ISO 19475:2021

INTERNATIONAL ISO
STANDARD 19475
First edition
2021-06
Document management — Minimum
requirements for the storage of
documents
Gestion de documents — Exigences minimales pour le stockage des
documents
Reference number
©
ISO 2021
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General . 2
4.1 Policy . 2
4.2 Document types . 3
4.3 Controlling a received and delivered document . 4
4.4 Risks in document handling and measures . 4
4.4.1 Receipt and conversion . 4
4.4.2 Recipient and delivery . 4
5 Receipt and approval . 5
5.1 Requirements . 5
5.2 Controls for receipt . 5
5.3 Controls for approval . 5
5.4 Document to be used at processing . 5
5.5 Preserving the receiving and approved context . 6
6 Delivery . 6
6.1 Requirements . 6
6.2 Controls for the delivery process . 6
6.3 Controls for the recipient process . 7
6.4 Preservation of the delivery context . 7
6.5 Monitoring of the delivered document . 8
7 Storage . 8
Annex A (informative) Requirements for EDMS/ECM . 9
Annex B (informative) Approval processes .11
Annex C (informative) Delivery – Format of the document to be delivered .13
Bibliography .15
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 171, Document management applications,
Subcommittee SC 1, Quality, preservation and integrity of information.
This first edition cancels and replaces ISO/TS 19475-1, ISO/TS 19475-2, and ISO/TS 19475-3.
Any feedback or questions about this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO 2021 – All rights reserved

Introduction
This document specifies the minimum requirements for the operation of a document management
system necessary to maintain authenticity, integrity and readability of those managed documents.
Overall business operations are composed of the functions of receiving the document(s), performing
the work processes according to its contents, reporting the results of the processes and delivering
an outcome. A document management system serves the basic purpose of controlling the handling of
the received document, establishing the work processes and delivering the result of those processes.
Therefore, the reliability of the business processes and the process itself heavily depend on the
reliability of the document used as well as the reliability of the document management system.
The following operations are specified in this document, which relate to maintaining the reliability of
business activities:
— an operation that maintains the reliability of the received documents;
— an operation that maintains the integrity of the process activities; and
— an operation that ensures the authenticity of the delivered documents.
The reliability of the work processes is demonstrated by the effectiveness evaluation of the internal
controls of the organizations. Management is responsible for creating evidence during the organization's
business activities, ensuring and maintaining authenticity and integrity of the documents. Retained
documents produced as evidence of work are audited and assessed for validity. The framework and the
controls for preserving documents are described in ISO 15489.
ISO 14641 describes the methods for storing created or received electronic documents and provides
the guidelines for maintaining their integrity.
An electronic document management system (EDMS) is an effective technology for handling storage to
ensure the reliability of documents processed internally in an organization.
The above-mentioned mechanisms are a useful foundation for demonstrating the integrity of work
processes.
However, in executing their business operations, organizations create or receive various types of
documents and deliver them to other organizations. Sharing documents has the potential for a variety
of risks.
There is the risk that the organization can receive a document without any right to use it. There is
also the risk that the document contains false information, that the information was received through
inappropriate communication channels or, that the information is inappropriate for business purposes.
Any of these circumstances degrade the reliability of the work processes.
There are also risks involved when delivering a document to another organization. For example, it can
be delivered to the wrong party or the information is not appropriate to be shared. Organizations need
to take the necessary steps to mitigate these risks.
Organizations need to clarify their handling process procedures for receipt and delivery of documents.
Document handling procedures need to include quality criteria for the documents to be processed.
By applying the controls described in this document, an organization can operate their document
management system appropriately.
INTERNATIONAL STANDARD ISO 19475:2021(E)
Document management — Minimum requirements for the
storage of documents
1 Scope
This document specifies the minimum requirements necessary to maintain the authenticity, integrity
and readability of documents managed by an electronic document management system. Clarifying the
methods and procedures for appropriately handling electronic documents promotes the usability of the
documents, in both a legal and business context.
This document expresses a general business process as a document handling process. The document
handling processes include receiving, processing and delivering the documents as follows:
— approving the receipt of a document in a manner that is appropriate for a work process;
— storing the formal document in the work process environment;
— delivery of the document to another organization.
This document establishes the controls for execution of the work processes while maintaining the
authenticity and integrity of the document received.
This document establishes the policies for the storage of documents used as part of the work process. It
also details the controls for performing the receipt and conversion process appropriately.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes the requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 14641, Electronic document management — Design and operation of an information system for the
preservation of electronic documents — Specifications
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
enterprise content management
ECM
strategies, methods and tools used to capture, manage, store, preserve and deliver content and
documents (3.6) related to organizational processes
[SOURCE: ISO 12651-1:2012, 4.53, modified — Note 1 to entry has been removed.]
3.2
electronic document management system
EDMS
software program that manages the creation, storage and control of documents (3.6) electronically
3.3
preservation system
system that maintains the authenticity, integrity (3.7) and readability of documents (3.6) over time
3.4
storage system
information technology system that has the capability of managing electronically stored documents
(3.6)
3.5
database
collection of machine-readable information organized so that it can be easily accessed, managed and
updated
[SOURCE: ISO 5127:2017, 3.1.13.03]
3.6
document
information and the medium on which it is contained
[SOURCE: ISO 9000:2015, 3.8.5, modified — The Example and Notes 1 to 3 to entry have been removed.]
3.7
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 27000:2018, 3.36]
3.8
metadata
data about other data, documents (3.6) or records that describes their content, context, structure, data
format, provenance, and/or rights attached to them
[SOURCE: ISO 5127:2017, 3.1.10.26.01]
4 General
4.1 Policy
This document specifies the minimum requirements for the handling of electronic documents in
the framework of a business process. Storage of the document(s) involved with the general handling
processes are controlled in accordance with EDMS and ECM requirements (see Annex A). The
preservation and maintenance of the evidential value of the information used in business processes are
in accordance with the preservation system specified in ISO 14641.
This document describes a document handling process. The document handling process includes, but is
not limited to, receipt, processing and delivery of documents. The relationships are shown in Figure 1.
When a document is received, the receiving organization stores it and, if necessary, sets the data format
and form appropriate for the processing process.
Each receiving organization stores the document in a storage system so that the change history of the
document throughout the handling process is securely maintained. Maintaining a log of the handling
process in the preservation system also is required.
2 © ISO 2021 – All rights reserved

After processing is complete, if necessary, the delivering organization formats the document
appropriately for the recipient’s use. The organization sending the document transfers or shares it to
another organization.
The integrity of a delivered document should be tracked throughout the document processing process.
Therefore, organizations can use work-related documentation to fulfil accountability.
Figure 1 — Document handling processes
The organization validates that the document received contains the information required for
processing, and whether the organization had the right to receive it. After the document is received, it
can be converted into a format appropriate for handling. There is also a process for the verification that
the conversion was made accurately.
The organization review documents that are created or received by following the specified processes.
These processes include checks that confirm the integrity of the processing results and approved the
document.
The approved document may be reformatted as appropriate for the recipient’s use prior to delivery.
The delivered document is then stored within the preservation system. The delivered document is
monitored in terms of use, transfer, copying, updates and disposal.
By handling the document according to the methods described in this document, the integrity of
document handling is assured.
4.2 Document types
Types of document to be received by the organization are as follows:
— in paper form, such as an application document;
— a scanned electronic document from an original hard copy or photograph (.jpeg image), etc.;
— a document that was packaged with other forms of data (office systems, CAD, etc.);
— a document extracted from database information using an application program interface (API);
— a document obtained through a network via API (in this case, the document is not actually moving);
— a document that is part of a data stream.
Each type of information needs a different type of control. Therefore, having specific controls for each
type reduces the risk of losing information or creating an error.
4.3 Controlling a received and delivered document
To maintain the quality of the handling process, the integrity of the document received and delivered
shall be confirmed.
This is critical to ensure the integrity and reliability of the receipt the document, converting where
appropriate into a usable format and this approving the deliverable form and delivery processes of the
document.
To maintain reliability of these processes, manage the document as follows:
— define the type of document to be handled;
— define the handling procedure for each type of document;
— note the context of the handling process so that each process can be audited;
— when any problems are found during an audit, conduct correction and improvement actions.
NOTE “Context” is defined as information related to the document handling history. Examples include the
document author, references, update log, handling logs related to processing, etc.
4.4 Risks in document handling and measures
4.4.1 Receipt and conversion
An organization receives and, where necessary, converts the documents it receives into a format that is
appropriate for use in the organization. This document is then used according to the handling process
specified in this document.
This subclause describes the risks associated with the organization responsible for receiving and
converting the documents.
Examples of the risks are as follows:
— an organization can receive a document that it does not have the right to use;
— an inadequate decision can be taken if inappropriate documentation is processed
— incorrect worker assignments can cause information leakage and false information;
— when authenticity of the document received is not confirmed, it is not possible to maintain the
integrity of the documentation process and the delivered documents.
4.4.2 Recipient and delivery
This subclause describes the risks associated delivery processes.
Examples of the risks are as follows:
— the delivery of the document is inconsistent with the work process (tampering);
— inappropriate documents are delivered (error);
— the document is delivered to unauthorized users;
— the document is destroyed while in use.
4 © ISO 2021 – All rights reserved

5 Receipt and approval
5.1 Requirements
Organizations should define handling methods for each type of document to properly control the
documents they receive.
The type of document and the handling methods are defined according to the receiving policy and the
contract with the vendor or customer.
NOTE The type of document is defined by its use and purpose. The format of the document is defined by its
handling method.
5.2 Controls for receipt
The organization shall confirm the skill level of the person responsible for receiving the document
before giving the work order.
The organization shall confirm whether it has the rights and privileges to receive and use a received
document.
An organization shall not receive types of document they do not have the rights and privileges to use.
The organization shall maintain the integrity of the document received and approv
...