ISO/TR 15801:2004

TECHNICAL ISO/TR
REPORT 15801
First edition
2004-02-01

Electronic imaging — Information stored
electronically — Recommendations for
trustworthiness and reliability
Images électroniques — Stockage électronique d'informations —
Recommandations pour les informations de valeur et leur fiabilité




Reference number
ISO/TR 15801:2004(E)
©
ISO 2004

---------------------- Page: 1 ----------------------
ISO/TR 15801:2004(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2004 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/TR 15801:2004(E)
Contents Page
Foreword. vi
Introduction . vii
1 Scope. 1
2 Normative references. 1
3 Terms and definitions. 2
4 Information management policy. 2
4.1 General. 2
4.2 Information Management Policy Document. 2
4.2.1 Contents. 2
4.2.2 Information covered. 3
4.2.3 Storage media. 3
4.2.4 Image file formats . 3
4.2.5 Standards related to information management . 4
4.2.6 Retention schedule. 4
4.2.7 Information management responsibilities. 4
4.2.8 Compliance with policy . 4
5 Duty of care. 4
5.1 General. 4
5.1.1 Controls. 4
5.1.2 Separation of roles. 5
5.2 Information security management . 5
5.2.1 Information Security Policy. 5
5.2.2 Risk assessment. 6
5.2.3 Information security infrastructure . 6
5.3 Business continuity planning. 7
5.4 Consultations. 7
6 Procedures and processes . 8
6.1 General. 8
6.2 Procedures Manual. 8
6.2.1 Documentation. 8
6.2.2 Content. 8
6.2.3 Compliance with procedures. 9
6.2.4 Updating and reviews. 9
6.3 Document image capture . 9
6.4 Document scanning procedures . 10
6.4.1 General. 10
6.4.2 Preparation of paper documents. 10
6.4.3 Document batching. 11
6.4.4 Photocopying. 11
6.4.5 Scanning processes. 12
6.4.6 Quality control. 13
6.4.7 Rescanning. 15
6.4.8 Image processing. 15
6.5 Data capture. 15
6.5.1 New data. 15
6.5.2 Migration. 16
6.6 Indexing. 16
6.6.1 General. 16
6.6.2 Manual indexing. 16
© ISO 2004 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/TR 15801:2004(E)
6.6.3 Automatic indexing.16
6.6.4 Index storage.16
6.6.5 Index amendments.17
6.6.6 Index accuracy.17
6.7 Authenticated output procedures.17
6.8 File transmission.18
6.8.1 Intra-system data file transfer .18
6.8.2 External transmission of files .18
6.9 Document retention.19
6.10 Information destruction.20
6.11 Backup and system recovery.20
6.12 System maintenance.21
6.12.1 General.21
6.12.2 Scanning systems.21
6.13 Security and protection .21
6.13.1 Security procedures.21
6.13.2 Encryption keys and digital signatures .22
6.14 Use of contracted services.22
6.14.1 General.22
6.14.2 Procedural considerations.23
6.14.3 Transportation of documents .24
6.14.4 Use of trusted remote archives.24
6.15 Workflow.24
6.16 Date and time stamps .25
6.17 Version control.25
6.17.1 Information.25
6.17.2 Documentation.25
6.17.3 Procedures and processes .26
6.18 Maintenance of documentation .26
7 Enabling technologies.26
7.1 General.26
7.2 System Description Manual .27
7.3 Storage media and sub-system considerations .27
7.4 Access levels.28
7.5 System integrity checks .28
7.5.1 General.28
7.5.2 Digital and electronic signatures (including biometric signatures).29
7.6 Image processing.29
7.7 Compression techniques.30
7.8 Form overlays and form removal.31
7.9 Environmental considerations.31
7.10 Migration.32
7.11 Information deletion and/or expungement .32
8 Audit trails.32
8.1 General.32
8.1.1 Audit trail data .32
8.1.2 Creation.33
8.1.3 Date and time .33
8.1.4 Storage.34
8.1.5 Access.34
8.1.6 Security and protection .34
8.2 System.35
8.2.1 General.35
8.2.2 Audit trail information.35
8.2.3 Migration and conversion.35
8.3 Stored information.35
8.3.1 General.35
8.3.2 Information capture.36
8.3.3 Batch information.37
iv © ISO 2004 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/TR 15801:2004(E)
8.3.4 Indexing. 37
8.3.5 Change control. 38
8.3.6 Digital signatures. 38
8.3.7 Destruction of information. 38
8.3.8 Workflow. 38
Bibliography . 39

© ISO 2004 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/TR 15801:2004(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that
which is normally published as an International Standard (“state of the art”, for example), it may decide by a
simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely
informative in nature and does not have to be reviewed until the data it provides are considered to be no
longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 15801 was prepared by Technical Committee ISO/TC 171, Document management applications,
Subcommittee SC 3, General issues.
vi © ISO 2004 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/TR 15801:2004(E)
Introduction
Increasingly, information that has been created, captured and stored electronically is used as evidence of
business activities. Such evidence might be required in contract discussions, or in courts of law. This
Technical Report defines recommended practices for electronic storage of business or other information in
image form. As such, complying with its recommendations is of value to organizations even when the
trustworthiness of the stored information is not being challenged.
Users of this Technical Report should be aware that the implementation of these recommendations does not
automatically ensure acceptability of the evidence encapsulated by the information. Where stored electronic
information may be required in court, implementers of this Technical Report are advised to seek legal advice
to ascertain the precise situation within their relevant legal environment.
This Technical Report describes means by which it may be demonstrated, at any time, that the contents of a
specific electronic image file created or existing within a computer system have not changed since it was
created within the system or imported into it. Where such a data file contains a digitized image of a physical
source document, it will be possible to demonstrate that the digitized image is a true facsimile of that source
document. The issue being addressed is essentially one of authentication.
Other versions of the information may legitimately develop; e.g. revision of a contract. In these cases the new
versions are treated as new image files.
The same principle can be applied when a significant change is made to a document in a workflow
environment.
This Technical Report describes procedures whereby an electronic copy may be demonstrated to be a true
copy of the original, whether that original was itself an electronic data file or a physical source document.
The recommendations in this Technical Report are a mixture of items that are broad and general and items
that are specific and detailed. Readers are advised to use this Technical Report in conjunction with other local
sources, particularly with relevance to governmental and legal requirements in their respective jurisdictions.
Organizations that implement most of the recommendations described in this Technical Report will be in a
good position to be able to demonstrate authenticity. However, there may be good economic reasons where a
particular recommendation is not implemented. In such situations, the risk taken by such non-implementation
decisions should be assessed.

© ISO 2004 – All rights reserved vii

---------------------- Page: 7 ----------------------
TECHNICAL REPORT ISO/TR 15801:2004(E)

Electronic imaging — Information stored electronically —
Recommendations for trustworthiness and reliability
1 Scope
This Technical Report describes the implementation and operation of information management systems which
store information electronically and where the issues of trustworthiness, reliability, authenticity and integrity
are important. The whole life cycle of a stored electronic document is covered, from initial capture to eventual
destruction.
This Technical Report is for use with any information management system, including traditional document
imaging, workflow and COLD/ERM technologies, and using any type of electronic storage medium including
WORM and rewritable technologies.
Image files may potentially contain any type of data: for example, correspondence, forms, drawings. This
Technical Report covers all such image files, whether created and/or imported directly or through a network,
from the time at which the system assumes control of the image file.
This Technical Report does not cover processes used to evaluate the authenticity of information prior to it
being stored or imported into the system. However, it can be used to demonstrate that output from the system
is a true reproduction of the original document.
Where in this document the term system is used, it should be taken as meaning the information management
system that is being reviewed, unless otherwise stated.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 9000 (all parts), Quality management and quality assurance standards
ISO/TR 12037:1998, Electronic imaging — Recommendations for the expungement of information recorded
on write-once optical media
ISO 12651:1999, Electronic imaging — Vocabulary
ISO 12653-2:2000, Electronic imaging — Test target for the black-and-white scanning of office documents —
Part 2: Method of use
© ISO 2004 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO/TR 15801:2004(E)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 12651 and the following apply.
3.1
information type
groups of related documents
NOTE In specific applications, “groups” may be identified as “sets”, “files”, “collections” or other similar terms.
EXAMPLES Invoices, financial document, data sheets, correspondence.
4 Information management policy
4.1 General
Information is one of the most important assets that any organization has at its disposal. Everything an
organization does involves using information in some way. The quantity of information can be vast, and there
are many different ways of representing and storing it. The value of information used and the manner in which
it is applied and moved within and between organizations may determine the success or failure of those
organizations.
Information, like any other asset, needs to be classified, structured, validated, valued, secured, monitored,
measured and managed efficiently and effectively.
This clause describes documentation that states the organization’s information management policy.
Availability of this documentation will demonstrate that information management is part of normal business
procedures.
Where a system stores records, compliance with ISO 15489 should be considered. Such compliance will
ensure that many of the elements of this Technical Report will be implemented. Where a system stores
information that may be used as evidence in court, your legal advisors should be consulted (see 5.4) to
ensure that you comply with relevant legal or regulatory requirements. As legal and regulatory requirements
vary from country to country (and sometimes within a country), the legal advice you obtain should cover all
relevant jurisdictions.
4.2 Information Management Policy Document
4.2.1 Contents
An Information Management Policy Document (the Policy Document) should be produced, documenting the
organization’s policy on information management and storage, as applicable to the information management
system.
The Policy Document should contain sections which:
 specify what information is covered (see 4.2.2);
 state policy regarding storage media (see 4.2.3);
 state policy regarding image file formats and version control (see 4.2.4);
 state policy regarding relevant information management standards (see 4.2.5);
 define retention and destruction policies (see 4.2.6);
 define responsibilities for information management functions (see 4.2.7);
 define responsibilities for monitoring compliance with this policy (see 4.2.8).
2 © ISO 2004 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/TR 15801:2004(E)
The Policy Document should be approved by senior management of the organization, and should be reviewed
at regular intervals.
Essential to this Technical Report is the agreement and implementation of a Retention Schedule for stored
information. Where reference is made to the Policy Document in the rest of this Technical Report, the
Retention Schedule is included in such a reference.
4.2.2 Information covered
In order to define the organization’s information management policy, information should be grouped into types,
the p
...