ISO 19475:2021

INTERNATIONAL ISO
STANDARD 19475
First edition
2021-06
Document management — Minimum
requirements for the storage of
documents
Gestion de documents — Exigences minimales pour le stockage des
documents
Reference number
ISO 19475:2021(E)
©
ISO 2021

---------------------- Page: 1 ----------------------
ISO 19475:2021(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 19475:2021(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General . 2
4.1 Policy . 2
4.2 Document types . 3
4.3 Controlling a received and delivered document . 4
4.4 Risks in document handling and measures . 4
4.4.1 Receipt and conversion . 4
4.4.2 Recipient and delivery . 4
5 Receipt and approval . 5
5.1 Requirements . 5
5.2 Controls for receipt . 5
5.3 Controls for approval . 5
5.4 Document to be used at processing . 5
5.5 Preserving the receiving and approved context . 6
6 Delivery . 6
6.1 Requirements . 6
6.2 Controls for the delivery process . 6
6.3 Controls for the recipient process . 7
6.4 Preservation of the delivery context . 7
6.5 Monitoring of the delivered document . 8
7 Storage . 8
Annex A (informative) Requirements for EDMS/ECM . 9
Annex B (informative) Approval processes .11
Annex C (informative) Delivery – Format of the document to be delivered .13
Bibliography .15
© ISO 2021 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 19475:2021(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 171, Document management applications,
Subcommittee SC 1, Quality, preservation and integrity of information.
This first edition cancels and replaces ISO/TS 19475-1, ISO/TS 19475-2, and ISO/TS 19475-3.
Any feedback or questions about this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO 2021 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 19475:2021(E)

Introduction
This document specifies the minimum requirements for the operation of a document management
system necessary to maintain authenticity, integrity and readability of those managed documents.
Overall business operations are composed of the functions of receiving the document(s), performing
the work processes according to its contents, reporting the results of the processes and delivering
an outcome. A document management system serves the basic purpose of controlling the handling of
the received document, establishing the work processes and delivering the result of those processes.
Therefore, the reliability of the business processes and the process itself heavily depend on the
reliability of the document used as well as the reliability of the document management system.
The following operations are specified in this document, which relate to maintaining the reliability of
business activities:
— an operation that maintains the reliability of the received documents;
— an operation that maintains the integrity of the process activities; and
— an operation that ensures the authenticity of the delivered documents.
The reliability of the work processes is demonstrated by the effectiveness evaluation of the internal
controls of the organizations. Management is responsible for creating evidence during the organization's
business activities, ensuring and maintaining authenticity and integrity of the documents. Retained
documents produced as evidence of work are audited and assessed for validity. The framework and the
controls for preserving documents are described in ISO 15489.
ISO 14641 describes the methods for storing created or received electronic documents and provides
the guidelines for maintaining their integrity.
An electronic document management system (EDMS) is an effective technology for handling storage to
ensure the reliability of documents processed internally in an organization.
The above-mentioned mechanisms are a useful foundation for demonstrating the integrity of work
processes.
However, in executing their business operations, organizations create or receive various types of
documents and deliver them to other organizations. Sharing documents has the potential for a variety
of risks.
There is the risk that the organization can receive a document without any right to use it. There is
also the risk that the document contains false information, that the information was received through
inappropriate communication channels or, that the information is inappropriate for business purposes.
Any of these circumstances degrade the reliability of the work processes.
There are also risks involved when delivering a document to another organization. For example, it can
be delivered to the wrong party or the information is not appropriate to be shared. Organizations need
to take the necessary steps to mitigate these risks.
Organizations need to clarify their handling process procedures for receipt and delivery of documents.
Document handling procedures need to include quality criteria for the documents to be processed.
By applying the controls described in this document, an organization can operate their document
management system appropriately.
© ISO 2021 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO 19475:2021(E)
Document management — Minimum requirements for the
storage of documents
1 Scope
This document specifies the minimum requirements necessary to maintain the authenticity, integrity
and readability of documents managed by an electronic document management system. Clarifying the
methods and procedures for appropriately handling electronic documents promotes the usability of the
documents, in both a legal and business context.
This document expresses a general business process as a document handling process. The document
handling processes include receiving, processing and delivering the documents as follows:
— approving the receipt of a document in a manner that is appropriate for a work process;
— storing the formal document in the work process environment;
— delivery of the document to another organization.
This document establishes the controls for execution of the work processes while maintaining the
authenticity and integrity of the document received.
This document establishes the policies for the storage of documents used as part of the work process. It
also details the controls for performing the receipt and conversion process appropriately.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes the requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 14641, Electronic document management — Design and operation of an information system for the
preservation of electronic documents — Specifications
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
enterprise content management
ECM
strategies, methods and tools used to capture, manage, store, preserve and deliver content and
documents (3.6) related to organizational processes
[SOURCE: ISO 12651-1:2012, 4.53, modified — Note 1 to entry has been removed.]
© ISO 2021 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO 19475:2021(E)

3.2
electronic document management system
EDMS
software program that manages the creation, storage and control of documents (3.6) electronically
3.3
preservation system
system that maintains the authenticity, integrity (3.7) and readability of documents (3.6) over time
3.4
storage system
information technology system that has the capability of managing electronically stored documents
(3.6)
3.5
database
collection of machine-readable information organized so that it can be easily accessed, managed and
updated
[SOURCE: ISO 5127:2017, 3.1.13.03]
3.6
document
information and the medium on which it is contained
[SOURCE: ISO 9000:2015, 3.8.5, modified — The Example and Notes 1 to 3 to entry have been removed.]
3.7
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 27000:2018, 3.36]
3.8
metadata
data about other data, documents (3.6) or records that describes their content, context, structure, data
format, provenance, and/or rights attached to them
[SOURCE: ISO 5127:2017, 3.1.10.26.01]
4 General
4.1 Policy
This document specifies the minimum requirements for the handling of electronic documents in
the framework of a business process. Storage of the document(s) involved with the general handling
processes are controlled in accordance with EDMS and ECM requirements (see Annex A). The
preservation and maintenance of the evidential value of the information used in business processes are
in accordance with the preservation system specified in ISO 14641.
This document describes a document handling process. The document handling process includes, but is
not limited to, receipt, processing and delivery of documents. The relationships are shown in Figure 1.
When a document is received, the receiving organization stores it and, if necessary, sets the data format
and form appropriate for the processing process.
Each receiving organization stores the document in a storage system so that the change history of the
document throughout the handling process is securely maintained. Maintaining a log of the handling
process in the preservation system also is required.
2 © ISO 2021 – All rights reserved

---------------------- Page: 7 ----------------------
ISO 19475:2021(E)

After processing is complete, if necessary, the delivering organization formats the document
appropriately for the recipient’s use. The organization sending the document transfers or shares it to
another organization.
The integrity of a delivered document should be tracked throughout the document processing process.
Therefore, organizations can use work-related documentation to fulfil accountability.
Figure 1 — Document handling processes
The organization validates that the document received contains the information required for
processing, and whether the organization had the right to receive it. After the document is received, it
can be converted into a format appropriate for handling. There is also a process for the verification that
the conversion was made accurately.
The organization review documents that are created or received by following the specified processes.
These processes include checks that confirm the integrity of the processing results and approved the
document.
The approved document may be reformatted as appropriate for the recipient’s use prior to delivery.
The delivered document is then stored within the preservation system. The delivered document is
monitored in terms of use, transfer, copying, updates and disposal.
By handling the document according to the methods described in this document, the integrity of
document handling is assured.
4.2 Document types
Types of document to be received by the organization are as follows:
— in paper form, such as an application document;
— a scanned electronic document from an original hard copy or photograph (.jpeg image), etc.;
— a document that was packaged with other forms of data (office systems, CAD, etc.);
— a document extracted from database information using an application program interface (API);
— a document obtained through a network via API (in this case, the document is not actually moving);
— a document that is part of a data stream.
© ISO 2021 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO 19475:2021(E)

Each type of information needs a different type of control. Therefore, having specific controls for each
type reduces the risk of losing information or creating an error.
4.3 Controlling a received and delivered document
To maintain the quality of the handling process, the integrity of the document received and delivered
shall be confirmed.
This is critical to ensure the integrity and reliability of the receipt the document, converting where
appropriate into a usable format and this approving the deliverable form and delivery processes of the
document.
To maintain reliability of these processes, manage the document as follows:
— define the type of document to be handled;
— define the handling procedure for each type of document;
— note the context of the handling process so that each process can be audited;
— when any problems are found during an audit, conduct correction and improvement actions.
NOTE “Context” is defined as information related to the document handling history. Examples include the
document author, references, update log, handling logs related to processing, etc.
4.4 Risks in document handling and measures
4.4.1 Receipt and conversion
An organization receives and, where necessary, converts the documents it receives into a format that is
appropriate for use in the organization. This document is then used according to the handling process
specified in this document.
This subclause describes the risks associated with the organization responsible for receiving and
converting the documents.
Examples of the risks are as follows:
— an organization can receive a document that it does not have the right to use;
— an inadequate decision can be taken if inappropriate documentation is processed
— incorrect worker assignments can cause information leakage and false information;
— when authenticity of the document received is not confirmed, it is not possible to maintain the
integrity of the documentation process and the delivered documents.
4.4.2 Recipient and delivery
This subclause describes the risks associated delivery processes.
Examples of the risks are as follows:
— the delivery of the document is inconsistent with the work process (tampering);
— inappropriate documents are delivered (error);
— the document is delivered to unauthorized users;
— the document is destroyed while in use.
4 © ISO 2021 – All rights reserved

---------------------- Page: 9 ----------------------
ISO 19475:2021(E)

5 Receipt and approval
5.1 Requirements
Organizations should define handling methods for each type of document to properly control the
documents they receive.
The type of document and the handling methods are defined according to the receiving policy and the
contract with the vendor or customer.
NOTE The type of document is defined by its use and purpose. The format of the document is defined by its
handling method.
5.2 Controls for receipt
The organization shall confirm the skill level of the person responsible for receiving the document
before giving the work order.
The organization shall confirm whether it has the rights and privileges to receive and use a received
document.
An organization shall not receive types of document they do not have the rights and privileges to use.
The organization shall maintain the integrity of the document received and approved in accordance
with its purpose for processing.
The organization shall maintain the quality of the equipment involved in the receiving and approval
processes.
When outsourcing receipt duties to another organization, care shall be taken to avoid receiving
documents not authorized to be outsourced.
NOTE The authenticity and reliability of the document received is either confirmed by such public credibility
information as an electronic signature or time stamp, or the organizational trust or credibility of the party who
sent the information.
5.3 Controls for approval
Controls for the approval process of the document received from an outside organization into a format
appropriate for the document handling process are explained below.
Approval processes for the purpose of conversion include digitizing a paper document received,
registering or duplicating the document, whether received in paper form or an electronic file, and
deploying a data file received into processing.
NOTE Security risks in terms of physical security or system security are not discussed in this document.
Please refer to the relevant IT security standards.
When converting a document into a format that is appropriate for processing, the organization should
ensure that the information content of the received document and the converted document are not
compromised.
During the receipt process, handling shall be suspended if the information includes a document that
is not able to be approved. When the receipt process is suspended, the organization shall store the
information in question and return the relevant document to the sender.
NOTE See Annex B for the controls for inspection of the document format received.
5.4 Document to be used at processing
Metadata shall be extracted from the received document that will be used during processing.
© ISO 2021 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO 19475:2021(E)

Metadata to be used during the document handling processes contains rights and privileged information,
information for identifying the document, and the purpose of the document being processed for use.
Metadata is used to control the processes of the users and custodians of the document, as well as to
identify the processing procedures.
The organization shall store the extracted metadata as well as the received contents into the EDMS or
ECM.
NOTE The requirements for EDMS and ECM are shown in Annex A.
5.5 Preserving the receiving and approved context
The context of the receiving and approval operations shall be recorded as a system log or as an
operations log. The context information contains the received and approved documents; the software
used for approval and the converted documents (if necessary) for use, and stores this information in
the preservation system.
The document metadata shall contain the name of the person that created it, an electronic signature
and a time stamp marking the date it was preserved. The use of an electronic signature and time stamp
shall be as described in ISO 14641.
NOTE 1 The requirements for ensuring the authenticity of the preserved document can vary depending on
local regulations.
1) Authorize the output document.
2) Authenticate and apply a time stamp for both the received document and the output document.
3) Documents are stored with a trusted storage service. This document is called a true copy.
In addition, the context information (use log, reference log, update log, etc.) related to the generation
of the document is preserved with an electronic signature and time stamp.
4) In addition to 2), the name and version of the software program used for editing and creation is
also recorded and stored.
In addition to above, the usage history of the system program should be required.
NOTE 2 Local legislation can exist concerning the evidential requirements of documents.
NOTE 3 The document to be stored contains the name of the person, the date of creation, etc. It is critical to
decide on the handling procedures to ensure data integrity according to the information handling rules.
6 Delivery
6.1 Requirements
Organizations should define the handling methods for each type of document to be controlled and
delivered.
The type of document and the handling methods are defined according to the delivery policy and the
contract with the vendor or customer.
NOTE See Annex C for the controls for inspection of the document format that is deliverable.
6.2 Controls for the delivery process
The organization shall preserve appropriate and validated business processes according to roles and
responsibilities. Thus, the organization maintains the integrity of the processing process.
6 © ISO 2021 – All rights reserved

---------------------- Page: 11 ----------------------
ISO 19475:2021(E)

The organization shall assign appropriate workers to the delivery process.
The organization shall ensure that the organization to which the document is to be delivered has the
rights and privileges to use the document that is being shipped to them.
The organization shall only deliver documents that they have the authority and privileges to deliver.
The organization shall maintain the integrity of the delivery process.
The organization shall maintain the quality of the equipment used for the delivery process.
The organization shall suppress the format and range of the document against the request of the
delivery destination.
In addition, the organization shall convert to the format and range of the documents that have been
made to the destination request.
The organization shall select an appropriate communication channel.
The organization shall be able to monitor the usage status of the information delivered.
The organization shall define the expiration date of the delivered document.
The document delivered and the preservation of the delivery log shall not be destroyed within the
period specified.
The delivered document shall be recovered or disposed of upon expiration.
6.3 Controls for the recipient process
The receipt process is the process of converting the document into a format appropriate for its delivery
and use by the other party, where this is necessary. This includes editing or redacting the document
according to the rights and privileges of the receiving organization.
When converting a document to a format that is appropriate for delivery, the organization should
ensure that the information content of the processed document and the converted document are not
compromised.
The organization shall not convert a document that is not appropriate for delivery.
The organization shall handle the documents to be delivered in accordance with confidentiality or
integrity requirements.
6.4 Preservation of the delivery context
The organization shall preserve within the created document the context information related to
approval for recipient and delivery. This context information contains approval for recipient and delivery
details and the content of the document. It also includes details of the software used for processing,
usage information and data regarding storage of the document into the preservation system.
Document metadata includes the name of the
...