Document management -- Electronically stored information -- Recommendations for trustworthiness and reliability

ISO/TR 15801:2017 describes the implementation and operation of information management systems that store and make available for use electronically stored information (ESI) in a trustworthy and reliable manner. Such ESI can be of any type, including "page based" information, information in databases and audio/video information. ISO/TR 15801:2017 is for use by any organization that uses systems to store trustworthy ESI over time. Such systems incorporate policies, procedures, technology and audit requirements that ensure that trustworthiness of the ESI is maintained. ISO/TR 15801:2017 does not cover processes used to evaluate whether ESI can be considered to be trustworthy prior to it being stored or imported into the system. However, it can be used to demonstrate that, once the electronic information is stored, output from the system will be a true and accurate reproduction of the ESI created and/or imported.

Gestion de document -- Information stockée électroniquement -- Recommandations pour contribuer à l'intégrité et à la fiabilité des informations stockées

General Information

Status: Published
Publication Date: 16-May-2017
Current Stage: 9092 - International Standard to be revised
Start Date: 01-Jun-2021

Technical report
ISO/TR 15801:2017 - Document management -- Electronically stored information -- Recommendations for trustworthiness and reliability
English language
44 pages

Standards Content (sample)

TECHNICAL REPORT ISO/TR 15801
Third edition, 2017-05
Document management — Electronically stored information — Recommendations for trustworthiness and reliability
Gestion de document — Information stockée électroniquement — Recommandations pour contribuer à l’intégrité et à la fiabilité des informations stockées
Reference number: ISO/TR 15801:2017(E)
© ISO 2017
COPYRIGHT PROTECTED DOCUMENT
© ISO 2017, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Information management policy
4.1 General
4.2 Information management policy document
4.2.1 Contents
4.2.2 ESI covered
4.2.3 ESI roles and responsibilities
4.2.4 ESI security classification
4.2.5 Storage media
4.2.6 Data file formats and compression
4.2.7 Outsourcing
4.2.8 Standards related to information management
4.2.9 Retention and disposal schedules
4.2.10 Information management responsibilities
4.2.11 Compliance with policy
5 Duty of care
5.1 General
5.1.1 Trusted system
5.1.2 Controls
5.1.3 Segregation of roles
5.2 Information security management
5.2.1 Information security policy
5.2.2 Risk assessment
5.2.3 Information security framework
5.3 Business continuity planning
5.4 Consultations
6 Procedures and processes
6.1 General
6.2 Procedures manual
6.2.1 Documentation
6.2.2 Content
6.2.3 Compliance with procedures
6.2.4 Updating and reviews
6.3 ESI capture
6.3.1 General
6.3.2 Creation and importing
6.3.3 Information loss
6.3.4 Metadata
6.4 Document image capture
6.4.1 General
6.4.2 Preparation of paper documents
6.4.3 Document batching
6.4.4 Photocopying
6.4.5 Scanning processes
6.4.6 Quality control
6.4.7 Rescanning
6.4.8 Image processing
6.5 Data capture
6.5.1 Data creation
6.5.2 Conversion and migration
6.6 Database considerations
6.6.1 General
6.6.2 Database systems
6.6.3 Database schemas
6.6.4 Master data management
6.6.5 Transactional vs. updating
6.7 Indexing
6.7.1 General
6.7.2 Manual indexing
6.7.3 Automatic indexing
6.7.4 Index storage
6.7.5 Index amendments
6.7.6 Index accuracy
6.8 Authenticated output procedures
6.9 ESI transmission
6.9.1 Intra-system ESI transfer
6.9.2 External transmission of files
6.10 Information retention
6.11 Information preservation
6.12 Information destruction
6.13 Backup and system recovery
6.14 System maintenance
6.14.1 General
6.14.2 Scanning systems
6.15 Security and protection
6.15.1 Security procedures
6.15.2 Encryption keys
6.16 Use of contracted services
6.16.1 General
6.16.2 Procedural considerations
6.16.3 Transportation of paper documents
6.16.4 Use of trusted third party
6.17 Workflow
6.18 Date and time stamps
6.19 Version control
6.19.1 Information
6.19.2 Documentation
6.19.3 Procedures and processes
6.20 Maintenance of documentation
7 Enabling technologies
7.1 General
7.2 System description manual
7.3 Storage media and sub-system considerations
7.4 Access levels
7.5 System integrity checks
7.5.1 General
7.5.2 Digital and electronic signatures (including biometric signatures)
7.6 Image processing
7.7 Compression techniques
7.8 Form overlays and form removal
7.9 Environmental considerations
7.10 Migration
7.11 Information deletion and/or expungement
8 Audit trails
8.1 General
8.1.1 Audit trail data
8.1.2 Creation
8.1.3 Date and time
8.1.4 Storage
8.1.5 Access
8.1.6 Security and protection
8.2 System
8.2.1 General
8.2.2 Audit trail information
8.2.3 Migration and conversion
8.3 ESI
8.3.1 General
8.3.2 ESI capture
8.3.3 Batch information
8.3.4 Indexing
8.3.5 Change control
8.3.6 Digital signatures
8.3.7 Destruction of information
8.3.8 Workflow
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 171, Document management applications, Subcommittee SC 1, Quality, preservation and integrity of information.

This third edition cancels and replaces the second edition (ISO/TR 15801:2009), which has been technically revised.
Introduction

This document defines recommended practices for electronic storage of business or other information in an electronic form. As such, complying with its recommendations is of value to organizations even when the trustworthiness of the stored information is not being challenged, especially in jurisdictions with e-discovery legislation.

Information originates from many sources. This document covers information in any form, from the traditional scanned images, word processed documents and spreadsheets to the more “modern” forms which include e-mail, web content, instant messages, CAD drawing files, blogs, wikis, etc. Also included is information stored in databases and other data storage systems. Recommendations in this document can be useful in systems that use local and/or cloud storage.

Users of this document should be aware that the implementation of these recommendations does not automatically ensure acceptability of the evidence contained within the information. Where electronically stored information (ESI) might be required in court or other adversarial situation, implementers of this document are advised to seek legal advice to ascertain the precise situation within their relevant legal environment.

This document describes means by which it can be demonstrated, at any time, that the information created or existing within an information management system has not changed since it was created within the system or imported into it.

Regardless of the original format, it will be possible to demonstrate that information stored in a trustworthy information management system can be reliably reproduced in a consistent manner and accurately reflects what was originally stored without any material modification.

Alternative versions of the information in a document might legitimately develop, e.g. revision of a contract. In these cases, the new versions are treated as new documents. The same principle can be applied when a sig
...
