the legal, regulatory or operational reason for retaining the record. Avoid terms like 'best practice' or 'common practice' as they are meaningless and make it difficult for subsequent users to review schedules.
The ultimate aim is to have records management systems and processes that are fit for purpose and support the organization's mission, aims, objectives, rights and obligations. Its records will then be credible and trustworthy, able to provide a defence when required and an accurate source of information on which to base decisions for future activities.
1.2 Why is compliance with BS ISO 15489-1 important?
There are no statutory requirements for an organization, either public or private sector, to be compliant with the standard,¹ although there are many reasons why an organization may seek to be compliant:
• Quality programmes – many recognized quality frameworks such as ISO 9000 and the EFQM require organizations to manage their records in a best-practice way.
• Public access legislation – such as the Freedom of Information Act 2000, Data Protection Act 1998 and Environmental Information Regulations 2004 are underpinned by good records management practice, and organizations failing to meet various codes of practice under these regimes can face penalties.
• Regulatory requirements – many industries are subject to stringent regulatory regimes, e.g. pharmaceutical organizations, where the authenticity and accuracy of records is paramount to meet business objectives and failure to do so has serious business consequences such as a product failing to attain the necessary licence to be traded.
• Performance measurement – many organizations monitor performance closely to ensure that business risks, operating costs, productivity, legal compliance and stakeholder requirements are all managed against agreed criteria. Records and information management plays a crucial part in all of this and compliance with BS ISO 15489-1 is a means to ensure this aspect of performance can be monitored.
• Moving from an analogue to digital work environment – many organizations are developing ECM (enterprise content management) and ERP (enterprise resource planning) strategies, each of which involves a move from an analogue (paper) work environment or a hybrid (partially paper and partially digital) environment to a predominantly digital environment. It may involve business transformation and process reengineering and it may involve redesigning the corporate IT architecture. It will certainly involve learning new techniques to manage records to meet corporate governance and statutory requirements. Organizations will find a high value in having a framework in which to manage this critical development.
¹ The 'Priority Outcomes' issued by the Office of the Deputy Prime Minister in the UK in relation to public sector e-government targets suggest that BS ISO 15489-1 would be the required methodology to implement
1.3 Benefits of compliance
Compliance with BS ISO 15489-1 can bring a number of operational benefits to an organization, for example, it can allow an organization to do the following.
• Conduct business in an orderly, efficient and accountable manner. The preservation of accurate and authentic business records is not only a requirement of many statutes and regulations but also adds value to operational efficiency of the organization.
• Deliver services in a consistent and equitable manner through understanding what organizational transactions have been completed and how they were completed.
• Support and document policy formation and managerial decision-making, through preservation of a reliable knowledge base.
• Provide consistency, continuity and productivity in management and administration, by ensuring business evidence of all organizational activities has been captured.
• Provide continuity in the event of a disaster, by ensuring that 'vital records' have been identified by analysing the value and risk associated with records.
• Meet legislative and regulatory requirements through ensuring records are retained and accessible for the appropriate period of time.
• Provide protection and support in litigation including the management of risks associated with the existence of, or lack of, evidence of organizational activity.
• Protect the interests of the organization and the rights of employees, clients and present and future stakeholders.
• Support and document current and future research and development activities, developments and achievements, as well as historical research.
• Maintain corporate memory through capturing evidence of business activity in documents and including the documenting of processes.
TOP TIP
Include those benefits which address key organizational issues when producing a business case for improved records management.
1.4 Responsibilities for attaining compliance
There is clearly a need for input from the information/records specialist in ensuring compliance with BS ISO 15489-1, but this can only be one aspect in developing a compliant programme. Input will be needed from legal specialists in terms of understanding statutory and regulatory requirements and the levels of necessary compliance. Business analysts are essential to help to understand the nature of the organization and how it works. Every project needs a sponsor, usually a senior manager, to ensure that a strategic perspective is maintained. Finally, every project also needs a project manager who is given the time and resources to deliver the project.
1.5 Risk management and governance issues
Authoritative and credible records are now seen as an essential component in demonstrating good corporate governance, transparency of operations and in meeting regulatory requirements. Failure to meet these obligations can be financially punitive and seriously damage the organization's reputation. These matters are also closely related to management of risk.
1.6 Meeting governance and compliance requirements
1.6.1 Overview
The matrix below demonstrates that the degree of compliance with the standard can be linked to the regulatory environment.
Low risk (e.g. minimal statutory/
Ability to prove compliance should be part of risk strategy
Ability to prove compliance with BS ISO 15489-1 should be built into risk strategies and marketed to stakeholders as a positive aspect of corporate governance
The nature of the risk and the organization's attitude toward specific risks can be used to assess the need for compliance with BS ISO 15489-1 and the actions an organization may want to take.
1.6.2 Quadrant 1 – Relaxed governance
If an organization exists in a business domain with little or no statutory or regulatory business requirements and does not complete a high number of business transactions with its customer base, then proving compliance with the standard may not have any business value. However, very few organizations do exist in such an environment and if they did, for the business to progress they would soon be situated in another quadrant. This would not negate the statutory requirements associated with keeping records.
1.6.3 Quadrant 2 – Focused governance
If an organization exists within a regulated environment, but has a relatively small number of customer transactions, it should utilize best practice from BS ISO 15489-1 and ensure robust retention schedules are developed.
1.6.4 Quadrant 3 – Reduced governance
If an organization exists in a business environment that is not heavily regulated, but carries out a large number of transactions, it will benefit from following BS ISO 15489-1 and ensuring the best practice is absorbed into the organization, but may not need to establish formal compliance.
1.6.5 Quadrant 4 – Vigorous governance
Where an organization exists in a highly regulated business environment and participates in a high level of business transactions, there is a value in demonstrating a compliance with BS ISO 15489-1 to communicate to its regulators, customers and other stakeholders a commitment to good corporate governance.
1.7 Risk assessment
Businesses face a wide variety of records-related risks in addition to those resulting from their statutory and regulatory environment. Loss of information, disruption to systems and consequent loss of access to records, perhaps as a result of a disaster, damage to reputation and other situations are very real risks in today's world. A means of analysing and assessing the impact of potential or actual risks is essential to ensure that the organization can continue to operate in an economically sustainable way. Many organizations have a risk register to demonstrate awareness and management of the unique set of risks affecting their business. Identification of risks related to records may be drawn from such a register or developed as part of the methodology proposed here for compliance.
A common way to assess risk is by means of a 'likelihood versus impact' matrix. For each records management risk identified, multiply the likelihood by the impact to arrive
Score 2–6 (low risk) = monitor risk, mitigate where possible
Score 8–12 (medium risk) = remedial action needed at appropriate time to mitigate or reduce risk
Score 1 –24 (high risk) = urgent action required to reduce or eliminate risk to prevent significant adverse consequences
When taken forward to the summary (Form B) this helps to identify priorities for action based on the associated risk. The actions needed to meet with BS ISO 15489-1 requirements – to the extent applicable to the organization's unique circumstances and its attitude to risk – can then be identified, prioritized and costed. Resulting projects or changes in processes may then be assessed and scored after implementation to enable the improvements to be clearly seen.
TOP TIP
Who owns the risk? It is the business unit that is responsible for the process that produces the records that owns the risks associated with those records. Their understanding of the risks and their potential consequences may help them to work with you to reduce the risks and resolve issues.
2.1 Introduction
This publication aims to provide help in understanding how to apply BS ISO 15489:2001, Information and documentation – Records Management, Part 1: General in appropriate ways for a wide variety of organizations. The methodology takes into account the legal and regulatory environment, the business requirements and the organization's attitude towards risk, thereby enabling the business to achieve what the authors call 'contextual compliance'.
Guidance is provided in assessing the degree to which existing records management programmes, systems and processes are fit for purpose. From this accurate understanding of matters, improvements can be planned, prioritized and subsequently measured.
2.2 Self-assessment and compliance (SAC) processes
BS ISO 15489-1 provides guidance for improving an organization's records and information management practices, including the design of new systems and review of existing systems, in order to satisfy the requirements of the standard. These include:
• setting policies and standards;
• assigning responsibilities and authorities;
• establishing and promulgating procedures and guidelines;
• providing a range of services relating to the management and use of records;
• reviewing, designing or redesigning, implementing and administering specialized systems for managing records; and
• integrating records management into business systems and processes.
BS ISO 15489-1 includes the eight-step DIRKS methodology (Design and Implementation of a Records System) in clause 8.4. An explanation of DIRKS is included in Annex A of this publication. A fuller explanation, with worked examples, is found in PD ISO/TR 15489:2001, Information and documentation — Records management — Part 2: Guidelines.²
It is highly appropriate to use this methodology in conjunction with this self-assessment and compliance process. The DIRKS steps may be taken in order, out of order or combined if appropriate. The steps may be applied at the organizational level (i.e. strategic), the functional, activity, system, process or even transaction level. It is likely that this will be an interactive process covering the same or similar ground but from different perspectives or deeper levels of granularity. Each step or review will inform the next and a rich and accurate picture of the organization's records management requirements and its performance will be built up.³
The SAC may be conducted after all DIRKS steps have been completed and in some ways this makes the SAC process easier, as there would be a ready source of current, relevant and accurate information available for each stage in the assessment. However, DIRKS may also be used in conjunction with each SAC step as indicated in the table in the following section (see p 9).
2.3 How to use this publication
The following table summarizes the logical set of steps that will lead to an evaluation of compliance with the standard. They are based on clauses 6–11 in BS ISO 15489-1, but are presented in an order which places design or redesign of records systems after the analysis of records management activities but before training and monitoring, since organizations may find it easier to approach matters in that sequence. However, alternative routes may be followed as circumstances and needs determine.
Following the steps will enable the business to create a prioritized and risk-assessed report of improvements or changes to meet the real needs of the organization and records systems can be implemented or improved as required.
These steps are also linked to the DIRKS processes described in PD ISO/TR 15489-2, which is summarized in Annex A.
² Clauses in the TR are mapped to the standard in TR Annex 1.1
³ See BIP 0025-2:2 0 , Effective records management — Part 2: Practical implementation of BS ISO 15489-1, for further practical information on following the DIRKS methodology
A Establish business needs
Part or all of the organization is engaged in identifying and supporting a programme of work to achieve certain benefits as described
Records systems identified, analysed, evaluated and prioritized for improvement on a risk basis
4 Processes and controls (clause 9)
B & C Fitness for purpose of records processes and controls established, gap and risk analysis completed
List of remedial actions needed to fully meet requirements
& H
Training needs identified, reviewed, evaluated and subsequently met at all levels including records management professionals
Post SAC process E–H Design or redesign of systems and processes following completion of SAC process
The most important remedial actions needed to comply with the standard will have been identified as having:
• real business relevance and need;
• a wide organizational viewpoint rather than a narrow departmental perspective;
• some indications of costs prioritized;
• a risk assessment completed to demonstrate the consequences of non-compliance and whether this is acceptable to senior management; and
• projects identified and scoped and prioritized.
TOP TIP
BS ISO 15489-1, when applied intelligently, will lead to an organization keeping fewer records – but those records will be of a higher quality, and thus be more useful as evidence and as sources of information upon which to base decisions.
2.4 How to use the forms – Forms A/1 to A/7
2.4.1 Form numbering
The forms used to record assessments are numbered according to the above steps for consistency:
A/1/ Policy and responsibility
A/2/ Records management requirements – records characteristics
A/3/ Records system characteristics
A/4/ Records system functionality
A/5/ Records management processes and controls
A/6/ Training
A/7/ Monitoring and auditing
Forms A/1 to A/6 can be used for collation of survey information relating to individual systems, processes, activities and functions.⁴ As an example, if the records management processes and controls of an accounts payable function in a finance department were being analysed, there may be several processes in need of description, to establish the overall level of compliance for that function.
In that case the forms could be numbered as follows:
A/2/a Authorization of payments
A/2/b Banking transactions
A/2/c Reconciliation of accounts
A/2/d Management of budgets
2.4.2 Number of forms per department or function
The level to which functions, activities and business processes are deconstructed and described is entirely at the discretion of the organization, but all relevant issues should be captured. Functions which are large and complex – especially those in a high-risk environment – will require greater levels of granularity to be useful than for simpler, low risk activities (see matrix on p 4 for further information).
The level of detail entered into each field on the form should be sufficient to give evidence of how the score was determined.
⁴ 'Function': a common purpose that unites a set of activities which help the organization to fulfil its mission; 'activity': a group of related processes that support a function; 'process': a set of repeated actions which transform input into output; 'transaction': the smallest unit of business activity
2.4.3 ISO reference
This refers to the specific clause in BS ISO 15489-1 most relevant to the topic under review. Other clauses may also be relevant depending on circumstances and may be added as required.
2.4.4 Requirement detail and fitness for purpose
If the DIRKS methodology is followed, the products or outcomes will form the principal source of information for defining the requirements and verifying fitness for purpose. Other methodologies may also be used if desired.
2.4.5 Source
The source of evidence used to determine fitness for purpose. This may include company policies, procedures, plans, and so on.
2.4.6 Responsibility
For actions to happen there needs to be both authority and accountability. Where a shared responsibility is found, it should be made clear how decisions will be made, documented and implemented.
2.4.7 Scoring explained
A simple numeric system allowing some room for judgement is suggested:
• 0 = failure to adequately meet requirements giving rise to exposure to risk
• 1–2 = requirements partially met but remedial actions essential
• 3–4 = most requirements met giving overall adequacy but some room for improvement
• 5 = all requirements fully met at present
At the foot of the form, enter the total score, then enter the number of criteria multiplied by 5 to give the maximum total score. Calculate the score as a percentage of the maximum possible score. Scores are taken forward from forms A to B and summarized in Form C.
Organizations may wish to develop their own scoring methods, if that would be more appropriate for their needs. These may then be substituted on the forms.
2.4.8 Remedial action needed
Briefly note the actions needed to improve the score. In most cases, a risk analysis assessment will have been done to prioritize work needed and establish time-frames for completion (see matrix on p 6, for further information). This will be shown in summary B prefix forms.
If large-scale, far-reaching changes are envisaged, additional project management methodologies (such as Prince 2) may be employed. The project reference(s) should be added as they become available.
Descriptions of the type of information that might be expected in each field on forms prefixed 'A' is given in Annex B.
2.5 How to use the forms – Forms B/1 to B/6
Forms B/1 to B/6 provide an opportunity to summarize information in the A range of forms and add priorities, target dates for remedial actions and provide an aggregated score for each step across the organization. The information presented will likely be useful for project planning and monitoring purposes.
2.6 How to use the forms – Form C
The purpose of Form C is to calculate a total score representing the degree of contextual compliance with BS ISO 15489-1 and to present a high-level summary of actions required, who will be responsible for doing them and when they would be expected to be completed. The form could be used for project management and general management reporting purposes.
All forms may be adapted for local use. The emerging picture during the SAC will provide valuable information to feed into business cases, provide a response to audits of systems and support risk register and risk mitigation or reduction.
It is the intention of this publication that the user will be able, by working through the outlined requirements, to build a portfolio of evidence which can be used to demonstrate compliance to a regulator or ombudsman and also to help highlight where the organization needs to improve practices within its records management programme. The thirteen benefits noted in clause 4 of BS ISO 15489-1 will thus be both achievable and measurable.⁵
⁵ See BIP 0025-3:2 0 , Effective Records Management — Part 3: Performance Management for BS ISO 15489-1, for further information on this topic
3 Self Assessment and Compliance (SAC) Processes
3.1 Step 1 – Records management strategic issues
Clause 6.1 An organization seeking to conform to this International Standard should establish, document, maintain and promulgate policies, procedures and practices for records management to ensure that its business need for evidence, accountability and information about its activities is met.
3.1.1 Records and information policies
It is essential that the information and records management policies provide support for the strategic objectives of the organization. In order to assess the adequacy and alignment of the policies, an analysis of the business environment should be carried out in conjunction with senior management. The aim is to determine and document the mission or purpose, aims and objectives of the organization as a whole. Each part of the organization is likely to have its own narrower set of operational aims and objectives which will support the organization's mission.
For any policy to be effective, it should be endorsed by senior management, with an individual manager taking responsibility for 'owning' the policy and ensuring its application and use.
Policy relating specifically to records management should state that the organization's records will be compliant with BS ISO 15489-1, specifically that records will be authentic, reliable, usable and have integrity. It should also state that the systems that are routinely used for managing records will support these characteristics and be comprehensive, systematic and compliant with all requirements arising from the current business
Several approaches may contribute to this understanding, including SWOT and PEST analysis, an appreciation of the organization's culture and values, technical environment, economic limitations and attitude to and an understanding of the needs and legitimate expectations of stakeholders. Knowledge of relevant legislation, regulation, other standards and best practices is also needed.
Responsibilities and authorities should be defined and assigned to individuals including those for leadership and accountability, ongoing management of the records management programme, specific projects and for normal record keeping activities and processes (both records specific and those arising from a person's routine job).
The policy should also describe current and/or proposed ways of translating its aims into practical realities, although not describing these in detail. It/they will also identify who will be responsible for implementation, how implementation will be resourced and how the policy will be communicated to all parts of the organization.
The policy or set of related policies should be written or reviewed against the findings of the business environment analysis so that the policy statements are directly relevant to and supportive of the wider organizational aims.
At this stage, records management procedures and practices may or may not already exist, depending on the degree of records management maturity within the organization. These are examined more fully in Step 3 – Records systems characteristics and functionality, p 2
3.1.2 SAC criteria: records management strategic issues
Other policies such as information security, web use, DPA, FOI etc.
Policy owner/author, records manager
TOP TIP
Use opportunities to advertise, communicate and raise awareness of policies in
conjunction with other corporate activities, such as an annual housekeeping day for
record disposal/archiving actions. Talk to business units at their departmental meetings
and demonstrate how they will benefit by applying good records management policies
and practice to their work (see clause 4 of BS ISO 15489-1).
3.2 Step 2 (a) – Records management programme
Clause 7.1 Records are created, received, and used in the conduct of business
activities. To support the continuing conduct of business, comply with the
regulatory environment, and provide necessary accountability, organizations
should create and maintain authentic, reliable and useable records, and protect the
integrity of those records for as long as required. To do this, organizations should
institute and carry out a comprehensive records management programme…
3.2.1 General
A comprehensive records management programme should embrace the management
of records arising from all of the activities of the organization. To be compliant with
BS ISO 15489-1, each of the following criteria should be met for each process and
activity, to the extent that the needs of the organization and any legitimate stakeholders
are satisfied.
Confirmation that the criteria for a comprehensive and compliant records management
programme have been met can only be done after sections 3.2, 3.3 and 3.4 from the DIRS
methodology (as described in the technical report) have been worked through for each
business process and their related records.
7.1 Determine for each business process:
A What records should be created
Process map shows points at which records should be created
Output from DIRS steps A, B & C
Records manager/business analyst
B What information should be captured in each record
Information content confirmed as meeting business, legal, regulatory and
C What technology should be used
Appropriate technology used to satisfy record and record-keeping system
D In what form and structure should records be created
Form and structure appropriate for ongoing business use over entire life
Metadata identified, schema designed and used, links demonstrated to be
H How long to keep records
Retention and disposal periods determined by analysis of business
and implemented A, B & C business analyst
L How to comply with legal and regulatory, applicable standards and organizational policy
All relevant legal, regulatory, standards
N How to ensure retention limits are applied
Processes and controls determined and applied to ensure records are destroyed
at proper time in appropriate way
Output from DIRS steps
Processes and activities reviewed for potential improvements, opportunities
P Vital records identified, risk analysis completed and
appropriate safeguards implemented for business continuity purposes
Vital records identified for critical activities, appropriate protection and
recovery mechanisms in place
Output from DIRS steps A, B & C
Records manager/business analyst
3.2.2 Step 2 (b) – Determining requirements for records
Clause 7.2.1 A record should correctly reflect what was communicated or decided
or what action was taken. It should be able to support the needs of the business to
which it relates and be used for accountability purposes. As well as the content, the
record should contain, or be persistently linked to, or associated with, the metadata
necessary to document a transaction, as follows:
a) the structure of a record, that is, its format and the relationships between the
elements comprising the record, should remain intact;
b) the business context in which the record was created, received and used
should be apparent in the record (including the business process of which the
transaction is part, the date and time of the transaction and the participants in
the transaction); and
c) the links between documents, held separately but combining to make up a
record, should be present.
All organizations rely on records for evidence of their activities to analyse their past
activities and for information to develop plans and strategies for the future.
The approach described in BS ISO 15489-1 clause 9.1 and in steps B and C of the DIRS
methodology will help to confirm that the right records are created at appropriate points
in each business process. Each series or group of records can then be tested to confirm
that they have the characteristics required in clause 7.2 to ensure that they are credible
and trustworthy.
Certain elements of the characteristics may be met by means of metadata. For example,
information about the record creator, sender or the business process may have already
been captured in metadata found in the computer operating system, the business
application or the record-keeping system (if separate) at the point of the user log-on.
Such metadata must be persistently linked to the records that it supports for its entire
retention life.
For a record to be usable, it must be eye readable. This implies that it must be capable
of being presented and interpreted. Rendering of the record to a computer screen or for
printing requires that the structure of the document remains intact. Degradation of the
record, especially where this is a textual document, will occur over time as changes are
made to systems (e.g. software upgrades) that manage structural metadata. A measure of
degradation is inevitable, but should be managed by means of a migration or conversion
strategy that takes into account the risk involved in loss of integrity. Some organizations
adopt proprietary-software solutions that offer very long-term prospects for retrieval,
whereas others prefer more generic approaches, including use of extensible mark-up
language or similar. The risks must be weighed against the costs in relation to the
business need.
Overall, this section of the SAC process will help to identify the strengths and any
weaknesses of existing record-keeping systems that produce, manage and store records. If
the records are deficient in any of the required characteristics, it is likely that the process
of creation and storage of the record and/or the system on which they are kept will need to
be changed in some way to satisfy the requirement.
3.2.3 SAC criteria: authenticity
Definition: authenticity refers to a record which can be proven to be what it purports to
be, created by the person (or system) purported to have created or transmitted it at the
time purported.
perform actions which result in the creation, transmission, receipt,
maintenance, protection, concealment, disclosure or disposal of records
ensure that records are created at or close to the time of the actions or
* A member of staff or an automated process, sometimes referred to as 'actors'
3.2.4 SAC criteria: reliability
Definition: reliability refers to a dependable, trusted record containing a full and accurate
representation of a transaction or activity (and any subsequent actions), created at the
time by individuals with a direct knowledge of the facts by routinely used instruments
Policies and procedures in place to ensure that individuals with direct
knowledge of the facts routinely use authorized instruments or systems to
create full and accurate and complete records at the time
3.2.5 SAC criteria: integrity
Definition: integrity refers to a record which is complete and unaltered.
3.2.6 SAC criteria: usability
Definition: usability refers to a record which can be located, retrieved, presented and
interpreted, with links preserved between other documents in the relevant business
records can be directly connected to the business
3.2.7 SAC criteria: metadata
Definition: information about the record which supports its discovery, access, use and
Rules exist and are followed
Metadata exists and is fit for
• Establish what metadata can be repurposed from operating and security systems
managed by ICT staff to support record-keeping needs. Document how this will
happen.
• Create a vital records schedule which can be used to ensure that in the event of an
emergency, business systems which need to be recovered quickly can also restore or
recover their records.
3.3 Step 3 – Records systems characteristics and functionality
3.3.1 System requirements
It is important to note that in this context the term system does not have to mean an
electronic records management computer program. System is used in a generic way which
would include such systems but also may include any set of rules, procedures and methods
(including manual systems) for managing records. A well designed, fit-for-purpose records
system will support the creation, capture and ongoing management of records which have
the characteristics required by the standard, described in the previous section.
3.3.2 SAC criteria: reliability
Definition: any system deployed to manage records should be capable of continuous and
regular operation in accordance with responsible procedures.
8.2.2 Proven reliability of system
Detailed documentation of system should exist
3.3.3 SAC criteria: integrity
Definition: control measures such as access monitoring, user verification, authorized
destruction and security should be implemented to prevent unauthorized access,
destruction, alteration or removal of records. These controls may reside within a records
system or be external to the specific system. For electronic records, the organization may
need to prove that any system malfunction, upgrade or regular maintenance does not
affect the records' integrity.
8.2.3 Proven integrity of system
System has flexibility to allow complex security to be applied
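One way to produce the evidence that section 3.3.3 asks for, shown as an added example that is not taken from the book or the standard: fingerprint each record and its linked metadata before an upgrade, repeat afterwards, and compare the two manifests. The record identifiers, metadata fields and sample stores are constructed for illustration.

```python
import hashlib
import json

def fingerprint(record):
    """Digest content and metadata separately so a report can say which changed."""
    # Canonical JSON (sorted keys) so key order alone never changes the digest.
    meta = json.dumps(record["metadata"], sort_keys=True, separators=(",", ":"))
    return {"content": hashlib.sha256(record["content"]).hexdigest(),
            "metadata": hashlib.sha256(meta.encode("utf-8")).hexdigest()}

def build_manifest(store):
    """Map each record identifier to its fingerprint."""
    return {rid: fingerprint(rec) for rid, rec in store.items()}

def compare_manifests(before, after):
    """List records removed, added or altered between two manifests."""
    report = {"removed": [], "added": [], "content_altered": [], "metadata_altered": []}
    for rid in sorted(before.keys() | after.keys()):
        if rid not in after:
            report["removed"].append(rid)
        elif rid not in before:
            report["added"].append(rid)
        else:
            for part in ("content", "metadata"):
                if before[rid][part] != after[rid][part]:
                    report[part + "_altered"].append(rid)
    return report

def integrity_preserved(report):
    """True only if nothing was removed, added or altered."""
    return not any(report.values())

# Constructed sample data: the same store before and after a hypothetical upgrade.
BEFORE = {
    "REC-0001": {"content": b"Minutes of board meeting\n",
                 "metadata": {"creator": "j.smith", "process": "governance"}},
    "REC-0002": {"content": b"Purchase order 17\n",
                 "metadata": {"creator": "erp-batch", "process": "procurement"}},
    "REC-0003": {"content": b"Contract variation\n",
                 "metadata": {"creator": "a.jones", "process": "legal"}},
    "REC-0004": {"content": b"Disposal certificate\n",
                 "metadata": {"creator": "r.lee", "process": "records"}},
}
AFTER = {
    # Same metadata in a different key order: must not be reported.
    "REC-0001": {"content": b"Minutes of board meeting\n",
                 "metadata": {"process": "governance", "creator": "j.smith"}},
    # Line endings rewritten during the upgrade: content altered.
    "REC-0002": {"content": b"Purchase order 17\r\n",
                 "metadata": {"creator": "erp-batch", "process": "procurement"}},
    # Creator field dropped: the metadata linked to the record has changed.
    "REC-0003": {"content": b"Contract variation\n", "metadata": {"process": "legal"}},
    # REC-0004 did not survive the upgrade at all.
}

def run_example():
    return compare_manifests(build_manifest(BEFORE), build_manifest(AFTER))

if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Keeping the "before" manifest itself as a record, stored outside the system being upgraded, is what lets the comparison serve as evidence later.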
3.3.4 SAC criteria: compliance
Definition: records systems should be managed in compliance with all requirements
arising from current business, the regulatory environment and community expectations
in which the organization operates. Personnel who create records should understand how
these requirements affect the business actions they perform. Records-system compliance
with such requirements should be regularly assessed and the records of these assessments
retained for evidential purposes.
ISO Criteria Verification Source Responsibility
8.2.4 Proven compliance of system
Map system functionality to legal, regulatory and business requirements
Document compliance and build in appropriate review
3.3.5 SAC criteria: comprehensiveness
Definition: records systems should manage records resulting from the complete range
of business activities for the organization, or section of the organization, in which they
3.3.6 SAC criteria: systematic
Definition: records should be created, maintained and managed systematically. Records
creation and maintenance practices should be systematized through the design and
operation of both records systems and business systems.
Records systems are identified, analysed, evaluated and prioritized for improvement on a
risk basis.
TOP TIP
• Many electronic systems will have all the functionality that an organization may
require – especially if they meet the criteria of an authority such as The National
Archives in the UK or equivalent body elsewhere.
• Success in choosing and implementing an electronic system will depend on how the
cultural and change management issues are managed since experience has shown
that these issues are at least as important as the technical considerations.
• The selection of vendors, system integrator and consultants is also critical to
success – it is imperative that careful thought is given to how they will work with
and support your project.
3.4 Step 4 – Records management processes and controls
Clause 9.1 Determining which documents should be captured into a records
system is based on an analysis of the regulatory environment, business and
accountability requirements and the risk of not capturing the records. The
requirement is likely to differ according to the type of organization and the legal
and social context in which it operates.
3.4.1 Determining documents to be captured into a records system
An analysis of the regulatory environment can be carried out in conjunction with
personnel from the business unit concerned and also with internal legal staff. The
objective is to understand the evidential and information requirements of sustaining
business coupled with the legal or regulatory accountability required by internal or
external authorities. These decisions can be further qualified by the risk management
culture that may exist in organizations. The result is that similar organizations may
reach different conclusions for the records they capture into record systems based on the
parameters already outlined.
3.4.2 SAC criteria: determine documents to be created and captured
List or table of who owns each business risk/accountability requirement
Report assessing the risk of non-compliance mapped
Records can be created and captured by a variety of technology, and organizations should
ensure that the most appropriate means to achieve a systematic approach is adopted and
built into business practices. This may also involve identifying individuals and assigning
specific responsibilities to achieve this outcome.
3.4.3 Determining how long to retain records
Decisions about how long records should be maintained within a records system are
based on an assessment of the regulatory environment, business and accountability
requirements and the risk.
Records retention may vary from very short term (one to two years) to longer term (20 to
50 years) depending on a number of criteria:
• to meet legal or regulatory requirements;
• to establish a corporate memory or knowledge bank to inform both current and future
decisions and initiatives; and
• to meet specific operational requirements.
3.4.4 SAC criteria: record retention
Record retention policies need to take account of a wide range of influences. The legal
requirement informs the minimum retention whilst operational and other stakeholder
requirements may inform longer retention.
ISO Criteria Verification Source Responsibility
List of stakeholder legitimate interest in documents
Complete retention
BS ISO 15489-1, when applied intelligently, will lead to an organization keeping fewer
records – but those records will be of a higher quality, and thus be more useful as evidence
and as sources of information upon which to base decisions.
TOP TIP
Good retention schedules should contain information describing the records series,
how long it is to be kept, what happens at the end of retention and the legal, regulatory
or operational reason for retaining the record. Avoid terms like 'best practice' or
'common practice' – they are meaningless and make it difficult for subsequent users to
review schedules.
3.4.5 Records capture
The purpose of capturing records into records systems is to:
• establish a relationship between the record, the creator and the business context that
originated it;
• place the record and its relationship within a records system; and
• link it to other records.
3.4.6 SAC criteria: records capture and classification
This involves assigning appropriate classification to records and allocating metadata
which can be permanently associated with the record. The metadata are vital for
understanding the context in which a record was created and also for demonstrating
its integrity.
ISO Criteria Verification Source Responsibility
Organizational metadata register may incorporate existing schema, e.g. e-gms3
& organizational-specific
Deciding which records to capture is an organizational risk-based decision informed
by legal, regulatory and operational needs. This needs to be periodically reviewed and
when new business units/business functions are created.
3.4.7 Registration
Clause 9.4 In a records system which employs registration processes:
– a record is registered when it is captured into the records system;
– no further processes affecting the record can take place until its registration
is complete.
Registration is the process of assigning a unique identifier to a record which has been
captured into a records system. In an electronic system, this happens as a transparent
process and the user does not usually need to take any additional action. This is an
optional process under the standard.
3.4.8 SAC criteria: registration
Electronic systems automatically assign unique identifiers to new records; this
Classification of business activities acts as a powerful tool to assist the conduct of business
and in many of the processes involved in the management of records, including:
• providing linkages between different records which relate to the same activity or
function;
• ensuring records are named in a consistent manner over time;
• allowing the retrieval of all records relating to a particular function or activity (this is
a particularly useful technique when a broad interrogation of a particular activity is