Document management -- Minimum requirements for the storage of documents

This document specifies the minimum requirements necessary to maintain the authenticity, integrity and readability of documents managed by an electronic document management system. Clarifying the methods and procedures for appropriately handling electronic documents promotes the usability of the documents, in both a legal and business context.

This document expresses a general business process as a document handling process. The document handling processes include receiving, processing and delivering the documents as follows:

— approving the receipt of a document in a manner that is appropriate for a work process;
— storing the formal document in the work process environment;
— delivery of the document to another organization.

This document establishes the controls for execution of the work processes while maintaining the authenticity and integrity of the document received. This document establishes the policies for the storage of documents used as part of the work process. It also details the controls for performing the receipt and conversion process appropriately.

Gestion de documents -- Exigences minimales pour le stockage des documents

General Information

Status: Published
Publication Date: 09-Jun-2021
Current Stage: 5060 - Close of voting Proof returned by Secretariat
Start Date: 19-May-2021
Completion Date: 18-May-2021

Standard
ISO 19475:2021 - Document management -- Minimum requirements for the storage of documents
English language
15 pages
Draft
ISO/FDIS 19475:Version 20-mar-2021 - Document management -- Minimum requirements for the storage of documents
English language
15 pages

Standards Content (sample)

INTERNATIONAL STANDARD ISO 19475
First edition 2021-06

Document management — Minimum requirements for the storage of documents

Gestion de documents — Exigences minimales pour le stockage des documents

Reference number: ISO 19475:2021(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General
4.1 Policy
4.2 Document types
4.3 Controlling a received and delivered document
4.4 Risks in document handling and measures
4.4.1 Receipt and conversion
4.4.2 Recipient and delivery
5 Receipt and approval
5.1 Requirements
5.2 Controls for receipt
5.3 Controls for approval
5.4 Document to be used at processing
5.5 Preserving the receiving and approved context
6 Delivery
6.1 Requirements
6.2 Controls for the delivery process
6.3 Controls for the recipient process
6.4 Preservation of the delivery context
6.5 Monitoring of the delivered document
7 Storage
Annex A (informative) Requirements for EDMS/ECM
Annex B (informative) Approval processes
Annex C (informative) Delivery – Format of the document to be delivered
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 171, Document management applications, Subcommittee SC 1, Quality, preservation and integrity of information.

This first edition cancels and replaces ISO/TS 19475-1, ISO/TS 19475-2, and ISO/TS 19475-3.

Any feedback or questions about this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

Introduction

This document specifies the minimum requirements for the operation of a document management system necessary to maintain authenticity, integrity and readability of those managed documents.

Overall business operations are composed of the functions of receiving the document(s), performing the work processes according to its contents, reporting the results of the processes and delivering an outcome. A document management system serves the basic purpose of controlling the handling of the received document, establishing the work processes and delivering the result of those processes. Therefore, the reliability of the business processes and the process itself heavily depend on the reliability of the document used as well as the reliability of the document management system.

The following operations are specified in this document, which relate to maintaining the reliability of business activities:

— an operation that maintains the reliability of the received documents;
— an operation that maintains the integrity of the process activities; and
— an operation that ensures the authenticity of the delivered documents.

The reliability of the work processes is demonstrated by the effectiveness evaluation of the internal controls of the organizations. Management is responsible for creating evidence during the organization's business activities, ensuring and maintaining authenticity and integrity of the documents. Retained documents produced as evidence of work are audited and assessed for validity. The framework and the controls for preserving documents are described in ISO 15489.

ISO 14641 describes the methods for storing created or received electronic documents and provides the guidelines for maintaining their integrity.

An electronic document management system (EDMS) is an effective technology for handling storage to ensure the reliability of documents processed internally in an organization.

The above-mentioned mechanisms are a useful foundation for demonstrating the integrity of work processes.

However, in executing their business operations, organizations create or receive various types of documents and deliver them to other organizations. Sharing documents has the potential for a variety of risks.

There is the risk that the organization can receive a document without any right to use it. There is also the risk that the document contains false information, that the information was received through inappropriate communication channels or that the information is inappropriate for business purposes. Any of these circumstances degrade the reliability of the work processes.

There are also risks involved when delivering a document to another organization. For example, it can be delivered to the wrong party or the information is not appropriate to be shared. Organizations need to take the necessary steps to mitigate these risks.

Organizations need to clarify their handling process procedures for receipt and delivery of documents. Document handling procedures need to include quality criteria for the documents to be processed.

By applying the controls described in this document, an organization can operate their document management system appropriately.

Document management — Minimum requirements for the storage of documents

1 Scope

This document specifies the minimum requirements necessary to maintain the authenticity, integrity and readability of documents managed by an electronic document management system. Clarifying the methods and procedures for appropriately handling electronic documents promotes the usability of the documents, in both a legal and business context.

This document expresses a general business process as a document handling process. The document handling processes include receiving, processing and delivering the documents as follows:

— approving the receipt of a document in a manner that is appropriate for a work process;
— storing the formal document in the work process environment;
— delivery of the document to another organization.

This document establishes the controls for execution of the work processes while maintaining the authenticity and integrity of the document received.

This document establishes the policies for the storage of documents used as part of the work process. It also details the controls for performing the receipt and conversion process appropriately.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes the requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 14641, Electronic document management — Design and operation of an information system for the preservation of electronic documents — Specifications

3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
enterprise content management
ECM
strategies, methods and tools used to capture, manage, store, preserve and deliver content and documents (3.6) related to organizational processes
[SOURCE: ISO 12651-1:2012, 4.53, modified — Note 1 to entry has been removed.]

3.2
electronic document management system
EDMS
software program that manages the creation, storage and control of documents (3.6) electronically

3.3
preservation system
system that maintains the authenticity, integrity (3.7) and readability of documents (3.6) over time

3.4
storage system
information technology system that has the capability of managing electronically stored documents (3.6)

3.5
database
collection of machine-readable information organized so that it can be easily accessed, managed and updated
[SOURCE: ISO 5127:2017, 3.1.13.03]

3.6
document
information and the medium on which it is contained
[SOURCE: ISO 9000:2015, 3.8.5, modified — The Example and Notes 1 to 3 to entry have been removed.]

3.7
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 27000:2018, 3.36]

3.8
metadata
data about other data, documents (3.6) or records that describes their content, context, structure, data format, provenance, and/or rights attached to them
[SOURCE: ISO 5127:2017, 3.1.10.26.01]

4 General
4.1 Policy

This document specifies the minimum requirements for the handling of electronic documents in the framework of a business process. Storage of the document(s) involved with the general handling processes is controlled in accordance with EDMS and ECM requirements (see Annex A). The preservation and maintenance of the evidential value of the information used in business processes are in accordance with the preservation system specified in ISO 14641.

This document describes a document handling process. The document handling process includes, but is not limited to, receipt, processing and delivery of documents. The relationships are shown in Figure 1.

When a document is received, the receiving organization stores it and, if necessary, sets the data format and form appropriate for the processing process.

Each receiving organization stores the document in a storage system so that the change history of the document throughout the handling process is securely maintained. Maintaining a log of the handling process in the preservation system is also required.

After processing is complete, if necessary, the delivering organization formats the document appropriately for the recipient’s use. The organization sending the document transfers it to, or shares it with, another organization.

The integrity of a delivered document should be tracked throughout the document processing process. Therefore, organizations can use work-related documentation to fulfil accountability.

Figure 1 — Document handling processes

The organization validates that the document received contains the information required for processing, and whether the organization had the right to receive it. After the document is received, it can be converted into a format appropriate for handling. There is also a process for the verification that the conversion was made accurately.

The organization reviews documents that are created or received by following the specified processes. These processes include checks that confirm the integrity of the processing results and approve the document.

The approved document may be reformatted as appropriate for the recipient’s use prior to delivery. The delivered document is then stored within the preservation system. The delivered document is monitored in terms of use, transfer, copying, updates and disposal.

By handling the document according to the methods described in this document, the integrity of document handling is assured.

4.2 Document types
Types of document to be received by the organization are as follows:

— in paper form, such as an application document;
— a scanned electronic document from an original hard copy or photograph (.jpeg image), etc.;
— a document that was packaged with other forms of data (office systems, CAD, etc.);
— a document extracted from database information using an application program interface (API);
— a document obtained through a network via API (in this case, the document is not actually moving);
— a document that is part of a data stream.

Each type of information needs a different type of control. Therefore, having specific controls for each type reduces the risk of losing information or creating an error.

4.3 Controlling a received and delivered document

To maintain the quality of the handling process, the integrity of the document received and delivered shall be confirmed.

This is critical to ensure the integrity and reliability of the receipt of the document, its conversion where appropriate into a usable format, and the approval of the deliverable form and delivery processes of the document.

To maintain reliability of these processes, manage the document as follows:

— define the type of document to be handled;
— define the handling procedure for each type of document;
— note the context of the handling process so that each process can be audited;
— when any problems are found during an audit, conduct correction and improvement actions.

NOTE “Context” is defined as information related to the document handling history. Examples include the document author, references, update log, handling logs related to processing, etc.

4.4 Risks in document handling and measures
4.4.1 Receipt and conversion

An organization receives and, where necessary, converts the documents it receives into a format that is appropriate for use in the organization. This document is then used according to the handling process specified in this document.

This subclause describes the risks associated with the organization responsible for receiving and converting the documents.

Examples of the risks are as follows:

— an organization can receive a document that it does not have the right to use;
— an inadequate decision can be taken if inappropriate documentation is processed;
— incorrect worker assignments can cause information leakage and false information;
— when authenticity of the document received is not confirmed, it is not possible to maintain the integrity of the documentation process and the delivered documents.

4.4.2 Recipient and delivery

This subclause describes the risks associated with delivery processes.

Examples of the risks are as follows:

— the delivery of the document is inconsistent with the work process (tampering);
— inappropriate documents are delivered (error);
— the document is delivered to unauthorized users;
— the document is destroyed while in use.

5 Receipt and approval
5.1 Requirements

Organizations should define handling methods for each type of document to properly control the documents they receive.

The type of document and the handling methods are defined according to the receiving policy and the contract with the vendor or customer.

NOTE The type of document is defined by its use and purpose. The format of the document is defined by its handling method.

5.2 Controls for receipt

The organization shall confirm the skill level of the person responsible for receiving the document before giving the work order.

The organization shall confirm whether it has the rights and privileges to receive and use a received document.

An organization shall not receive types of document it does not have the rights and privileges to use.

The organization shall maintain the integrity of the document received and approved in accordance with its purpose for processing.

The organization shall maintain the quality of the equipment involved in the receiving and approval processes.

When outsourcing receipt duties to another organization, care shall be taken to avoid receiving documents not authorized to be outsourced.

NOTE The authenticity and reliability of the document received is either confirmed by such public credibility information as an electronic signature or time stamp, or the organizational trust or credibility of the party who sent the information.

5.3 Controls for approval

Controls for the approval process of the document received from an outside organization into a format appropriate for the document handling process are explained below.

Approval processes for the purpose of conversion include digitizing a paper document received, registering or duplicating the document, whether received in paper form or an electronic file, and deploying a data file received into processing.

NOTE Security risks in terms of physical security or system security are not discussed in this document. Please refer to the relevant IT security standards.

When converting a document into a format that is appropriate for processing, the organization should ensure that the information content of the received document and the converted document are not compromised.

During the receipt process, handling shall be suspended if the information includes a document that is not able to be approved. When the receipt process is suspended, the organization shall store the information in question and return the relevant document to the sender.

NOTE See Annex B for the controls for inspection of the document format received.

5.4 Document to be used at processing

Metadata shall be extracted from the received document that will be used during processing.

Metadata to be used during the document handling processes contains rights and privileged information, information for identifying the document, and the purpose of the document being processed for use. Metadata is used to control the processes of the users and custodians of the document, as well as to identify the processing procedures.

The organization shall store the extracted metadata as well as the received contents into the EDMS or ECM.

NOTE The requirements for EDMS and ECM are shown in Annex A.

5.5 Preserving the receiving and approved context

The context of the receiving and approval operations shall be recorded as a system log or as an operations log. The context information contains the received and approved documents, the software used for approval and the converted documents (if necessary) for use; this information is stored in the preservation system.

The document metadata shall contain the name of the person that created it, an electronic signature and a time stamp marking the date it was preserved. The use of an electronic signature and time stamp shall be as described in ISO 14641.

NOTE 1 The requirements for ensuring the authenticity of the preserved document can vary depending on local regulations.

1) Authorize the output document.

2) Authenticate and apply a time stamp for both the received document and the output document.

3) Documents are stored with a trusted storage service. This document is called a true copy.

In addition, the context information (use log, reference log, update log, etc.) related to the generation of the document is preserved with an electronic signature and time stamp.

4) In addition to 2), the name and version of the software program used for editing and creation is also recorded and stored.

In addition to the above, the usage history of the system program should be required.

NOTE 2 Local legislation can exist concerning the evidential requirements of documents.

NOTE 3 The document to be stored contains the name of the person, the date of creation, etc. It is critical to decide on the handling procedures to ensure data integrity according to the information handling rules.


6 Delivery
6.1 Requirements

Organizations should define the handling methods for each type of document to be controlled and delivered.

The type of document and the handling methods are defined according to the delivery policy and the contract with the vendor or customer.

NOTE See Annex C for the controls for inspection of the document format that is deliverable.

6.2 Controls for the delivery process

The organization shall preserve appropriate and validated business processes according to roles and responsibilities. Thus, the organization maintains the integrity of the processing process.

The organization shall assign appropriate workers to the delivery process.

The organization shall ensure that the organization to which the document is to be delivered has the rights and privileges to use the document that is being shipped to them.

The organization shall only deliver documents that they have the authority and privileges to deliver.

The organization shall maintain the integrity of the delivery process.

The organization shall maintain the quality of the equipment used for the delivery process.

The organization shall suppress the format and range of the document against the request of the delivery destination.

In addition, the organization shall convert to the format and range of the documents that have been made to the destination request.

The organization shall select an appropriate communication channel.

The organization shall be able to monitor the usage status of the information delivered.

The organization shall define the expiration date of the delivered document.

The document delivered and the preservation of the delivery log shall not be destroyed within the period specified.

The delivered document shall be recovered or disposed of upon expiration.

6.3 Controls for the recipient process

The receipt process is the process of converting the document into a format appropriate for its delivery and use by the other party, where this is necessary. This includes editing or redacting the document according to the rights and privileges of the receiving organization.

When converting a document to a format that is appropriate for delivery, the organization should ensure that the information content of the processed document and the converted document are not compromised.

The organization shall not convert a document that is not appropriate for delivery.

The organization shall handle the documents to be delivered in accordance with confidentiality or integrity requirements.

6.4 Preservation of the delivery context

The organization shall preserve within the created document the context information related to approval for recipient and delivery. This context information contains approval for recipient and delivery details and the content of the document. It also includes details of the software used for processing, usage information and data regarding storage of the document into the preservation system.

Document metadata includes the name of the
...

FINAL DRAFT INTERNATIONAL STANDARD
ISO/FDIS 19475

ISO/TC 171/SC 1
Secretariat: BSI
Voting begins on: 2021-03-23
Voting terminates on: 2021-05-18

Document management — Minimum requirements for the storage of documents

Gestion de documents — Exigences minimales pour le stockage des documents

Reference number ISO/FDIS 19475:2021(E)

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General
  4.1 Policy
  4.2 Document types
  4.3 Controlling a received and delivered document
  4.4 Risks in document handling and measures
    4.4.1 Receipt and conversion
    4.4.2 Recipient and delivery
5 Receipt and approval
  5.1 Requirements
  5.2 Controls for receipt
  5.3 Controls for approval
  5.4 Document to be used at processing
  5.5 Preserving the receiving and approved context
6 Delivery
  6.1 Requirements
  6.2 Controls for the delivery process
  6.3 Controls for the recipient process
  6.4 Preservation of the delivery context
  6.5 Monitoring of the delivered document
7 Storage
  7.1 Storage
Annex A (informative) Requirements for EDMS/ECM
Annex B (informative) Approval processes
Annex C (informative) Delivery – Format of the document to be delivered
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 171, Document management applications, Subcommittee SC 1, Quality, preservation and integrity of information.

This first edition cancels and replaces ISO/TS 19475-1, ISO/TS 19475-2, and ISO/TS 19475-3.

Any feedback or questions about this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

Introduction

This document specifies the minimum requirements for the operation of a document management system necessary to maintain authenticity, integrity and readability of those managed documents.

Overall business operations are composed of the functions of receiving the document(s), performing the work processes according to its contents, reporting the results of the processes and delivering an outcome. A document management system serves the basic purpose of controlling the handling of the received document, establishing the work processes and delivering the result of those processes.

Therefore, the reliability of the business processes and the process itself heavily depend on the reliability of the document used as well as the reliability of the document management system.

The following operations are specified in this document, which relate to maintaining the reliability of business activities:

— an operation that maintains the reliability of the received documents;
— an operation that maintains the integrity of the process activities; and
— an operation that ensures the authenticity of the delivered documents.

The reliability of the work processes is demonstrated by the effectiveness evaluation of the internal controls of the organizations. Management is responsible for creating evidence during the organization's business activities, ensuring and maintaining authenticity and integrity of the documents. Retained documents produced as evidence of work are audited and assessed for validity. The framework and the controls for preserving documents are described in ISO 15489.

ISO 14641 describes the methods for storing created or received electronic documents and provides the guidelines for maintaining their integrity.

An electronic document management system (EDMS) is an effective technology for handling storage to ensure the reliability of documents processed internally in an organization.

The above-mentioned mechanisms are a useful foundation for demonstrating the integrity of work processes.

However, in executing their business operations, organizations create or receive various types of documents and deliver them to other organizations. Sharing documents has the potential for a variety of risks.

There is the risk that the organization can receive a document without any right to use it. There is also the risk that the document contains false information, that the information was received through inappropriate communication channels or that the information is inappropriate for business purposes. Any of these circumstances degrade the reliability of the work processes.

There are also risks involved when delivering a document to another organization. For example, it can be delivered to the wrong party or the information is not appropriate to be shared. Organizations need to take the necessary steps to mitigate these risks.

Organizations need to clarify their handling process procedures for receipt and delivery of documents. Document handling procedures need to include quality criteria for the documents to be processed.

By applying the controls described in this document, an organization can operate their document management system appropriately.
Document management — Minimum requirements for the storage of documents

1 Scope

This document specifies the minimum requirements necessary to maintain the authenticity, integrity and readability of documents managed by an electronic document management system. Clarifying the methods and procedures for appropriately handling electronic documents promotes the usability of the documents, in both a legal and business context.

This document expresses a general business process as a document handling process. The document handling processes include receiving, processing and delivering the documents as follows:

— approving the receipt of a document in a manner that is appropriate for a work process;
— storing the formal document in the work process environment;
— delivery of the document to another organization.

This document establishes the controls for execution of the work processes while maintaining the authenticity and integrity of the document received.

This document establishes the policies for the storage of documents used as part of the work process. It also details the controls for performing the receipt and conversion process appropriately.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes the requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 14641, Electronic document management — Design and operation of an information system for the preservation of electronic documents — Specifications

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
enterprise content management
ECM
strategies, methods and tools used to capture, manage, store, preserve and deliver content and documents (3.6) related to organizational processes
[SOURCE: ISO 12651-1:2012, 4.53, modified — Note 1 to entry has been removed.]
3.2
electronic document management system
EDMS
software program that manages the creation, storage and control of documents (3.6) electronically

3.3
preservation system
system that maintains the authenticity, integrity (3.7) and readability of documents (3.6) over time

3.4
storage system
information technology system that has the capability of managing electronically stored documents (3.6)

3.5
database
collection of machine-readable information organized so that it can be easily accessed, managed and updated
[SOURCE: ISO 5127:2017, 3.1.13.03]

3.6
document
information and the medium on which it is contained
[SOURCE: ISO 9000:2015, 3.8.5, modified — The Example and Notes 1 to 3 to entry have been removed.]

3.7
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 27000:2018, 3.36]

3.8
metadata
data about other data, documents (3.6) or records that describes their content, context, structure, data format, provenance, and/or rights attached to them
[SOURCE: ISO 5127:2017, 3.1.10.26.01]

4 General

4.1 Policy

This document specifies the minimum requirements for the handling of electronic documents in the framework of a business process. Storage of the document(s) involved with the general handling processes are controlled in accordance with EDMS and ECM requirements (see Annex A). The preservation and maintenance of the evidential value of the information used in business processes are in accordance with the preservation system specified in ISO 14641.

This document describes a document handling process. The document handling process includes, but is not limited to, receipt, processing and delivery of documents. The relationships are shown in Figure 1.

When a document is received, the receiving organization stores it and, if necessary, sets the data format and form appropriate for the processing process.

Each receiving organization stores the document in a storage system so that the change history of the document throughout the handling process is securely maintained. Maintaining a log of the handling process in the preservation system also is required.

After processing is complete, if necessary, the delivering organization formats the document appropriately for the recipient’s use. The organization sending the document transfers or shares it to another organization.

The integrity of a delivered document should be tracked throughout the document processing process. Therefore, organizations can use work-related documentation to fulfil accountability.

Figure 1 — Document handling processes

The organization validates that the document received contains the information required for processing, and whether the organization had the right to receive it. After the document is received, it can be converted into a format appropriate for handling. There is also a process for the verification that the conversion was made accurately.

The organization reviews documents that are created or received by following the specified processes. These processes include checks that confirm the integrity of the processing results and approve the document.

The approved document may be reformatted as appropriate for the recipient’s use prior to delivery.

The delivered document is then stored within the preservation system. The delivered document is monitored in terms of use, transfer, copying, updates and disposal.

By handling the document according to the methods described in this document, the integrity of document handling is assured.

4.2 Document types

Types of document to be received by the organization are as follows:

— in paper form, such as an application document;
— a scanned electronic document from an original hard copy or photograph (.jpeg image), etc.;
— a document that was packaged with other forms of data (office systems, CAD, etc.);
— a document extracted from database information using an application program interface (API);
— a document obtained through a network via API (in this case, the document is not actually moving);
— a document that is part of a data stream.

Each type of information needs a different type of control. Therefore, having specific controls for each type reduces the risk of losing information or creating an error.

4.3 Controlling a received and delivered document

To maintain the quality of the handling process, the integrity of the document received and delivered shall be confirmed.

This is critical to ensure the integrity and reliability of the receipt of the document, converting it where appropriate into a usable format, and approving the deliverable form and delivery processes of the document.

To maintain reliability of these processes, manage the document as follows:

— define the type of document to be handled;
— define the handling procedure for each type of document;
— note the context of the handling process so that each process can be audited;
— when any problems are found during an audit, conduct correction and improvement actions.

NOTE “Context” is defined as information related to the document handling history. Examples include the document author, references, update log, handling logs related to processing, etc.

4.4 Risks in document handling and measures

4.4.1 Receipt and conversion

An organization receives and, where necessary, converts the documents it receives into a format that is appropriate for use in the organization. This document is then used according to the handling process specified in this document.

This subclause describes the risks associated with the organization responsible for receiving and converting the documents.

Examples of the risks are as follows:

— an organization can receive a document that it does not have the right to use;
— an inadequate decision can be taken if inappropriate documentation is processed;
— incorrect worker assignments can cause information leakage and false information;
— when authenticity of the document received is not confirmed, it is not possible to maintain the integrity of the documentation process and the delivered documents.

4.4.2 Recipient and delivery

This subclause describes the risks associated with delivery processes.

Examples of the risks are as follows:

— the delivery of the document is inconsistent with the work process (tampering);
— inappropriate documents are delivered (error);
— the document is delivered to unauthorized users;
— the document is destroyed while in use.
5 Receipt and approval

5.1 Requirements

Organizations should define handling methods for each type of document to properly control the documents they receive.

The type of document and the handling methods are defined according to the receiving policy and the contract with the vendor or customer.

NOTE The type of document is defined by its use and purpose. The format of the document is defined by its handling method.

5.2 Controls for receipt

The organization shall confirm the skill level of the person responsible for receiving the document before giving the work order.

The organization shall confirm whether it has the rights and privileges to receive and use a received document.

An organization shall not receive types of document they do not have the rights and privileges to use.

The organization shall maintain the integrity of the document received and approved in accordance with its purpose for processing.

The organization shall maintain the quality of the equipment involved in the receiving and approval processes.

When outsourcing receipt duties to another organization, care shall be taken to avoid receiving documents not authorized to be outsourced.

NOTE The authenticity and reliability of the document received is either confirmed by such public credibility information as an electronic signature or time stamp, or the organizational trust or credibility of the party who sent the information.

5.3 Controls for approval

Controls for the approval process of the document received from an outside organization into a format appropriate for the document handling process are explained below.

Approval processes for the purpose of conversion include digitizing a paper document received, registering or duplicating the document, whether received in paper form or an electronic file, and deploying a data file received into processing.

NOTE Security risks in terms of physical security or system security are not discussed in this document. Please refer to the relevant IT security standards.

When converting a document into a format that is appropriate for processing, the organization should ensure that the information content of the received document and the converted document are not compromised.

During the receipt process, handling shall be suspended if the information includes a document that is not able to be approved. When the receipt process is suspended, the organization shall store the information in question and return the relevant document to the sender.

NOTE See Annex B for the controls for inspection of the document format received.

5.4 Document to be used at processing

Metadata shall be extracted from the received document that will be used during processing.


Metadata to be used during the document handling processes contains rights and privileged information, information for identifying the document, and the purpose of the document being processed for use.

Metadata is used to control the processes of the users and custodians of the document, as well as to identify the processing procedures.

The organization shall store the extracted metadata as well as the received contents into the EDMS or ECM.

NOTE The requirements for EDMS and ECM are shown in Annex A.

5.5 Preserving the receiving and approved context

The context of the receiving and approval operations shall be recorded as a system log or as an operations log. The context information contains the received and approved documents; the software used for approval and the converted documents (if necessary) for use, and stores this information in the preservation system.

The document metadata shall contain the name of the person that created it, an electronic signature and a time stamp marking the date it was preserved. The use of an electronic signature and time stamp shall be as described in ISO 14641.

NOTE 1 The requirements for ensuring the authenticity of the preserved document can vary depending on local regulations.

1) Authorize the output document.

2) Authenticate and apply a time stamp for both the received document and the output document.

3) Documents are stored with a trusted storage service. This document is called a true copy.

In addition, the context information (use log, reference log, update log, etc.) related to the generation of the document is preserved with an electronic signature and time stamp.

4) In addition to 2), the name and version of the software program used for editing and creation is also recorded and stored.

In addition to above, the usage history of the system program should be required.

NOTE 2 Local legislation can exist concerning the evidential requirements of documents.

NOTE 3 The document to be stored contains the name of the person, the date of creation, etc. It is critical to decide on the handling procedures to ensure data integrity according to the information handling rules.

6 Delivery

6.1 Requirements

Organizations should define the handling methods for each type of document to be controlled and delivered.

The type of document and the handling methods are defined according to the delivery policy and the contract with the vendor or customer.

NOTE See Annex C for the controls for inspection of the document format that is deliverable.

6.2 Controls for the delivery process

The organization shall preserve appropriate and validated business processes according to roles and responsibilities. Thus, the organization maintains the integrity of the processing process.

The organization shall assign appropriate workers to the delivery process.

The organization shall ensure that the organization to which the document is to be delivered has the rights and privileges to use the document that is being shipped to them.

The organization shall only deliver documents that they have the authority and privileges to deliver.

The organization shall maintain the integrity of the delivery process.

The organization shall maintain the quality of the equipment used for the delivery process.

The organization shall suppress the format and range of the document against the request of the delivery destination.

In addition, the organization shall convert to the format and range of the documents that have been made to the destination request.

The organization shall select an appropriate communication channel.

The organization shall be able to monitor the usage status of the information delivered.

The organization shall define the expiration date of the delivered document.

The document delivered and the preservation of the delivery log shall not be destroyed within the period specified.

The delivered document shall be recovered or disposed of upon expiration.

6.3 Controls for the recipient process

The receipt process is the process of converting the document into a format appropriate for its delivery and use by the other party, where this is necessary. This includes editing or redacting the document according to the rights and privileges of the receiving organization.
When converting a document to a format
...
