ISO/TR 15489-2 Information and management -- records management -- part 2: guidelines
I reviewed the first part a few days ago. Let's take a look at the second part:
So this TR is an implementation guide.
- We start out with policies and responsibilities. We have to develop policy statements and articulate responsibilities.
- We need to involve senior management, RM professionals, business unit managers, designated staff, and -- ultimately -- all staff.
- Preliminary investigation
- Analysis of business activities:
    - Documentation describing the org's business and business processes
    - Business classification scheme (functions, activities, transactions)
    - Map of the org's processes showing where records are produced
    - Possible tools include a thesaurus of terms and a disposition authority that defines retention periods and disposition actions
- Identification of requirements for records:
    - A list of all sources containing records requirements relevant to the org
    - A list of regulatory, business, and general community requirements to keep records
    - Risk assessment report endorsed by management
    - Formal document that sets out the requirements to keep records
- Assessment of existing systems
    - Inventory of existing business systems
    - Report on the extent to which they address the org's requirements for records
- Identification of strategies for satisfying records requirements. The choice of strategy depends on:
    - Nature of the org, including goals and history
    - Types of business activities
    - Way it conducts business activities
    - Supporting technology environment
    - Prevailing corporate culture
    - External constraints
    - Strategies may include:
        - Adopting policies and procedures
        - Developing standards
        - Designing new system components
        - Implementing systems
    - Products may include:
        - List of strategies
        - Model that maps strategies to requirements
        - Report for senior management recommending an overall design strategy
- Design of a records system:
    - Designing changes to current systems, processes, and practices
    - Adapting or integrating technology solutions
    - Determining how to incorporate these changes
    - Products might include:
        - Design project plans, tasks, responsibilities, etc.
        - Reports detailing the outcomes of periodic design reviews
        - Documentation of requirements changes, signed off
        - Design descriptions
        - System business rules
        - System specs
        - Diagrams of architectures and components
        - Models representing views: processes, data flows, data entities
        - Specs to build or acquire technology components
        - Integration plans
        - Training and testing plans
        - System implementation plans
- Implementation of a records system:
    - Detailed project plan
    - Documented policies, procedures, and standards
    - Training materials
    - Documentation of the conversion process and ongoing migration procedures
    - Documentation for quality systems accreditation
    - Performance reports
    - Reports to management
- Post-implementation review:
    - Analysis to determine if records have been created and organized
    - Interviews with stakeholders
    - Surveys
    - Examining documentation developed during earlier phases
    - Observing/checking operations
    - Deliverables:
        - Assessment methodology
        - Audit of the performance of the system and process
        - Report to management with findings and recommendations
- Necessary instruments:
    - Classification scheme based on business activities
    - Records disposition authority
    - Security and access classification scheme
- Other tools:
    - Thesaurus
    - Glossary
    - Regulatory framework analysis
    - Business risk analysis
    - Organizational delegation authority
    - Register of employees and system user permissions
Section 4.2.2 looks interesting: Business activity classification.
As I've noted at length before, this is actually very hard to do.
- The first level reflects the business function
- Second level is the activities
- Third level is really activity refinements or groups of transactions
- The first two levels are typically prefaced with a verb; the third, maybe not.
- Development has to be consistent with thesaurus principles:
    - Terminology from business functions, not org units
    - Specific to the org
    - Consistent and standard
    - Hierarchical
    - Unambiguous
    - Discrete groupings
    - Developed in conjunction with records creators
    - Maintained to reflect business changes
- We get into authorized headings, thesaurus construction as per ISO 2788
- There are some guidelines on how to determine the disposition authority
- Security. Typical restrictions pertain to:
    - Personal information/privacy
    - Intellectual property rights/commercial confidentiality
    - Security of property (physical, financial)
    - State security
    - Legal and professional privileges
- To develop the access classification:
    - Identify legally enforceable rights and restrictions
    - Identify areas of risk of breach of privacy
    - Identify security issues
    - Rank the areas of risk of breach of security according to value and likelihood
    - Map the identified areas of risk and security to business activities
    - Identify appropriate levels of restriction, from the areas of highest risk to the lowest
    - Link the restrictions to the thesaurus or activity classification system
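The access classification steps above, worked through in code. This is an added illustration, not text or code from ISO/TR 15489-2: the risk areas, the 1..5 value and likelihood scales, the restriction labels and their score thresholds, and the three-level classification paths are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RiskArea:
    name: str        # e.g. personal information / privacy
    value: int       # impact if breached, 1 (low) .. 5 (high)
    likelihood: int  # chance of breach, 1 (rare) .. 5 (frequent)

    @property
    def score(self) -> int:
        return self.value * self.likelihood

@dataclass
class Activity:
    path: tuple  # (function, activity, transaction) from the classification scheme
    risks: list = field(default_factory=list)

# Restriction level per minimum score, most restrictive first (assumed labels/thresholds)
LEVELS = ((16, "restricted"), (9, "confidential"), (4, "internal"), (0, "open"))

def rank_risks(risks):
    """Rank risk areas by value x likelihood, highest risk first."""
    return sorted(risks, key=lambda r: (r.score, r.value), reverse=True)

def restriction_level(score: int) -> str:
    """Map a score (0..25) onto the first level whose threshold it reaches."""
    return next(label for floor, label in LEVELS if score >= floor)

def classify(activities):
    """Each activity takes the level of its highest-ranked risk area; the result
    is keyed by the classification path so it can be linked to the thesaurus."""
    scheme = {}
    for act in activities:
        ranked = rank_risks(act.risks)
        top = ranked[0] if ranked else None
        scheme["/".join(act.path)] = {
            "level": restriction_level(top.score if top else 0),
            "driver": top.name if top else None,
        }
    return scheme

# Constructed sample data, not drawn from the standard
PRIVACY = RiskArea("personal information", value=5, likelihood=4)       # score 20
CONFID = RiskArea("commercial confidentiality", value=4, likelihood=2)  # score 8
PROPERTY = RiskArea("financial property", value=3, likelihood=2)        # score 6
SAMPLE = [
    Activity(("manage staff", "recruit", "interview candidates"), [CONFID, PRIVACY]),
    Activity(("manage finance", "pay suppliers", "approve invoice"), [PROPERTY]),
    Activity(("manage facilities", "publish notices", "post notice")),
]
```

Running `classify(SAMPLE)` gives one entry per classification path, so an activity with no identified risk area falls through to the least restrictive level rather than being left unclassified.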
- Section 4.3 is records management processes:
    - Capture
    - Registration
    - Classification
    - Access and security classification
    - Identification of disposition status
    - Storage
    - Use and tracking
    - Implementation of disposition
- Description depends on scope. For example, individual documents only have to be described by the individual; a business unit only needs details relevant to that business unit; records in the public domain require good references as per ISO 690… who knew there was an ISO standard for bibliographic references?
- Registration must include:
    - Unique ID
    - Date and time of registration
    - Title or abbreviated description
    - Author, sender, or recipient
- Registration could include:
    - Document name or title
    - Text description/abstract
    - Date of creation
    - Date and time of communication and receipt
    - Incoming, outgoing, or internal
    - Author (with affiliation)
    - Sender (with affiliation)
    - Recipient (with affiliation)
    - Physical form
    - Classification
    - Links to related records
    - Business system from which the record was captured
    - Application software and version at capture
    - Standard for the record's structure (SGML, XML, etc.)
    - Templates required for interpretation
    - Access
    - Retention period
    - Structural/contextual information for management
- Classification:
    - Identify the transaction/business activity
    - Ensure that it is appropriate given the business unit, etc.
- Indexing terms:
    - Format/nature of the record
    - Title or main heading
    - Subject content of the record (business activity)
    - Abstract of the record
    - Data associated with transactions
    - Names of clients or organizations
    - Handling or processing requirements
    - Attached documents not otherwise identified
    - Uses of records
- Access/security:
    - Identify the business process
    - Identify the owning business unit
    - Security classification
- Storage and handling considerations:
    - Volume and growth rate of records
    - Use of records
    - Records security and sensitivity
    - Physical characteristics
    - Retrieval requirements
    - Cost of storage options
    - Access needs
- Continuing retention: copying, conversion, migration
- Transfer considerations.
- Evidential weight: "if the integrity of a record is called into doubt in court by suggestions of tampering, incompetence, improper system functionality or malfunction, the evidential weight or value put on the document by the court may be lost or, at least, reduced, to the detriment of the case."
- Training methods:
    - Employee orientation and documentation
    - Classroom training
    - On-the-job training and coaching
    - Briefing sessions
    - Leaflets and booklets providing how-tos
    - Computer-based presentations
    - Help text in the computer system
    - Training courses provided by educational institutions