Information and documentation -- Risk assessment for records processes and systems

ISO/TR 18128:2014 intends to assist organizations in assessing risks to records processes and systems so they can ensure records continue to meet identified business needs as long as required. ISO/TR 18128:2014: a) establishes a method of analysis for identifying risks related to records processes and systems, b) provides a method of analysing the potential effects of adverse events on records processes and systems, c) provides guidelines for conducting an assessment of risks related to records processes and systems, and d) provides guidelines for documenting identified and assessed risks in preparation for mitigation. ISO/TR 18128:2014 can be used by all organizations regardless of size, nature of their activities, or complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates which prescribes the creation and control of its records, are taken into account when identifying and assessing risk related to records and records systems. ISO/TR 18128:2014 can be used by records professionals or people who have responsibility for records in their organizations and by auditors or managers who have responsibility for risk management programs in their organizations.

Information et documentation -- Evaluation du risque pour les processus et systèmes d'enregistrement (French title)

ISO/TR 18128:2014 is intended to help organizations assess the risks to records processes and systems so that they can ensure that records meet identified business needs for as long as necessary. ISO/TR 18128:2014 a) establishes a method of analysis for identifying risks related to records processes and systems, b) provides a method for analysing the potential effects of adverse events on records processes and systems, c) provides guidelines for conducting an assessment of risks related to records processes and systems, and d) provides guidelines for documenting identified and assessed risks in preparation for mitigation measures. ISO/TR 18128:2014 can be used by all organizations, whatever their size, the nature of their activities or the complexity of their functions and structure. These factors, together with the regulatory regime in which the organization operates and which prescribes the creation and control of its records, are taken into account when identifying and assessing risks related to records and records systems. ISO/TR 18128:2014 can be used by records management professionals or by persons responsible for records in their organization, as well as by auditors or managers responsible for risk management programmes in their organization.

Informatika in dokumentacija - Ocena tveganja za postopke procesov in sisteme vodenja zapisov (Slovenian title)

This Technical Report is intended to support organizations in assessing risks to records processes and systems so that they can ensure that records remain adequate for identified business needs.
The report
a) establishes a method of analysis by which risks related to records processes and systems are identified,
b) establishes a method for analysing the potential effects of adverse events on records processes and systems,
c) provides guidelines for carrying out an assessment of risks related to records processes and systems, and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
This Technical Report does not address the general risks to an organization's operations which can be mitigated by creating records.
This Technical Report can be used by all organizations, regardless of size, the nature of their activities or the complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates and which prescribes the creation and control of records, are taken into account when identifying and assessing risks related to records processes and systems.
Defining an organization or identifying its boundaries must take into account complex structures and partnerships, as well as contractual arrangements for outsourced services and supply chains, which are common features of contemporary government bodies and business entities. Identifying the boundaries of the organization is the first step in defining the scope of a records-related risk assessment project.
This Technical Report does not directly address risk mitigation, since the methods for it differ from organization to organization.
The Technical Report can be used by records professionals or persons responsible for records in their organizations, and by auditors or managers responsible for risk management programmes in their organizations.

General Information

Status: Published
Publication Date: 02-Mar-2014
Current Stage: 6060 - International Standard published
Start Date: 04-Feb-2014
Completion Date: 03-Mar-2014

Buy Standard

Technical report: ISO/TR 18128:2014 - Information and documentation -- Risk assessment for records processes and systems (English language, 37 pages)
Technical report: -TP ISO/TR 18128:2018 (English language, 43 pages; listing note: colours on PDF page 12)
Technical report: ISO/TR 18128:2014 - Information et documentation -- Evaluation du risque pour les processus et systemes d'enregistrement (French language, 47 pages)

Standards Content (sample)

TECHNICAL REPORT ISO/TR 18128
First edition 2014-03-15
Information and documentation — Risk assessment for records processes and systems
Information et documentation — Evaluation du risque pour les processus et systèmes d’enregistrement
Reference number ISO/TR 18128:2014(E)
© ISO 2014
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
© ISO 2014 – All rights reserved
Contents (page numbers refer to the printed edition)

Foreword (iv)
Introduction (v)
1 Scope (1)
2 Normative references (1)
3 Terms and definitions (2)
3.1 Terms specific to risk (2)
3.2 Terms specific to records (2)
4 Risk assessment criteria for the organization (2)
4.1 Assessment of risk (2)
4.2 Risk criteria (3)
4.3 Assignment of priority (3)
5 Risk identification (3)
5.1 General (3)
5.2 Context: External factors (5)
5.3 Context: Internal factors (6)
5.4 Records systems (8)
5.5 Records processes (11)
6 Analysing identified risks (12)
6.1 General (12)
6.2 Likelihood analysis and probability estimation (13)
7 Evaluating risks (15)
7.1 General (15)
7.2 Evaluating impact of adverse events (16)
7.3 Evaluating the risk (16)
8 Communicating the identified risks (17)
Annex A (informative) Example of a documented risk entry in a risk register (19)
Annex B (informative) Example: checklists for identifying areas of uncertainty (20)
Annex C (informative) Guide to using controls from ISO/IEC 27001, Annex A (27)
Bibliography (37)

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/TC 46, Information and documentation, Subcommittee SC 11, Archives/records management.

Introduction

All organizations identify and manage the risks to their successful functioning. Identifying and managing the risks to records processes and systems is the responsibility of the organization’s records professional.

This Technical Report is intended to help records professionals and people who have responsibility for records in their organization to assess the risks related to records processes and systems.

NOTE System means any business application which creates and stores records.

This is distinct from the task of identifying and assessing the organization’s business risks, to which creating and keeping adequate records is one strategic response. The decisions to create or not create records in response to general business risk are business decisions which should be informed by the analysis of the organization’s records requirements undertaken by records professionals together with business managers. The premise of this Technical Report is that the organization has created records of its business activities to meet operational and other purposes and has established at least minimal mechanisms for the systematic management and control of the records.

The consequence of risk events to records processes and systems is the loss of, or damage to, records which are therefore no longer useable, reliable, authentic, complete, or unaltered, and therefore can fail to meet the organization’s purposes.

The Technical Report provides guidance and examples based on the general risk management process established in ISO 31000 (see Figure 1) to apply to risks related to records processes and systems. It covers
a) risk identification,
b) risk analysis, and
c) risk evaluation.

The results of the analysis of risk to records processes and systems should be incorporated into the organization’s general risk management framework. As a result, the organization will have better control of its records and their quality for business purposes.

Clause 5 provides a comprehensive list of areas of uncertainty related to records processes and systems as a guide for risk identification.

Clause 6 provides guidance on determining the consequences and probabilities of identified risk events, taking into account the presence (or not) and the effectiveness of any existing controls.

Clause 7 provides guidance on determining the significance of the level and type of risks identified.

The report does not deal with risk treatment. Once the assessment of risks related to records processes and systems has been completed, the assessed risks are documented and communicated to the organization’s risk management section. Response to the assessed risks is undertaken as part of the organization’s overall risk management program. The priority assigned by the records professional to the assessed risks is provided to inform the organization’s decisions about managing those risks.

Figure 1 — Risk Management process
NOTE Figure 1 from ISO 31000:2009. Numbering refers to text of ISO 31000.

Information and documentation — Risk assessment for records processes and systems

1 Scope

This Technical Report intends to assist organizations in assessing risks to records processes and systems so they can ensure records continue to meet identified business needs as long as required.

The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems, and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.

This Technical Report does not address the general risks to an organization’s operations which can be mitigated by creating records.

This Technical Report can be used by all organizations regardless of size, nature of their activities, or complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates which prescribes the creation and control of its records, are taken into account when identifying and assessing risk related to records and records systems.

Defining an organization or identifying its boundaries should take into account the complex structures and partnerships and contractual arrangements for outsourcing services and supply chains which are a common feature of contemporary government and corporate entities. Identifying the boundaries of the organization is the initial step in defining the scope of the project of risk assessment related to records.

This Technical Report does not address directly the mitigation of risks as methods for these will vary from organization to organization.

The Technical Report can be used by records professionals or people who have responsibility for records in their organizations and by auditors or managers who have responsibility for risk management programs in their organizations.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 30300:2011, Information and documentation — Management systems for records — Fundamentals and vocabulary
ISO Guide 73:2009, Risk management — Vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 30300, ISO Guide 73 and the following apply.

3.1 Terms specific to risk

3.1.1
risk
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73:2009, 3.5.1.3) and consequences (ISO Guide 73:2009, 3.6.1.3) or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (ISO Guide 73, 3.6.1.1) of occurrence.

[SOURCE: ISO Guide 73:2009, definition 1.1]

3.2 Terms specific to records

3.2.1
records system
information system which captures, manages, and provides access to records through time

Note 1 to entry: This can include business applications or systems which create and maintain records.

[SOURCE: ISO 30300:2011, definition 3.4.4]

3.2.2
records processes
sets of activities by which records are created, controlled, used, kept and disposed of by the organization

4 Risk assessment criteria for the organization

4.1 Assessment of risk

Assessing risks for records processes and systems should be included, where it exists, in the organization’s general risk management process. In this case, records professionals should take into account the organization’s external and internal context and the context of the risk management process itself, including the following:

a) Roles and responsibilities: The role of records professionals in the assessment of risk related to records processes and systems should be specified.
b) Extent and scope of the risk assessment activities: Relationships with other risk assessment areas, such as information security, should be made explicit to avoid redundancy and conflicts and enable an integrated approach to risk assessment which includes records.
c) Methodology: The standard risk assessment methodology should be applied using the available risk assessment tools and reporting to the designated area or person.
d) Risk criteria: Where general risk criteria for the organization are established, risks related to records processes and systems should be assessed using these criteria.

Where the organization has not established a general risk management process, records professionals need to establish the risk criteria applying to records processes and systems prior to the assessment process.

4.2 Risk criteria

Criteria should be based on the legal requirements for the organization’s jurisdiction and should include the following:

a) the nature and types of consequences to be included and how they will be measured;
b) the way in which probabilities are to be expressed;
c) how a level of risk will be determined;
d) the criteria by which it will be decided when a risk needs treatment;
e) the criteria for deciding when a risk is acceptable and/or tolerable;
f) whether and how combinations of risks will be taken into account.

Regarding the nature and types of consequences to be included in the risk assessment of records processes and systems, there is a general starting point which applies to all organizations. Records which are authentic, reliable, have integrity, and are useable for as long as they are required will support the needs of the organization. Risks are identified based on their potential to undermine those general characteristics of records which would make them fail to meet the purposes for which they are created.

For discussion of probability and frequency of events in risk assessment, see 6.2.

Criteria for evaluating risks, including the criteria by which it will be decided when a risk is acceptable or needs treatment, include the size and reach of the records systems in the organization, the number of users, and the use made of the system in the operations of the organization.

Similarly, criteria for evaluating risks affecting records processes should include the frequency of the process, how many systems it is used in, its relative importance in creating or managing records, the tracking of processes, and the potential for reversing or remedying adverse effects.

4.3 Assignment of priority

Generally, the organization shall determine which records are the core records of its operations and the level of significance attached to them. These are business decisions based on the advice of both records professionals and the business managers.

The priority assigned to individual records, their aggregations, records processes, or specific records systems can also be assessed in relation to responses to major disasters affecting all or many business operations. For example, first, certain records are needed in the immediate aftermath of a natural disaster, such as security contacts’ addresses and phone numbers, building/facility entry records, contact details of disaster plan response teams, and insurance contacts and policy details. Second, the organization’s business continuity planning should identify the functions which need to be restored first and the records needed to do so.

Special attention should be paid to where a combination of risks applies to records identified as core operational.
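As an added worked example (not part of ISO/TR 18128 and not any organization's actual criteria), the following Python sketch applies the risk criteria of 4.2 a) to f) and the priority rule of 4.3 to a small constructed records risk register. The five-step likelihood scale, the 1 to 5 consequence scale per records characteristic, the level formula, the accept/treat thresholds and the sample risks are all assumptions; the TR deliberately leaves those choices to the organization's own risk criteria. The one point the code makes that the text only states is how 4.2 f) and 4.3 interact: two individually tolerable risks on a core records aggregation are escalated, while the same two risks on non-core records are not.

```python
"""Added example, not part of ISO/TR 18128: a minimal records risk register that
applies the risk criteria of 4.2 and the priority rule of 4.3.

Everything numeric here is an assumption the TR leaves to the organization:
a 1..5 likelihood scale, a 1..5 consequence scale per records characteristic,
level = likelihood x worst consequence, and the accept/treat thresholds."""
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    """4.2 b): the way probabilities are expressed (assumed five-step scale)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


# 4.2 a): consequences are measured as loss of the characteristics that make
# records fit for purpose (4.2: authentic, reliable, integrity, useable).
CHARACTERISTICS = ("authenticity", "reliability", "integrity", "usability")

# 4.2 d) and e): thresholds on the 1..25 level scale (assumed values).
ACCEPT_BELOW = 6    # level < 6   -> acceptable, record and review
TREAT_FROM = 12     # level >= 12 -> needs treatment


@dataclass
class Risk:
    risk_id: str
    description: str
    source: str          # Clause 5 checklist item under which it was found
    likelihood: Likelihood
    consequence: dict    # characteristic -> severity 1..5 (absent = 0)
    affects: frozenset   # records systems / aggregations affected

    def level(self) -> int:
        """4.2 c): level = likelihood x worst consequence (assumed rule)."""
        worst = max((self.consequence.get(c, 0) for c in CHARACTERISTICS), default=0)
        if not 0 <= worst <= 5:
            raise ValueError(f"{self.risk_id}: consequence must be 0..5")
        return int(self.likelihood) * worst

    def rating(self) -> str:
        """4.2 d)/e): decide whether the risk is acceptable or needs treatment."""
        lvl = self.level()
        if lvl >= TREAT_FROM:
            return "treat"
        if lvl >= ACCEPT_BELOW:
            return "monitor"
        return "accept"


PRIORITY = ("low", "medium", "high", "critical")
_BASE = {"accept": 0, "monitor": 1, "treat": 2}


def assign_priority(register, core_records):
    """4.3 with 4.2 f): priority per records aggregation.

    Core records get one step above the worst single risk rating; a combination
    of two or more non-accepted risks on a core aggregation goes to 'critical',
    the 'special attention' 4.3 asks for. Returns {aggregation: priority}."""
    by_agg = {}
    for risk in register:
        for agg in risk.affects:
            by_agg.setdefault(agg, []).append(risk)
    out = {}
    for agg, risks in by_agg.items():
        idx = max(_BASE[r.rating()] for r in risks)
        active = sum(1 for r in risks if r.rating() != "accept")
        if agg in core_records:
            idx = min(idx + 1, len(PRIORITY) - 1)
            if active >= 2:
                idx = len(PRIORITY) - 1
        out[agg] = PRIORITY[idx]
    return out


# Constructed sample register; descriptions map to items in 5.2, values are made up.
REGISTER = [
    Risk("R1", "External intrusion alters contract records", "5.2.4 a)",
         Likelihood.POSSIBLE, {"integrity": 5, "authenticity": 4},
         frozenset({"contracts-edrms"})),
    Risk("R2", "Unpatched EDRMS exploited, changes not monitored", "5.2.4 b)",
         Likelihood.LIKELY, {"integrity": 4, "reliability": 3},
         frozenset({"contracts-edrms"})),
    Risk("R3", "Flood at off-site paper store", "5.2.3 a)",
         Likelihood.RARE, {"usability": 5}, frozenset({"paper-archive"})),
    Risk("R4", "Shift in stakeholder expectations on access", "5.2.1 e)",
         Likelihood.POSSIBLE, {"usability": 1}, frozenset({"public-web"})),
]
CORE_RECORDS = {"contracts-edrms"}   # 4.3: core records, a business decision


def register_rows(register=REGISTER, core=CORE_RECORDS):
    """Rows for a risk register (cf. Annex A): one per risk, with the priority
    of each affected aggregation."""
    prio = assign_priority(register, core)
    return [(r.risk_id, r.source, r.level(), r.rating(),
             {a: prio[a] for a in sorted(r.affects)}) for r in register]


if __name__ == "__main__":
    for row in register_rows():
        print(row)
```

Run as a script it prints one row per risk; R3 rates "accept" on its own (rare, but total loss of usability), which is exactly the kind of entry 4.3 says still deserves a look if the paper archive were declared core.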
5 Risk identification

5.1 General

Identification of risks is structured under the following categories: context, systems, and processes involved in creating and controlling the records of the organization.

The external context of the organization refers to the political and societal, the macro-economic and technological, and the physical and environmental factors beyond its control, which have an impact on its operations and are taken into account when determining its records requirements. The external context includes the external stakeholders, who or which have a particular interest in the organization’s operations.

The organization also has an internal context which is the internal factors not controlled by the records professional(s) responsible for the records processes and systems. The internal context includes factors such as the structure and finances of the organization, the technology it deploys, the resourcing of activities (people and budgets), and the organization’s culture, all of which influence the policies and practices for managing records.

Potential events with uncertain effects can be external or internal to the organization.

Uncertain effects caused by change in the external context can differ according to the perspective of the different levels of the organization (see Figure 2). It is also recognized that all change presents opportunities which can be positive in effect.

Figure 2 — The multiple layers of context of an organization’s records and records processes

The purpose of risk identification is to identify what can happen or what situations can exist that could affect the capacity of records to support the needs of the organization.

The risk identification process includes identifying the causes and source of the risk, events, situations, or circumstances which could have a material impact upon the organization’s objectives and the nature of that impact. There are numerous methods for risk identification. See IEC 31010, Annex B for a comparison of major methods.

Identified risks should be documented in a risk register, either in one specific to records or in the organization’s risk register. See the example given in Annex A.

NOTE Annex B is an example of a checklist based on the structure of Clause 5 which can be used in an organization to identify risks to records processes and systems systematically.

5.2 Context: External factors

5.2.1 Areas of uncertainty: Changes in political-societal context

Changes in the political and societal climate, nationally and internationally, can affect public attitudes to governments’ and corporate behaviour. This can bring about legal and regulatory change, which impacts the organization’s operations and, consequently, its records requirements.

Examples of areas of changing public attitudes which can affect records requirements are national security, access to government and corporate information, privacy, intellectual property rights, and corporate reporting responsibilities. More generally, examples of areas of uncertainty include the following:

a) legal and regulatory changes affecting the organization’s records requirements;
b) changes in government policies affecting the organization’s records, records processes, and systems;
c) new standards or codes of practice that affect the organization’s records, records processes, and systems;
d) changing demand for records services;
e) changing stakeholders’ expectations;
f) changes to reputation of, or trust in, the organization’s ability to deliver its services.

5.2.2 Areas of uncertainty: Macro-economic and technological environment

Changes in the macro-economic, business, and industrial environment and in information technology have a high impact on competition and customer demand. Change can be gradual and continuous, or punctuated by crises, but also constitutes an area of uncertainty which can offer positive opportunities.

Examples of areas of uncertainty arising from such changes to the macro-economic and business environment include the following:

a) changes in ownership and/or revenues of the organization which affect management priorities including managing records;
b) changes in the objectives, functions, and operations of the organization, changing records requirements;
c) increased activity from regulators, increasing external demands for records;
d) increased litigation, increasing demands for records;
e) introduction and adoption of new technologies across society;

EXAMPLES Spread of social media to business use; use of mobile computing devices for business.

f) changes in the market or client base of the organization.

These changes will be reflected in organizational changes which are discussed below (see 5.3.1).

5.2.3 Areas of uncertainty: Physical environment and infrastructure

The possibility of large-scale, natural or man-made disasters affecting the general operations of the organization is a major area of uncertainty requiring identification and assessment. The potential damage of such disasters includes the direct impact on the records and their storage and the less direct impact of loss of services upon which the organization depends, for example, water and power supply and other services. Areas of uncertainty include the following:

a) regional or local destructive or disruptive environmental phenomena such as earthquake, hurricane/cyclone, tsunami, flood, fire, major storms, or prolonged drought;
b) the potential for acts of war or terrorism to cause major structural damage or disruption to service supply to premises or vicinity of the organization;
c) other disruption to the organization’s power, water, waste management, information technology, transport services, or other core utilities and services.

5.2.4 Areas of uncertainty: External security threats

Risk identification shall include hostile external security threats with the potential impacts ranging from damage to premises or service supply to unauthorised access to systems including records systems.

Examples of external security threats include the following:

a) unauthorised external intrusion/access into records systems and unauthorised changes to records;
b) unidentified security compromise or exploitation of vulnerability that is not monitored and leads to information degradation;

EXAMPLE Use of spyware or malware and vulnerability from unpatched software security breaches or weaknesses.

c) physical intrusion into records storage or IT hardware space;
d) denial of services or other intentional attack on Internet services;
e) physical vandalism;
f) loss of third-party services on which the records systems are dependent.

NOTE Risk assessment is an integral element of the implementation of the ISO/IEC 27000 series of International Standards for information security. They provide extensive coverage of areas of uncertainty related to information security.

5.3 Context: Internal factors
5.3.1 Areas of uncertainty: Organizational change

Management decisions affecting the organization such as amalgamations, take-overs, and other acquisitions, restructuring, downsizing, outsourcing, or the reverse, off-shoring of services constitute a significant area of uncertainty in the internal context of the organization. These decisions will affect the records processes and systems, for example,

a) change of ownership of records and records systems and consequent transfer of records to and from the organization,
b) change of ownership of records and records systems resulting in forced migration of records or amalgamations of systems,
c) access arrangements to records systems for continuing right of access to records, following transfers and migrations,
d) inheritance of responsibility for records and records systems without adequate documentation,
e) loss of personnel or corporate memory affecting knowledge of current records and systems, including knowledge of procedures to retrieve and use them, and of older records inherited through organizational change,
f) abandonment of records and records systems, especially legacy systems, where no responsibility is assigned,
g) change of terms within third-party service contracts,
h) new internal policies or modified existing ones within the organization that affect the records systems and processes,
i) policies and procedures which have not been reviewed and updated, and are no longer applicable, or are inconsistent or contradictory following organizational change,
j) changes in the organization’s personnel that can affect responsibility for records,
k) changes in personnel policy, training budget, and opportunities that affect the capacity of people who are responsible for records, and
l) a disaster recovery plan that is not updated, which can affect records in the event of a disaster.

5.3.2 Areas of uncertainty: Technological change

Introduction of new technologies and systems is an opportunity for improvement but also constitutes an area of uncertainty with potential for adverse effects. The areas of unc
...

SLOVENIAN STANDARD
SIST-TP ISO/TR 18128:2018
1 September 2018
Information and documentation - Risk assessment for records processes and systems

Information and documentation -- Risk assessment for records processes and systems

Information et documentation -- Evaluation du risque pour les processus et systèmes d'enregistrement

This Slovenian standard is identical to: ISO/TR 18128:2014
ICS:
01.140.20 Information sciences
03.100.01 Company organization and management in general
SIST-TP ISO/TR 18128:2018 en

2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

TECHNICAL REPORT ISO/TR 18128
First edition
2014-03-15
Information and documentation — Risk assessment for records processes and systems
Information et documentation — Evaluation du risque pour les processus et systèmes d’enregistrement
Reference number ISO/TR 18128:2014(E)
© ISO 2014
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms specific to risk
3.2 Terms specific to records
4 Risk assessment criteria for the organization
4.1 Assessment of risk
4.2 Risk criteria
4.3 Assignment of priority
5 Risk identification
5.1 General
5.2 Context: External factors
5.3 Context: Internal factors
5.4 Records systems
5.5 Records processes
6 Analysing identified risks
6.1 General
6.2 Likelihood analysis and probability estimation
7 Evaluating risks
7.1 General
7.2 Evaluating impact of adverse events
7.3 Evaluating the risk
8 Communicating the identified risks
Annex A (informative) Example of a documented risk entry in a risk register
Annex B (informative) Example: checklists for identifying areas of uncertainty
Annex C (informative) Guide to using controls from ISO/IEC 27001, Annex A
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/TC 46, Information and documentation, Subcommittee SC 11, Archives/records management.

Introduction

All organizations identify and manage the risks to their functioning successfully. Identifying and managing the risks to records processes and systems is the responsibility of the organization’s records professional.

This Technical Report is intended to help records professionals and people who have responsibility for records in their organization to assess the risks related to records processes and systems.

NOTE System means any business application which creates and stores records.

This is distinct from the task of identifying and assessing the organization’s business risks to which creating and keeping adequate records is one strategic response. The decisions to create or not create records in response to general business risk are business decisions which should be informed by the analysis of the organization’s records requirements undertaken by records professionals together with business managers. The premise of this Technical Report is that the organization has created records of its business activities to meet operational and other purposes and has established at least minimal mechanisms for the systematic management and control of the records.

The consequence of risk events to records processes and systems is the loss of, or damage to, records which are therefore no longer useable, reliable, authentic, complete, or unaltered, and therefore can fail to meet the organization’s purposes.

The Technical Report provides guidance and examples based on the general risk management process established in ISO 31000 (see Figure 1) to apply to risks related to records processes and systems. It covers
a) risk identification,
b) risk analysis, and
c) risk evaluation.

The results of the analysis of risk to records processes and systems should be incorporated into the organization’s general risk management framework. As a result, the organization will have better control of its records and their quality for business purposes.

Clause 5 provides a comprehensive list of areas of uncertainty related to records processes and systems as a guide for risk identification.

Clause 6 provides guidance to determining the consequences and probabilities of identified risk events, taking into account the presence (or not) and the effectiveness of any existing controls.

Clause 7 provides guidance to determining the significance of the level and type of risks identified.

The report does not deal with risk treatment. Once the assessment of risks related to records processes and systems has been completed, the assessed risks are documented and communicated to the organization’s risk management section. Response to the assessed risks is undertaken as part of the organization’s overall risk management program. The priority assigned by the records professional to the assessed risks is provided to inform the organization’s decisions about managing those risks.

Figure 1 — Risk Management process
NOTE Figure 1 from ISO 31000:2009. Numbering refers to text of ISO 31000.
Information and documentation — Risk assessment for records processes and systems
1 Scope

This Technical Report intends to assist organizations in assessing risks to records processes and systems so they can ensure records continue to meet identified business needs as long as required.

The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems, and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.

This Technical Report does not address the general risks to an organization’s operations which can be mitigated by creating records.

This Technical Report can be used by all organizations regardless of size, nature of their activities, or complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates which prescribes the creation and control of its records, are taken into account when identifying and assessing risk related to records and records systems.

Defining an organization or identifying its boundaries should take into account the complex structures and partnerships and contractual arrangements for outsourcing services and supply chains which are a common feature of contemporary government and corporate entities. Identifying the boundaries of the organization is the initial step in defining the scope of the project of risk assessment related to records.

This Technical Report does not address directly the mitigation of risks as methods for these will vary from organization to organization.

The Technical Report can be used by records professionals or people who have responsibility for records in their organizations and by auditors or managers who have responsibility for risk management programs in their organizations.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 30300:2011, Information and documentation — Management systems for records — Fundamentals and vocabulary
ISO Guide 73:2009, Risk management — Vocabulary
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 30300, ISO Guide 73 and the following apply.
3.1 Terms specific to risk
3.1.1
risk
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73:2009, 3.5.1.3) and consequences (ISO Guide 73:2009, 3.6.1.3) or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (ISO Guide 73, 3.6.1.1) of occurrence.

[SOURCE: ISO Guide 73:2009, definition 1.1]
3.2 Terms specific to records
3.2.1
records system

information system which captures, manages, and provides access to records through time

Note 1 to entry: This can include business applications or systems which create and maintain records.

[SOURCE: ISO 30300:2011, definition 3.4.4]
3.2.2
records processes

sets of activities by which records are created, controlled, used, kept and disposed of by the organization

4 Risk assessment criteria for the organization
4.1 Assessment of risk

Assessing risks for records processes and systems should be included, where it exists, in the organization’s general risk management process. In this case, records professionals should take into account the organization’s external and internal context and the context of the risk management process itself, including the following:

a) Roles and responsibilities: The role of records professionals in the assessment of risk related to records processes and systems should be specified.
b) Extent and scope of the risk assessment activities: Relationships with other risk assessment areas, such as information security, should be made explicit to avoid redundancy and conflicts and enable an integrated approach to risk assessment which includes records.
c) Methodology: The standard risk assessment methodology should be applied using the available risk assessment tools and reporting to the designated area or person.
d) Risk criteria: Where general risk criteria for the organization are established, risks related to records processes and systems should be assessed using these criteria.

Where the organization has not established a general risk management process, records professionals need to establish the risk criteria applying to records processes and systems prior to the assessment process.

4.2 Risk criteria

Criteria should be based on the legal requirements for the organization’s jurisdiction and should include the following:

a) the nature and types of consequences to be included and how they will be measured;
b) the way in which probabilities are to be expressed;
c) how a level of risk will be determined;
d) the criteria by which it will be decided when a risk needs treatment;
e) the criteria for deciding when a risk is acceptable and/or tolerable;
f) whether and how combinations of risks will be taken into account.

Regarding the nature and types of consequences to be included in the risk assessment of records processes and systems, there is a general starting point which applies to all organizations. Records which are authentic, reliable, have integrity, and are useable for as long as they are required will support the needs of the organization. Risks are identified based on their potential to undermine those general characteristics of records which would make them fail to meet the purposes for which they are created.

For discussion of probability and frequency of events in risk assessment, see 6.2.

Criteria for evaluating risks, including the criteria by which it will be decided when a risk is acceptable or needs treatment, include the size and reach of the records systems in the organization, the number of users, and the use made of the system in the operations of the organization.

Similarly, criteria for evaluating risks affecting records processes should include the frequency of the process, how many systems it is used in, its relative importance in creating or managing records, the tracking of processes, and the potential for reversing or remedying adverse effects.


4.3 Assignment of priority

Generally, the organization shall determine which records are the core records of its operations and the level of significance attached to them. These are business decisions based on the advice of both records professionals and the business managers.

The priority assigned to individual records, their aggregations, records processes, or specific records systems can also be assessed in relation to responses to major disasters affecting all or many business operations. For example, first, certain records are needed in the immediate aftermath of a natural disaster, such as security contacts’ addresses and phone numbers, building/facility entry records, contact details of disaster plan response teams, and insurance contacts and policy details. Second, the organization’s business continuity planning should identify the functions which need to be restored first and the records needed to do so.

Special attention should be paid to where a combination of risks applies to records identified as core operational.
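The following is an added worked illustration (written for this page, not code from ISO/TR 18128) of applying the 4.2 criteria to records risks entered in a register, with the 4.3 rule that combinations of risks on core records receive special attention. The consequence types are the four records characteristics named in 4.2; the ordinal scales, the thresholds, the escalation rule and the register entries are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# 4.2 a): consequence types are the records characteristics named in 4.2
# (authentic, reliable, integrity, useable); an event is scored by which it undermines.
CHARACTERISTICS = ("authenticity", "reliability", "integrity", "usability")

# 4.2 a) and b): constructed ordinal scales for consequence and probability (assumption).
CONSEQUENCE_SCALE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}

# 4.2 c), d), e): level = consequence x likelihood, with constructed thresholds (assumption).
ACCEPTABLE_MAX = 4   # level <= 4: acceptable, record in the register and monitor
TREATMENT_MIN = 9    # level >= 9: needs treatment


@dataclass(frozen=True)
class RecordsRisk:
    """One identified risk to records, shaped like a risk register entry (cf. Annex A)."""
    risk_id: str
    area: str                    # clause 5 area of uncertainty the risk was found under
    records: str                 # records, aggregation or system affected
    undermines: tuple[str, ...]  # which of CHARACTERISTICS the event would undermine
    consequence: str             # key of CONSEQUENCE_SCALE
    likelihood: str              # key of LIKELIHOOD_SCALE

    def level(self) -> int:
        """4.2 c): the level of risk for this entry."""
        unknown = set(self.undermines) - set(CHARACTERISTICS)
        if unknown or not self.undermines:
            raise ValueError(f"undermines must name records characteristics, got {self.undermines}")
        return CONSEQUENCE_SCALE[self.consequence] * LIKELIHOOD_SCALE[self.likelihood]

    def decision(self) -> str:
        """4.2 d) and e): accept, tolerate, or treat."""
        lvl = self.level()
        if lvl >= TREATMENT_MIN:
            return "treat"
        if lvl <= ACCEPTABLE_MAX:
            return "accept"
        return "tolerate"

    def register_entry(self) -> dict:
        """The documented entry handed to the organization's risk register."""
        return {
            "id": self.risk_id, "area": self.area, "records": self.records,
            "undermines": list(self.undermines), "consequence": self.consequence,
            "likelihood": self.likelihood, "level": self.level(), "decision": self.decision(),
        }


def combined_priority(risks: list[RecordsRisk], core_records: set[str]) -> dict[str, str]:
    """4.2 f) and 4.3: evaluate risks in combination per affected records. Any single
    'treat' carries through; on records identified as core operational, two or more
    risks that are not individually acceptable are escalated to 'treat' together
    (constructed escalation rule)."""
    by_records: dict[str, list[RecordsRisk]] = {}
    for r in risks:
        by_records.setdefault(r.records, []).append(r)
    priority: dict[str, str] = {}
    for recs, rs in by_records.items():
        decisions = [r.decision() for r in rs]
        not_acceptable = sum(d != "accept" for d in decisions)
        if "treat" in decisions or (recs in core_records and not_acceptable >= 2):
            priority[recs] = "treat"
        elif not_acceptable:
            priority[recs] = "tolerate"
        else:
            priority[recs] = "accept"
    return priority


# Constructed register entries, each tied to a clause 5 area of uncertainty.
REGISTER = [
    RecordsRisk("R1", "5.2.4 a)", "contracts register", ("integrity", "authenticity"),
                "major", "unlikely"),      # unauthorised change to records: 3 x 2 = 6
    RecordsRisk("R2", "5.3.1 f)", "contracts register", ("usability",),
                "moderate", "possible"),   # legacy system with no owner: 2 x 3 = 6
    RecordsRisk("R3", "5.2.3 a)", "paper personnel files", ("usability",),
                "severe", "rare"),         # flood at the offsite store: 4 x 1 = 4
]
CORE_RECORDS = {"contracts register"}   # 4.3: core records of the organization's operations

if __name__ == "__main__":
    for r in REGISTER:
        print(r.register_entry())
    print(combined_priority(REGISTER, CORE_RECORDS))
```

Run alone, the block shows that R1 and R2 are each only tolerable, yet because both fall on a core record their combination is escalated to treatment while the personnel files stay acceptable.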
5 Risk identification
5.1 General

Identification of risks is structured under the following categories: context, systems, and processes involved in creating and controlling the records of the organization.

The external context of the organization refers to the political and societal, the macro-economic and technological, and the physical and environmental factors beyond its control, which have an impact on its operations and are taken into account when determining its records requirements. The external context includes the external stakeholders, who or which have a particular interest in the organization’s operations.

The organization also has an internal context which is the internal factors not controlled by the records professional(s) responsible for the records processes and systems. The internal context includes factors such as the structure and finances of the organization, the technology it deploys, the resourcing of activities (people and budgets), and the organization’s culture, all of which influence the policies and practices for managing records.

Potential events with uncertain effects can be external or internal to the organization.

Uncertain effects caused by change in the external context can differ according to the perspective of the different levels of the organization (see Figure 2). It is also recognized that all change presents opportunities which can be positive in effect.

Figure 2 — The multiple layers of context of an organization’s records and records processes

The purpose of risk identification is to identify what can happen or what situations can exist that could affect the capacity of records to support the needs of the organization.

The risk identification process includes identifying the causes and source of the risk, events, situations, or circumstances which could have a material impact upon the organization’s objectives and the nature of that impact. There are numerous methods for risk identification. See IEC 31010, Annex B for a comparison of major methods.

Identified risks should be documented in a risk register, either in one specific to records or in the organization’s risk register. See the example given in Annex A.

NOTE Annex B is an example of a checklist based on the structure of Clause 5 which can be used in an organization to identify risks to records processes and systems systematically.
4 © ISO 2014 – All rights reserved
---------------------- Page: 12 ----------------------
SIST-TP ISO/TR 18128:2018
ISO/TR 18128:2014(E)
5.2 Context: External factors
5.2.1 Areas of uncertainty: Changes in political-societal context

Changes in the political and societal climate, nationally and internationally, can affect public attitudes to

governments’ and corporate behaviour. This can bring about legal and regulatory change, which impacts

the organization’s operations and, consequently, its records requirements.

Examples of areas of changing public attitudes which can affect records requirements are national

security, access to government and corporate information, privacy, intellectual property rights, and

corporate reporting responsibilities. More generally, examples of areas of uncertainty include the

following:

a) legal and regulatory changes affecting the organization’s records requirements;

a) changes in government policies affecting the organization’s records, records processes, and systems;

b) new standards or codes of practice that affect the organization’s records, records processes, and

systems;
c) changing demand for records services;
d) changing stakeholders’ expectations;

e) changes to reputation of, or trust in, the organization’s ability to deliver its services.

5.2.2 Areas of uncertainty: Macro-economic and technological environment

Changes in the macro-economic, business, and industrial environment and in information technology

have high impact on competition and customer demand. Change can be gradual and continuous, or

punctuated by crises, but also constitutes an area of uncertainty which can offer positive opportunities.

Examples of areas of uncertainty arising from such changes to the macro-economic and business

environment include the following:

a) changes in ownership and/or revenues of the organization which affect management priorities

including managing records;

b) changes in the objectives, functions, and operations of the organization, changing records

requirements;
c) increased activity from regulators, increasing external demands for records;
d) increased litigation, increasing demands for records;
e) introduction and adoption of new technologies across society;

EXAMPLES Spread of social media to business use; use of mobile computing devices for business.

f) changes in the market or client base of the organization.

These changes will be reflected in organizational changes which are discussed below (see 5.3.1).

5.2.3 Areas of uncertainty: Physical environment and infrastructure

The possibility of large-scale, natural or man-made disasters affecting the general operations of the

organization is a major area of uncertainty requiring identification and assessment. The potential

damage of such disasters include direct impact on the records and their storage and the less direct

© ISO 2014 – All rights reserved 5
---------------------- Page: 13 ----------------------
SIST-TP ISO/TR 18128:2018
ISO/TR 18128:2014(E)

impact of loss of services upon which the organization depends, for example, water and power supply

and other services. Areas of uncertainty include the following:

a) regional or local destructive or disruptive environmental phenomena such as earthquake,

hurricane/cyclone, tsunami, flood, fire, major storms, or prolonged drought;

b) the potential for acts of war or terrorism to cause major structural damage or disruption to service

supply to premises or vicinity of the organization;

c) other disruption to the organization’s power, water, waste management, information technology,

transport services, or other core utilities and services.
5.2.4 Areas of uncertainty: External security threats

Risk identification shall include hostile external security threats with the potential impacts ranging from damage to premises or service supply to unauthorised access to systems including records systems. Examples of external security threats include the following:

a) unauthorised external intrusion/access into records systems and unauthorised changes to records;

b) unidentified security compromise or exploitation of vulnerability that is not monitored and leads to information degradation;

EXAMPLE Use of spyware or malware and vulnerability from unpatched software security breaches or weaknesses.

c) physical intrusion into records storage or IT hardware space;
d) denial of services or other intentional attack on Internet services;
e) physical vandalism;
f) loss of third-party services on which the records systems are dependent.

NOTE Risk assessment is an integral element of the implementation of the ISO/IEC 27000 series of International Standards for information security. They provide extensive coverage of areas of uncertainty related to information security.
5.3 Context: Internal factors
5.3.1 Areas of uncertainty: Organizational change

Management decisions affecting the organization such as amalgamations, take-overs, and other acquisitions, restructuring, downsizing, outsourcing, or the reverse, off-shoring of services constitute a significant area of uncertainty in the internal context of the organization. These decisions will affect the records processes and systems, for example,

a) change of ownership of records and records systems and consequent transfer of records to and from the organization,

b) change of ownership of records and records systems resulting in forced migration of records or amalgamations of systems,

c) access arrangements to records systems for continuing right of access to records, following transfers and migrations,

d) inheritance of responsibility for records and records systems without adequate documentation,

e) loss of personnel or corporate memory affecting knowledge of current records and systems, including knowledge of procedures to retrieve and use them, and of
...

TECHNICAL REPORT ISO/TR 18128
First edition
2014-03-15
Information and documentation — Risk assessment for records processes and systems
Reference number
ISO/TR 18128:2014(F)
© ISO 2014
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, posting on the internet or on an intranet, without prior written permission. Permission can be requested from ISO at the address below or from ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms specific to risk
3.2 Terms specific to records
4 The organization’s risk assessment criteria
4.1 Risk assessment
4.2 Risk criteria
4.3 Assigning priorities
5 Risk identification
5.1 General
5.2 Context: External factors
5.3 Context: Internal factors
5.4 Records systems
5.5 Records processes
6 Analysis of identified risks
6.1 General
6.2 Likelihood analysis and probability estimation
7 Risk evaluation
7.1 General
7.2 Evaluation of the consequences of adverse events
7.3 Risk evaluation
8 Communication of identified risks
Annex A (informative) Example of a risk entry documented in a risk register
Annex B (informative) Example: checklists for identifying areas of uncertainty
Annex C (informative) Guide to using the controls of Annex A of ISO/IEC 27001
Bibliography
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO shall not be held responsible for identifying any or all such rights or for giving notice of their existence. Details of any intellectual property or similar rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement or a recommendation.

For an explanation of the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following link: Foreword — Supplementary information.

The committee responsible for this document is Technical Committee ISO/TC 46, Information and documentation, Subcommittee SC 11, Archives/records management.
Introduction

All organizations identify and manage risks that may affect their proper functioning. Identifying and managing the risks related to records processes and systems is the responsibility of the records professional.

This Technical Report is intended to assist records professionals and the people responsible for records in their organizations in assessing the risks related to records processes and systems.

NOTE “System” refers to any business application that creates and stores records.

This is a distinct activity from the task of identifying and assessing the organization’s business risks, for which the creation and maintenance of appropriate records is a strategic response. Decisions about whether or not to create records in response to general business risk are management decisions that should be informed by an analysis of the organization’s records requirements; this analysis is carried out by records professionals together with management. This Technical Report rests on the principle that the organization has created records of its business activities to meet operational or other objectives, and that it has put in place at least minimal mechanisms for the systematic management and control of those records.

For records processes and systems, the consequences of risk events take the form of loss or alteration of records which, as a result, are no longer usable, reliable, authentic, complete or unaltered and which may therefore no longer meet the organization’s objectives.

This Technical Report gives guidance and provides examples based on the general risk management process defined in ISO 31000 (see Figure 1), applied to the risks related to records processes and systems. It covers
a) risk identification,
b) risk analysis and
c) risk evaluation.

The results of the analysis of risks related to records processes and systems should be integrated into the organization’s general risk management framework. By doing so, the organization will have better control of its records and of their quality in meeting the needs of its business.

Clause 5 presents an exhaustive list of the areas of uncertainty related to records processes and systems, serving as a guide for risk identification.

Clause 6 gives guidance on determining the consequences and likelihood of the risk events that have been identified, taking into account the presence (or absence) and effectiveness of existing controls.

Clause 7 gives guidance on determining the significance of the level and type of risk identified.

This report does not address risk treatment. Once the assessment of risks related to records processes and systems is complete, the assessed risks are documented and communicated to the unit responsible for risk management within the organization. The response to the assessed risks falls within the organization’s overall risk management programme. The records professional assigns a priority to the assessed risks to support the organization’s decisions about managing those risks.

Figure 1 — Risk management process

NOTE Figure 1 is taken from ISO 31000:2009. The numbering refers to the text of ISO 31000.
TECHNICAL REPORT ISO/TR 18128:2014(F)
Information and documentation — Risk assessment for records processes and systems
1 Scope

This Technical Report is intended to assist organizations in assessing the risks related to records processes and systems so that they can ensure records continue to meet identified business needs as long as required.

This report

a) establishes a method of analysis for identifying risks related to records processes and systems,

b) provides a method of analysing the potential effects of adverse events on records processes and systems,

c) provides guidelines for conducting an assessment of risks related to records processes and systems, and

d) provides guidelines for documenting identified and assessed risks in preparation for mitigation measures.

This Technical Report does not address the general risks to an organization’s operations that can be mitigated by the creation of records.

This Technical Report can be used by all organizations regardless of size, nature of their activities, or complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates which prescribes the creation and control of its records, are taken into account when identifying and assessing risk related to records and records systems.

The definition of an organization, or the identification of its boundaries, should take account of the complex structures, partnerships and contractual arrangements for outsourced services and supply chains that are today a common feature of public and private entities. Identifying the boundaries of the organization is the first step in defining the scope of the records risk assessment project.

This Technical Report does not directly address risk mitigation, as the methods for doing so differ from one organization to another.

This Technical Report can be used by records professionals or people who have responsibility for records in their organizations and by auditors or managers who have responsibility for risk management programmes in their organizations.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 30300:2011, Information and documentation — Management systems for records — Fundamentals and vocabulary

ISO Guide 73:2009, Risk management — Vocabulary
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 30300 and ISO Guide 73 and the following apply.
3.1 Terms specific to risk
3.1.1
risk
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected, positive and/or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequences, or its likelihood.

Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73, 3.5.1.3) and consequences (ISO Guide 73, 3.6.1.3), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and its likelihood (ISO Guide 73, 3.6.1.1).

[SOURCE: ISO Guide 73:2009, definition 1.1]
3.2 Terms specific to records
3.2.1
records system

information system which captures, organizes, manages and provides access to records over time

Note 1 to entry: This can include business applications or systems which create and preserve records.
[SOURCE: ISO 30300:2011, definition 3.4.4]
3.2.2
records process

set of activities that enable an organization to create, control, use, keep and dispose of records
4 The organization’s risk assessment criteria
4.1 Risk assessment

Risk assessment for records processes and systems should be included in the organization’s general risk management process, where one exists. In that case, records professionals should take into account the external context and the internal context of the organization, as well as the context of the risk management process itself, including:

a) roles and responsibilities: the role of records professionals in assessing the risk related to records processes and systems should be specified;

b) the extent and scope of risk assessment activities: to avoid duplication and conflict and to allow an integrated approach to risk assessment that includes records, the relationships with other areas of risk assessment, such as information security, should be specified;

c) methodology: a standardized risk assessment methodology should be applied, using the existing risk assessment tools and reporting to the designated group of people;

d) risk criteria: where the organization has general risk criteria, the risks related to records processes and systems should be evaluated using those criteria.

Where the organization does not have a general risk management process, records professionals need to determine risk criteria applicable to records processes and systems before starting the assessment process.
4.2 Risk criteria

The criteria should be based on the regulatory requirements in force in the organization’s jurisdiction and should include:

a) the nature and types of consequences to be included, and how they will be measured;

b) how likelihood is to be expressed;
c) the method of determining the level of risk;

d) the criteria for deciding when a risk needs treatment;

e) the criteria for deciding whether a risk is acceptable and/or tolerable;

f) whether, and how, combinations of risks are to be taken into account.

Regarding the nature and types of consequences to be included in the risk assessment of records processes and systems, there is a general precondition that applies to all organizations. Only records that have the characteristics of authenticity, reliability and integrity, and that are usable for as long as required, will meet the organization’s needs. Risks are identified on the basis of their potential to compromise these general characteristics of records, making them unfit for the purposes for which they were created.

For the analysis of the likelihood and frequency of events in the risk assessment, see 6.2.

Risk evaluation criteria, including the criteria for deciding whether a risk is acceptable or requires treatment, include the size and extent of the organization’s records systems, the number of users, and the use made of the system in the organization’s operations.

Similarly, the criteria for evaluating risks affecting records processes should include the frequency of the process, the number of systems in which it is used, its relative importance in the creation or management of records, the traceability of the process, and its potential to reverse or remedy adverse effects.
4.3 Assigning priorities

In general, the organization must determine which records are vital records for its operations and the level of importance attached to them. These are management decisions based on the advice of records professionals and business managers.

The priority assigned to individual records, their aggregations, records-related processes or specific records systems can also be assessed in terms of the responses required to major disasters affecting all or part of the organization’s operations. For example, in the first instance, certain records are needed immediately after a natural disaster, such as the addresses and telephone numbers of security contacts, plant/building entry records, the contact details of disaster-plan response teams, insurance contacts and policy details. In the second instance, the organization’s business continuity planning should identify the functions to be restored as a priority and the records needed to do so.

Particular attention should be paid to situations in which a combination of risks concerns records identified as vital to the organization’s operations.
5 Risk identification
5.1 General

Risk identification is structured according to the following categories: the context, the systems and the processes involved in the creation and control of the organization’s records.

The external context of the organization refers to the political and societal, macro-economic and technological, physical and environmental factors beyond its control which nevertheless affect its operations and which are taken into account when determining its records requirements. The external context includes the external stakeholders who have a particular interest in the organization’s operations.

The organization also has an internal context, namely the internal factors beyond the control of the records professional(s) responsible for records processes and systems. The internal context includes factors such as the organization’s structure and finances, the technology it deploys, its resources (human and budgetary), and the organization’s culture, all of which influence records management policies and practices.

Potential events with uncertain effects may be external or internal to the organization. The uncertain effects caused by a change in the external context may differ depending on the viewpoint of the different levels of the organization (see Figure 2). It is also recognized that any change brings opportunities that can have a positive effect.

Figure 2 — Multiple elements of context affecting an organization’s records and records processes

The aim of risk identification is to identify what can happen, or the type of situation that may arise, that could affect the ability of records to meet the organization’s needs.

The risk identification process includes identifying the causes and source of the risk, the events, situations or circumstances that could have a material effect on the organization’s objectives, and the nature of those consequences. There are many risk identification methods. For a comparison of the main methods, see IEC 31010:2009, Annex B.

Identified risks should be documented, either in a risk register specific to records or in the organization’s risk register. See the example given in Annex A.

NOTE Annex B is an example of a checklist, based on the structure of Clause 5, that an organization can use to systematically identify the risks related to records processes and systems.
5.2 Context: External factors
5.2.1 Areas of uncertainty: Changes in the political and social context

Changes in the political and social climate, nationally or internationally, can affect changing attitudes towards government and corporate behaviour. This can lead to legal and regulatory reforms that affect the organization’s operations and, consequently, its records requirements.

National security, access to government or corporate information, protection of personal data, intellectual property rights and corporate reporting responsibilities are examples of areas of changing attitudes that can affect records requirements. More generally, examples of areas of uncertainty include:

a) legal and regulatory changes affecting the organization’s records requirements;

b) changes in government policy affecting the organization’s records, records processes and systems;

c) new standards or codes of practice affecting the organization’s records, records processes and systems;
d) a change in the demand for records services;
e) a change in stakeholder expectations;

f) changes affecting the reputation of, or the trust placed in, an organization’s ability to deliver its services.
5.2.2 Areas of uncertainty: Macro-economic and technological environment

Changes in the macro-economic, commercial and industrial environment, and in the information technology sector, have major consequences for competition and customer expectations. Changes may occur gradually and continuously or suddenly, as a result of crises, but they constitute an area of uncertainty that may also present positive opportunities.

Examples of areas of uncertainty resulting from changes in the macro-economic and commercial environment include:

a) changes in the ownership and/or financial resources of the organization affecting management priorities, including records management;

b) changes in the organization’s objectives, functions and operations, leading to changes in records requirements;

c) increased activity by regulators, increasing external demands for records;

d) increased litigation, increasing demands for records;

e) the introduction and adoption of new technologies across society;

EXAMPLES The spread of social media to business use; the use of devices
...
