SIST ISO 30302:2017
Information and documentation -- Management systems for records -- Guidelines for implementation
This International Standard gives guidance for the implementation of a MSR in accordance with
ISO 30301. This International Standard is intended to be used in conjunction with ISO 30300 and
ISO 30301. This International Standard does not modify and/or reduce the requirements specified in
ISO 30301. It describes the activities to be undertaken when designing and implementing a MSR.
This International Standard is intended to be used by any organization implementing a MSR. It is
applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit
organizations) of all sizes.
Information et documentation -- Système de gestion des documents d'activité -- Lignes directrices de mise en oeuvre
Informatika in dokumentacija - Sistemi za upravljanje zapisov - Smernice za uvedbo
SLOVENIAN STANDARD
SIST ISO 30302:2017
01 February 2017
Informatika in dokumentacija - Sistemi za upravljanje zapisov - Smernice za uvedbo
Information and documentation -- Management systems for records -- Guidelines for implementation
Information et documentation -- Système de gestion des documents d'activité -- Lignes directrices de mise en oeuvre
This Slovenian standard is identical to: ISO 30302:2015
ICS:
01.140.20 Information sciences
03.100.70 Management systems
SIST ISO 30302:2017 en,fr
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
INTERNATIONAL STANDARD ISO 30302
First edition
2015-09-15
Information and documentation — Management systems for records — Guidelines for implementation
Information et documentation — Système de gestion des documents d’activité — Lignes directrices de mise en oeuvre
Reference number: ISO 30302:2015(E)
© ISO 2015
COPYRIGHT PROTECTED DOCUMENT
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Business, legal and other requirements
4.3 Defining the scope of the MSR
5 Leadership
5.1 Management commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
5.3.1 General
5.3.2 Management responsibilities
5.3.3 Operational responsibilities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Records objectives and plans to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness and training
7.4 Communication
7.5 Documentation
7.5.1 General
7.5.2 Control of documentation
8 Operation
8.1 Operational planning and control
8.2 Design of records processes
8.3 Implementation of records systems
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 Determining what and how to monitor, measure, analyse and evaluate
9.1.2 Evaluation of the performance of records processes, systems and the effectiveness of the MSR
9.1.3 Assessing effectiveness
9.2 Internal system audit
9.3 Management review
10 Improvement
10.1 Nonconformity control and corrective actions
10.2 Continual improvement
Annex A (informative) Examples of sources of information and requirements supporting the analysis of organizational context
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
Introduction
ISO 30302 is part of a series of International Standards, under the general title Information and
documentation — Management systems for records:
— ISO 30300, Information and documentation — Management systems for records — Fundamentals
and vocabulary
— ISO 30301, Information and documentation — Management systems for records — Requirements
— ISO 30302, Information and documentation — Management systems for records — Guidelines for
implementation
ISO 30300 specifies the terminology for the Management systems for records (MSR) series of standards
and the objectives and benefits of a MSR; ISO 30301 specifies the requirements for a MSR where an
organization needs to demonstrate its ability to create and control records from its business activities
for as long as they are required; ISO 30302 provides guidance for the implementation of a MSR.
The purpose of this International Standard is to provide practical guidance on how to implement a
management system for records (MSR) within an organization in accordance with ISO 30301. This
International Standard covers what is needed to establish and maintain a MSR.
The implementation of a MSR is generally executed as a project. A MSR can be implemented in
organizations with existing records systems or programmes to review and improve the management
of those systems or programmes or in organizations planning to implement a systematic and verifiable
approach to records creation and control for the first time. Guidance described in this International
Standard can be used in both situations.
It is assumed that organizations that decide to implement a MSR have made a preliminary assessment of
their existing records and records systems and have identified risks to be addressed and opportunities
for major improvements. For example, the decision to implement a MSR can be taken as a risk-reduction
measure for undertaking a major information technology platform change or outsourcing business
processes identified as high risk. Alternatively, the MSR can provide a standardized management
framework for major improvements such as integrating records processes with specific business
processes or improving control and management of records of online transactions or business use of
social media.
The use of this guidance is necessarily flexible. It depends on the size, nature and complexity of the
organization and the level of maturity of the MSR if one is already in place. Each organization’s context
and complexity is unique and its specific contextual requirements will drive the MSR implementation.
Smaller organizations will find that the activities described in this International Standard can be
simplified. Large or complex organizations might find that a layered management system is needed to
implement and manage the activities in this International Standard effectively.
Guidance in this International Standard follows the same structure as ISO 30301, describing the
activities to be undertaken to meet the requirements of ISO 30301 and how to document those activities.
Clause 4 deals with how to perform the analysis needed to implement a MSR. From this analysis, the
scope of the MSR is defined and the relationship between implementing a MSR and other management
systems is identified.
Clause 5 explains how to gain the commitment of top management. The commitment is expressed in a
records policy, the assignment of responsibilities, planning the implementation of the MSR and adopting
records objectives.
Clause 6 deals with planning, which is informed by high-level risk analysis, the contextual analysis (see
Clause 4), and the resources available (see Clause 7). Clause 7 outlines the support needed for the MSR,
such as resources, competence, training and communication, and documentation.
Clause 8 deals with defining or reviewing and planning the records processes to be implemented. It
draws on the contextual requirements and scope (see Clause 4) and is based on the records policy
(see 5.2), the risk analysis (see 6.1) and resources needed (see 7.1) to meet the records objectives
(see 6.2) in the planned implementation. Clause 8 explains what records processes and systems need to
be implemented for a MSR.
Clauses 9 and 10 deal with performance evaluation and improvement against planning, objectives and
requirements defined in ISO 30301.
For each of ISO 30301:2011, Clauses 4 to 10, this International Standard provides the following:
a) the activities necessary to meet the requirements of ISO 30301 – activities can be done sequentially,
while some will need to be done simultaneously using the same contextual analysis;
b) inputs to the activities – these are the starting points and can be outputs from previous activities;
c) outputs of the activities – these are the results or deliverables on completion of the activities.
This International Standard is intended to be used by those responsible for leading the implementation
and maintenance of the MSR. It can also help top management in making decisions on the establishment,
scope and implementation of management systems in their organization. It is to be used by people
responsible for leading the implementation and maintenance of the MSR. The concepts of how to
design the operational records processes are based on the principles established by ISO 15489-1. Other
International Standards and Technical Reports developed by ISO/TC 46/SC 11 are the principal tools
for designing, implementing, monitoring and improving records processes, controls and systems, and
can be used in conjunction with this International Standard for implementing the detailed operational
elements of the MSR.
Organizations that have already implemented ISO 15489-1 can use this International Standard to
develop an organizational infrastructure for managing records under the systematic and verifiable
approach of the MSR.
INTERNATIONAL STANDARD ISO 30302:2015(E)
Information and documentation — Management systems
for records — Guidelines for implementation
1 Scope
This International Standard gives guidance for the implementation of a MSR in accordance with
ISO 30301. This International Standard is intended to be used in conjunction with ISO 30300 and
ISO 30301. This International Standard does not modify and/or reduce the requirements specified in
ISO 30301. It describes the activities to be undertaken when designing and implementing a MSR.
This International Standard is intended to be used by any organization implementing a MSR. It is
applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit
organizations) of all sizes.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300, Information and documentation — Management systems for records — Fundamentals and
vocabulary
ISO 30301:2011, Information and documentation — Management systems for records — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300 apply.
4 Context of the organization
4.1 Understanding of the organization and its context
The context of the organization should determine and drive the implementation and improvement of
a MSR. The requirements of this Clause are intended to ensure the organization has considered its
context and needs as part of the implementation of a MSR. These requirements are met by analysing
the organization’s context. This analysis should be performed as the first step of the implementation to
a) identify internal and external factors (see 4.1),
b) identify business, legal and other requirements (see 4.2), and
c) define the scope of the MSR (see 4.3) and identify risks (see Clause 6).
NOTE 1 When the scope of the MSR is stated by top management at the starting point, before identifying
factors and the need for records, the extent of the contextual analysis is defined by the scope as stated.
NOTE 2 This MSS approach for context analysis and identification of requirements is compatible with the
analysis process (appraisal) proposed by ISO 15489-1 which also includes elements of planning (see Clause 6)
and identification of needs of records (see Clause 8).
Contextual information needs to be from a reliable source, accurate, up to date and complete. Regular
review of the sources of this information ensures the accuracy and reliability of the contextual analysis.
A.1 provides examples of sources of information about the organization’s internal and external context
and examples of potential stakeholders.
In identifying how the context affects the MSR, examples of important factors can be
1) how a competitive market affects the need to demonstrate efficient processes,
2) how external stakeholders’ values or perceptions affect records retention decisions or information
access decisions,
3) how the information technology infrastructure and information architecture can affect the
availability of records systems or records,
4) how the skills and competencies within the organization can affect the need for training or
external assistance,
5) how legislative instruments, policies, standards and codes affect the design of records processes
and controls,
6) how the organizational culture can affect compliance with the requirements of the MSR, and
7) how the complexity of the organization’s structure, business and legislative environment will affect
records policy, processes and controls (e.g. in a multi-jurisdictional environment).
Depending on the organization, the identification of internal and external factors may have been
performed for other purposes, including the implementation of other management system standards.
In such cases, a new analysis may not be needed and an adaptation will suffice.
The contextual analysis is a continual process. It informs the establishment and systematic evaluation
of the MSR (see Clause 9) and supports the cycle of continuous improvement (see Clause 10).
Output
Documented evidence that the analysis has been undertaken is a requirement of ISO 30301. Examples
are as follows:
— a list of internal and external factors to take into account;
— a chapter in a manual or project plan for implementing a MSR;
— a formal report on the analysis of the organization’s internal and external context and how it affects
and is affected by the MSR;
— a series of documents about the context of the organization.
4.2 Business, legal and other requirements
Using the result of the analysis described in 4.1 as the starting point, the legal, business and other
requirements are assessed in relation to the business activities and documented. The business
activities are the first elements that are analysed to identify the requirements that affect records
creation and control.
Identifying business requirements should take the following into account:
a) the nature of the activities of the organization (e.g. mining, financial advice, providing public
services, manufacturing, pharmaceutical, personal services, non-profit, community services);
b) the particular form or ownership of the organization (e.g. a trust, company or government
organization);
c) the particular sector to which the organization belongs (i.e. public or private sector, non-profit);
d) the jurisdiction(s) in which the organization operates.
Business requirements should be identified from the performance of current business processes and
also from the perspective of future planning and development. Special attention is needed when the
organization is implementing automated or digital business processes. In these cases, requirements can
change and need to be discussed with the people responsible for the development and implementation
of the proposed new processes.
Activities to determine all the mandatory legal and regulatory instruments applicable to the
organization include the following:
1) reviewing compliance requirements for sector-related legislation;
2) reviewing compliance for privacy and other records/data management legislation.
A.2 provides examples of the business, legal and other requirements relating to the creation and control
of records and for sources of expert assistance in identifying business, legal and other requirements.
Output
Documentation of the identification of the business, legal and other requirements is mandatory in order
to comply with ISO 30301. Requirements can be documented all together or in separate documents by
type of requirement. Examples of the kind of documentation are as follows:
— a list of requirements identified by type (e.g. business, legislative);
— a chapter in a manual or project plan for implementing a MSR;
— a formal report on identification of requirements for the MSR;
— a list of all laws and other codified regulatory or mandatory instruments that apply to the
organization relating to the creation and control of records;
— a Precedents Profile (a set of legal precedents on particular subject matters relevant to the
organization).
4.3 Defining the scope of the MSR
The scope of the MSR is a decision made by top management and clearly outlines the boundaries,
inclusions, exclusions, roles and relationships of the component parts of the MSR.
The scope can be defined as a result of the contextual analysis, taking into account identified factors
(see 4.1) and requirements (see 4.2) but also can be stated by top management from the starting point
before identifying factors and requirements.
The scope includes the following:
a) identification of what parts or functions of the organization are included. It can be the whole
organization, an area or department, a specific function or business process or a group of them;
b) identification of what parts or functions of other (related) organizations are included and the
relationships between them;
c) description of how the MSR integrates with the overall management system and with other
specific management systems implemented by the organization (e.g. ISO 9000, ISO 14000 and
ISO/IEC 27000);
d) identification of any processes that affect the MSR that are outsourced and the controls for the
entities responsible for the outsourced process.
Output
A documented statement defining the scope of the MSR is a requirement of the MSR. This statement can
be a single document or be included in other MSR documents such as the records policy (see 5.2) or in
manuals or project plans to implement the MSR.
5 Leadership
5.1 Management commitment
The commitment of top management to implementing the MSR is stated as explicitly and at the same
level of detail as for any other management systems implemented by the organization and as for its
other assets, e.g. human resources, finances and infrastructure. The requirement to demonstrate top
management commitment does not require a specific activity to be performed but is essential for
the success of the MSR. Commitment is also implicit in other requirements of ISO 30301 relating to
resources (see 7.1), communication (see 7.4) and management review (see 9.3).
Output
It is not mandatory to document top management’s commitment to the MSR, except in the records
policy (see 5.2), which can be considered as evidence of that commitment. Commitment can also be
demonstrated by actions or statements but depending on the nature and complexity of the organization,
evidence of commitment should be documented in addition to the records policy. Examples can be
found in the following:
— minutes of Boards of Directors or Boards of Management;
— statements in strategic and business plans;
— management resolutions and directives;
— budgets, business cases;
— communication plans.
5.2 Policy
The strategic direction of the organization, as defined by top management, is the basis for the records
policy. The records policy is established by top management as the driver for implementing and improving
an organization’s MSR and providing the benchmark for assessing the performance of the MSR.
Directions from top management need to be stated in a formal document. The document is not
normally drafted by top management but requires top management’s formal approval, independent of
the authors. Depending on the organization, top management can be identified by different positions
but the records policy should be endorsed by the person in the position recognized as the most senior.
The records policy contains the overall direction on how records creation a
...
INTERNATIONAL ISO
STANDARD 30302
First edition
2015-09-15
Information and documentation —
Management systems for records —
Guidelines for implementation
Information et documentation — Système de gestion des documents
d’activité — Lignes directrices de mise en oeuvre
Reference number
ISO 30302:2015(E)
©
ISO 2015
---------------------- Page: 1 ----------------------
ISO 30302:2015(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2015 – All rights reserved
---------------------- Page: 2 ----------------------
ISO 30302:2015(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 1
4.1 Understanding of the organization and its context . 1
4.2 Business, legal and other requirements . 2
4.3 Defining the scope of the MSR . 3
5 Leadership . 4
5.1 Management commitment . 4
5.2 Policy . 4
5.3 Organizational roles, responsibilities and authorities. 5
5.3.1 General. 5
5.3.2 Management responsibilities . 6
5.3.3 Operational responsibilities . 7
6 Planning . 7
6.1 Actions to address risks and opportunities . 7
6.2 Records objectives and plans to achieve them . 9
7 Support .10
7.1 Resources .10
7.2 Competence .11
7.3 Awareness and training .12
7.4 Communication .13
7.5 Documentation .14
7.5.1 General.14
7.5.2 Control of documentation .15
8 Operation .16
8.1 Operational planning and control .16
8.2 Design of records processes .16
8.3 Implementation of records systems .19
9 Performance evaluation .21
9.1 Monitoring, measurement, analysis and evaluation .21
9.1.1 Determining what and how to monitor, measure, analyse and evaluate .21
9.1.2 Evaluation of the performance of records processes, systems and the
effectiveness of the MSR .22
9.1.3 Assessing effectiveness .22
9.2 Internal system audit .23
9.3 Management review .24
10 Improvement .25
10.1 Nonconformity control and corrective actions .25
10.2 Continual improvement .26
Annex A (informative) Examples of sources of information and requirements supporting
the analysis of organizational context .27
Bibliography .30
© ISO 2015 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO 30302:2015(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
iv © ISO 2015 – All rights reserved
---------------------- Page: 4 ----------------------
ISO 30302:2015(E)
Introduction
ISO 30302 is part of a series of International Standards, under the general title Information and
documentation — Management systems for records:
— ISO 30300, Information and documentation — Management systems for records — Fundamentals
and vocabulary
— ISO 30301, Information and documentation — Management systems for records — Requirements
— ISO 30302, Information and documentation — Management systems for records — Guidelines for
implementation
ISO 30300 specifies the terminology for the Management systems for records (MSR) series of standards
and the objectives and benefits of a MSR; ISO 30301 specifies the requirements for a MSR where an
organization needs to demonstrate its ability to create and control records from its business activities
for as long as they are required; ISO 30302 provides guidance for the implementation of a MSR.
The purpose of this International Standard is to provide practical guidance on how to implement a
management system for records (MSR) within an organization in accordance with ISO 30301. This
International Standard covers what is needed to establish and maintain a MSR.
The implementation of a MSR is generally executed as a project. A MSR can be implemented in
organizations with existing records systems or programmes to review and improve the management
of those systems or programmes or in organizations planning to implement a systematic and verifiable
approach to records creation and control for the first time. Guidance described in this International
Standard can be used in both situations.
It is assumed that organizations that decide to implement a MSR have made a preliminary assessment of
their existing records and records systems and have identified risks to be addressed and opportunities
for major improvements. For example, the decision to implement a MSR can be taken as a risk-reduction
measure for undertaking a major information technology platform change or outsourcing business
processes identified as high risk. Alternatively, the MSR can provide a standardized management
framework for major improvements such as integrating records processes with specific business
processes or improving control and management of records of online transactions or business use of
social media.
The use of this guidance is necessarily flexible. It depends on the size, nature and complexity of the
organization and the level of maturity of the MSR if one is already in place. Each organization’s context
and complexity are unique and its specific contextual requirements will drive the MSR implementation.
Smaller organizations will find that the activities described in this International Standard can be
simplified. Large or complex organizations might find that a layered management system is needed to
implement and manage the activities in this International Standard effectively.
Guidance in this International Standard follows the same structure as ISO 30301, describing the
activities to be undertaken to meet the requirements of ISO 30301 and how to document those activities.
Clause 4 deals with how to perform the analysis needed to implement a MSR. From this analysis, the
scope of the MSR is defined and the relationship between implementing a MSR and other management
systems is identified.
Clause 5 explains how to gain the commitment of top management. The commitment is expressed in a
records policy, the assignment of responsibilities, planning the implementation of the MSR and adopting
records objectives.
Clause 6 deals with planning, which is informed by high-level risk analysis, the contextual analysis (see
Clause 4), and the resources available (see Clause 7). Clause 7 outlines the support needed for the MSR,
such as resources, competence, training and communication, and documentation.
Clause 8 deals with defining or reviewing and planning the records processes to be implemented. It
draws on the contextual requirements and scope (see Clause 4) and is based on the records policy
(see 5.2), the risk analysis (see 6.1) and resources needed (see 7.1) to meet the records objectives
(see 6.2) in the planned implementation. Clause 8 explains what records processes and systems need to
be implemented for a MSR.
Clauses 9 and 10 deal with performance evaluation and improvement against planning, objectives and
requirements defined in ISO 30301.
For each of ISO 30301:2011, Clauses 4 to 10, this International Standard provides the following:
a) the activities necessary to meet the requirements of ISO 30301 – activities can be done sequentially,
while some will need to be done simultaneously using the same contextual analysis;
b) inputs to the activities – these are the starting points and can be outputs from previous activities;
c) outputs of the activities – these are the results or deliverables on completion of the activities.
This International Standard is intended to be used by those responsible for leading the implementation
and maintenance of the MSR. It can also help top management in making decisions on the establishment,
scope and implementation of management systems in their organization. It is to be used by people
responsible for leading the implementation and maintenance of the MSR. The concepts of how to
design the operational records processes are based on the principles established by ISO 15489-1. Other
International Standards and Technical Reports developed by ISO/TC 46/SC 11 are the principal tools
for designing, implementing, monitoring and improving records processes, controls and systems, and
can be used in conjunction with this International Standard for implementing the detailed operational
elements of the MSR.
Organizations that have already implemented ISO 15489-1 can use this International Standard to
develop an organizational infrastructure for managing records under the systematic and verifiable
approach of the MSR.
INTERNATIONAL STANDARD ISO 30302:2015(E)
Information and documentation — Management systems
for records — Guidelines for implementation
1 Scope
This International Standard gives guidance for the implementation of a MSR in accordance with
ISO 30301. This International Standard is intended to be used in conjunction with ISO 30300 and
ISO 30301. This International Standard does not modify and/or reduce the requirements specified in
ISO 30301. It describes the activities to be undertaken when designing and implementing a MSR.
This International Standard is intended to be used by any organization implementing a MSR. It is
applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit
organizations) of all sizes.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300, Information and documentation — Management systems for records — Fundamentals and
vocabulary
ISO 30301:2011, Information and documentation — Management systems for records — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300 apply.
4 Context of the organization
4.1 Understanding of the organization and its context
The context of the organization should determine and drive the implementation and improvement of
a MSR. The requirements of this Clause are intended to ensure the organization has considered its
context and needs as part of the implementation of a MSR. These requirements are met by analysing
the organization’s context. This analysis should be performed as the first step of the implementation to
a) identify internal and external factors (see 4.1),
b) identify business, legal and other requirements (see 4.2), and
c) define the scope of the MSR (see 4.3) and identify risks (see Clause 6).
NOTE 1 When the scope of the MSR is stated by top management at the starting point, before identifying
factors and the need for records, the extent of the contextual analysis is defined by the scope as stated.
NOTE 2 This MSS approach for context analysis and identification of requirements is compatible with the
analysis process (appraisal) proposed by ISO 15489-1 which also includes elements of planning (see Clause 6)
and identification of needs of records (see Clause 8).
Contextual information needs to be from a reliable source, accurate, up to date and complete. Regular
review of the sources of this information ensures the accuracy and reliability of the contextual analysis.
A.1 provides examples of sources of information about the organization’s internal and external context
and examples of potential stakeholders.
In identifying how the context affects the MSR, examples of important factors can be
1) how a competitive market affects the need to demonstrate efficient processes,
2) how external stakeholders’ values or perceptions affect records retention decisions or information
access decisions,
3) how the information technology infrastructure and information architecture can affect the
availability of records systems or records,
4) how the skills and competencies within the organization can affect the need for training or
external assistance,
5) how legislative instruments, policies, standards and codes affect the design of records processes
and controls,
6) how the organizational culture can affect compliance with the requirements of the MSR, and
7) how the complexity of the organization’s structure, business and legislative environment will affect
records policy, processes and controls (e.g. in a multi-jurisdictional environment).
Depending on the organization, the identification of internal and external factors may have been
performed for other purposes, including the implementation of other management system standards.
In such cases, a new analysis may not be needed and an adaptation will suffice.
The contextual analysis is a continual process. It informs the establishment and systematic evaluation
of the MSR (see Clause 9) and supports the cycle of continuous improvement (see Clause 10).
Output
Documented evidence that the analysis has been undertaken is a requirement of ISO 30301. Examples
are as follows:
— a list of internal and external factors to take into account;
— a chapter in a manual or project plan for implementing a MSR;
— a formal report on the analysis of the organization’s internal and external context and how it affects
and is affected by the MSR;
— a series of documents about the context of the organization.
4.2 Business, legal and other requirements
Using the result of the analysis described in 4.1 as the starting point, the legal, business and other
requirements are assessed in relation to the business activities and documented. The business
activities are the first elements that are analysed to identify the requirements that affect records
creation and control.
Identifying business requirements should take the following into account:
a) the nature of the activities of the organization (e.g. mining, financial advice, providing public
services, manufacturing, pharmaceutical, personal services, non-profit, community services);
b) the particular form or ownership of the organization (e.g. a trust, company or government
organization);
c) the particular sector to which the organization belongs (i.e. public or private sector, non-profit);
d) the jurisdiction(s) in which the organization operates.
Business requirements should be identified from the performance of current business processes and
also from the perspective of future planning and development. Special attention is needed when the
organization is implementing automated or digital business processes. In these cases, requirements can
change and need to be discussed with the people responsible for the development and implementation
of the proposed new processes.
Activities to determine all the mandatory legal and regulatory instruments applicable to the
organization include the following:
1) reviewing compliance requirements for sector-related legislation;
2) reviewing compliance for privacy and other records/data management legislation.
A.2 provides examples of the business, legal and other requirements relating to the creation and control
of records and for sources of expert assistance in identifying business, legal and other requirements.
Output
Documentation of the identification of the business, legal and other requirements is mandatory in order
to comply with ISO 30301. Requirements can be documented all together or in separate documents by
type of requirement. Examples of the kind of documentation are as follows:
— a list of requirements identified by type (e.g. business, legislative);
— a chapter in a manual or project plan for implementing a MSR;
— a formal report on identification of requirements for the MSR;
— a list of all laws and other codified regulatory or mandatory instruments that apply to the
organization relating to the creation and control of records;
— a Precedents Profile (a set of legal precedents on particular subject matters relevant to the
organization).
4.3 Defining the scope of the MSR
The scope of the MSR is a decision made by top management and clearly outlines the boundaries,
inclusions, exclusions, roles and relationships of the component parts of the MSR.
The scope can be defined as a result of the contextual analysis, taking into account identified factors
(see 4.1) and requirements (see 4.2) but also can be stated by top management from the starting point
before identifying factors and requirements.
The scope includes the following:
a) identification of what parts or functions of the organization are included. It can be the whole
organization, an area or department, a specific function or business process or a group of them;
b) identification of what parts or functions of other (related) organizations are included and the
relationships between them;
c) description of how the MSR integrates with the overall management system and with other
specific management systems implemented by the organization (e.g. ISO 9000, ISO 14000 and
ISO/IEC 27000);
d) identification of any processes that affect the MSR that are outsourced and the controls for the
entities responsible for the outsourced process.
Output
A documented statement defining the scope of the MSR is a requirement of the MSR. This statement can
be a single document or be included in other MSR documents such as the records policy (see 5.2) or in
manuals or project plans to implement the MSR.
5 Leadership
5.1 Management commitment
The commitment of top management to implementing the MSR is stated as explicitly and at the same
level of detail as for any other management systems implemented by the organization and as for its
other assets, e.g. human resources, finances and infrastructure. The requirement to demonstrate top
management commitment does not require a specific activity to be performed but is essential for
the success of the MSR. Commitment is also implicit in other requirements of ISO 30301 relating to
resources (see 7.1), communication (see 7.4) and management review (see 9.3).
Output
It is not mandatory to document top management’s commitment to the MSR, except in the records
policy (see 5.2), which can be considered as evidence of that commitment. Commitment can also be
demonstrated by actions or statements but depending on the nature and complexity of the organization,
evidence of commitment should be documented in addition to the records policy. Examples can be
found in the following:
— minutes of Boards of Directors or Boards of Management;
— statements in strategic and business plans;
— management resolutions and directives;
— budgets, business cases;
— communication plans.
5.2 Policy
The strategic direction of the organization, as defined by top management, is the basis for the records
policy. The records policy is established by top management as the driver for implementing and improving
an organization’s MSR and providing the benchmark for assessing the performance of the MSR.
Directions from top management need to be stated in a formal document. The document is not
normally drafted by top management but requires top management’s formal approval, independent of
the authors. Depending on the organization, top management can be identified by different positions
but the records policy should be endorsed by the person in the position recognized as the most senior.
The records policy contains the overall direction on how records creation and control meet the
organizational goals and provides the principles for action. It can be integrated into an overarching
management policy where more than one management systems standard is implemented. In this case,
the records policy does not require separate management endorsement.
Inputs to the records policy include the following:
a) analysis of the organizational context and identification of the requirements (see 4.1 to 4.2);
b) organizational goals and strategies;
c) influence of, or relationship of the policy to other organizational policies;
d) scope of the MSR (see 4.3);
e) organizational structure and delegations.
The records policy is a statement of intent and includes, for example,
1) purpose,
2) high-level directions for the creation and control of records,
3) high-level responsibilities or commitment for the creation and control of records,
4) indicatio
...
INTERNATIONAL STANDARD ISO 30302
First edition
2015-10-15
Information and documentation — Management systems for records
— Guidelines for implementation
Reference number
ISO 30302:2015(F)
© ISO 2015
COPYRIGHT PROTECTED DOCUMENT
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized
in any form or by any means, electronic or mechanical, including photocopying, or posting on the
internet or an intranet, without prior written permission. Requests for permission can be addressed to ISO at
the address below or to the ISO member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Business, legal and other requirements
4.3 Defining the scope of the MSR
5 Leadership
5.1 Management commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
5.3.1 General
5.3.2 Management responsibilities
5.3.3 Operational responsibilities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Records objectives and plans to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness and training
7.4 Communication
7.5 Documentation
7.5.1 General
7.5.2 Control of documentation
8 Operation
8.1 Operational planning and control
8.2 Design of records processes
8.3 Implementation of records systems
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation of performance
9.1.1 Determining what and how to monitor, measure, analyse and evaluate performance
9.1.2 Evaluation of the performance of records processes and systems and of the effectiveness of the MSR
9.1.3 Assessing the effectiveness of the MSR
9.2 Internal system audit
9.3 Management review
10 Improvement
10.1 Nonconformity control and corrective actions
10.2 Continual improvement
Annex A (informative) Examples of sources of information and requirements supporting the analysis of organizational context
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national
standards bodies (ISO member bodies). The work of preparing International Standards is normally
entrusted to ISO technical committees. Each member body interested in a subject has the right to be
represented on the technical committee established for that purpose. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates
closely with the International Electrotechnical Commission (IEC) on matters of electrotechnical
standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules given in the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
intellectual property rights or similar rights. ISO shall not be held responsible for failing to identify
any such property rights or to give notice of their existence. Details of any intellectual property rights
or similar rights identified during the development of the document are given in the Introduction
and/or in the list of patent declarations received by ISO (see www.iso.org/brevets).
Any trade names mentioned in this document are given for information, for the convenience of users,
and do not constitute an endorsement.
For an explanation of the meaning of ISO-specific terms and expressions related to conformity
assessment, or for any information about ISO’s adherence to the WTO principles concerning Technical
Barriers to Trade (TBT), see the following link: Foreword — Supplementary information.
The committee responsible for developing this document is ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
Introduction
ISO 30302 is part of a series of International Standards presented under the general title Information
and documentation — Management systems for records:
— ISO 30300, Information and documentation — Management systems for records — Fundamentals
and vocabulary
— ISO 30301, Information and documentation — Management systems for records — Requirements
— ISO 30302, Information and documentation — Management systems for records — Guidelines for
implementation
ISO 30300 specifies the terminology used in the series of standards on management systems for
records (MSR), as well as the objectives and benefits of such a system. ISO 30301 specifies the
requirements for a management system for records where an organization demonstrates its ability to
create and control the records of its activities for as long as those records are required. ISO 30302
provides guidelines for the implementation of a management system for records.
The purpose of this International Standard is to provide practical guidelines on how to implement,
within an organization, a management system for records (MSR) that conforms to the requirements of
ISO 30301. This International Standard covers the aspects needed to establish and maintain a MSR.
The implementation of a MSR is generally carried out as a project. A MSR can be implemented in
organizations that already have records systems or programmes, in order to review and improve the
management of those systems or programmes, or in organizations that intend to implement a
systematic and verifiable method of creating and controlling records for the first time. The guidelines
described in this International Standard can be used in both cases.
It is assumed that organizations that decide to implement a MSR have carried out a preliminary
assessment of their existing records and records systems and have identified the risks to be addressed
and the opportunities for significant improvements. For example, the decision to implement a MSR can
be a measure to reduce a risk arising from a significant change to an information technology platform
or from the outsourcing of business processes identified as high risk. The MSR can also provide a
standardized management framework for implementing significant improvements such as integrating
records processes with specific business processes or improving the control and management of
records relating to online transactions or the use of social media.
The use of these guidelines necessarily allows for some flexibility. It depends on the size, nature and
complexity of the organization and on the level of maturity of the MSR if one is already in place. The
context and complexity of each organization are unique, and the contextual requirements specific to
the organization will drive the implementation of the MSR. Small organizations will find that the
activities described in this International Standard can be simplified. Large or complex organizations
might find that a multi-layered management system is needed to implement and manage effectively
the activities set out in this International Standard.
The guidelines in this International Standard follow the same structure as ISO 30301, describing the
activities to be undertaken to meet the requirements of ISO 30301 and how to document those activities.
Clause 4 explains how to perform the analysis needed for any implementation of a MSR. This analysis
makes it possible to define the scope of the MSR and to determine the relationships between
implementing a MSR and the other management systems.
Clause 5 explains how to obtain the commitment of top management. This commitment is expressed
through a records policy, the assignment of responsibilities, the planning of the implementation of the
MSR and the adoption of records objectives.
Clause 6 deals with planning, which takes into account the high-level risk analysis, the contextual
analysis (see Clause 4) and the resources available (see Clause 7). Clause 7 describes the support that
a MSR needs, for example resources, competence, training and communication, and documentation.
Clause 8 deals with defining or reviewing and planning the records processes to be implemented. It
respects the contextual requirements and the scope (see Clause 4) and is based on the records policy
(see 5.2), the risk analysis (see 6.1) and the resources needed (see 7.1) to meet the records objectives
(see 6.2) in the planned implementation. Clause 8 explains the records processes and systems that
need to be implemented for a MSR.
Clauses 9 and 10 deal with evaluating and improving performance against the planning, objectives
and requirements defined in ISO 30301.
For each of Clauses 4 to 10 of ISO 30301:2011, this International Standard describes the following:
a) the activities necessary to meet the requirements of ISO 30301 – these activities can be carried out
one after another, while some will need to be carried out simultaneously using the same
contextual analysis;
b) the inputs to the activities – these are the starting points and can be the outputs of
previous activities;
c) the outputs of the activities – these are the results or deliverables obtained on completion
of the activities.
This International Standard is intended to be used by those responsible for the implementation and
maintenance of the organization’s management systems. It also helps top management to make
decisions on the establishment, scope definition and implementation of the organization’s management
systems. It is to be used by those responsible for the implementation and maintenance of the MSR. The
design elements of the operational records processes are based on the principles set out in
ISO 15489-1. The other International Standards and Technical Reports drafted by ISO/TC 46/SC 11 are
the principal tools for designing, implementing, monitoring and improving records processes, controls
and systems, and can be used in conjunction with this International Standard for implementing the
detailed operational elements of the MSR.
Organizations that have already implemented ISO 15489-1 can use this International Standard to
develop an organizational infrastructure for managing records under the systematic and verifiable
method of the MSR.
INTERNATIONAL STANDARD ISO 30302:2015(F)
Information and documentation — Management systems
for records — Guidelines for implementation
1 Scope
This International Standard provides guidelines for the implementation of a Management System for
Records (MSR) that conforms to ISO 30301. This International Standard is intended to be used in
conjunction with ISO 30300 and ISO 30301. This International Standard does not modify and/or
restrict the requirements specified in ISO 30301. It describes the activities to be undertaken to design
and implement a MSR.
This International Standard is intended to be used by any organization implementing a MSR. It is
applicable to all types of organization (for example: commercial enterprises, public bodies, non-profit
organizations) of all sizes.
2 Normative references
The following documents, in whole or in part, are normative references indispensable for the
application of this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document applies (including any amendments).
ISO 30300, Information and documentation — Management systems for records — Fundamentals and
vocabulary
ISO 30301:2011, Information and documentation — Management systems for records — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300 apply.
4 Context of the organization
4.1 Understanding of the organization and its context
The context of the organization should determine and drive the implementation and improvement of
a MSR. The requirements of this clause are intended to verify that the organization takes into account
its own context and needs as part of the implementation of a MSR. These requirements are met by
analysing the organization’s context. This analysis should be the first step of the implementation, in
order to:
a) determine the internal and external factors (see 4.1),
b) determine the business, legal and other requirements (see 4.2), and
c) define the scope of the MSR (see 4.3) and identify the risks (see Clause 6).
NOTE 1 When the scope of the MSR is stated by top management at the starting point, before the
factors and the needs for records are determined, the extent of the contextual analysis is defined by the
scope as stated.
NOTE 2 The MSS (management systems standards) approach to context analysis and
identification of requirements is compatible with the analysis (appraisal) process proposed by ISO 15489-1,
which also incorporates elements of planning (see Clause 6) and identification of needs for records
(see Clause 8).
Contextual information needs to come from a reliable source and to be
accurate, up to date and complete. Regular review of the sources of this information ensures the accuracy
and reliability of the context analysis.
Clause A.1 provides examples of sources of information about the internal and external context of an
organization and examples of potential interested parties.
Examples of significant factors to consider when determining
how the context affects the MSR include:
1) how a competitive market affects the need to demonstrate the effectiveness of its processes,
2) how the values or perceptions of external stakeholders affect
records retention decisions or information access decisions,
3) how the IT infrastructure and the information architecture can affect the
availability of records systems or records,
4) how skills and competencies within the organization can affect the
need for training or external assistance,
5) how legislative instruments, policies, standards and codes affect the
design of records processes and controls,
6) how organizational culture can affect compliance with the requirements of the MSR, and
7) how the complexity of the organization's structure and of its business and
legislative environment can affect records policy, processes and controls (for example,
in a multi-jurisdictional environment).
Depending on the organization, the identification of internal and external factors may already have been carried out for
other purposes, including the implementation of other management systems standards. In such
cases, a new analysis may not be necessary and an adaptation will suffice.
Context analysis is a continuous process. It informs the establishment and systematic
evaluation of the MSR (see Clause 9) and supports the continual improvement cycle (see Clause 10).
Output
ISO 30301 requires documented evidence that the analysis has been undertaken. Examples are:
— a list of internal and external factors to take into account;
— a chapter in a manual or project plan for implementing an MSR;
— a formal report on the analysis of the organization's internal and external context and on how it
affects and is affected by the MSR;
— a set of documents about the context of the organization.
4.2 Business, legal and other requirements
Using the result of the analysis described in 4.1 as the starting point, business,
legal and other requirements are assessed in relation to the business activities and are documented.
Business activities are the first elements analysed in order to identify the
requirements that affect the creation and control of records.
Identification of business requirements should take the following into account:
a) the nature of the organization's activities (e.g. mining, financial advice,
public utility services, manufacturing, pharmaceutical industry, personal services,
voluntary (community interest) services);
b) the particular form or ownership of the organization (e.g. trust, company or
government body);
c) the particular sector to which the organization belongs (i.e. public or private sector, non-profit);
d) the jurisdiction or jurisdictions in which the organization operates.
Business requirements should be identified from the performance of current
business processes and also from the perspective of planned future development.
Particular attention needs to be paid to situations where the organization is implementing
automated or digital business processes. In such situations, requirements
can change and need to be discussed with the people responsible for developing and
implementing the proposed new processes.
Activities for determining all mandatory legal and regulatory instruments
applicable to the organization include the following:
1) a review of the compliance requirements of legislation specific to the sector concerned;
2) a review of compliance with legislation on the protection of personal data and the management
of records/other data.
Clause A.2 provides examples of business, legal and other requirements relating
to the creation and control of records, as well as sources of specialist assistance for
identifying business, legal and other requirements.
Output
To comply with ISO 30301, it is mandatory to document the
identification of business, legal and other requirements. The requirements can be
documented all together or in separate documents by type of requirement. Examples
of types of documents include the following:
— a list of the requirements identified, by type (e.g. business, legislative);
— a chapter in a manual or project plan for implementing an MSR;
— a formal report on the identification of requirements for the MSR;
— a list of all laws and other codified regulatory or mandatory instruments that
apply to the organization and relate to the creation and control of records;
— case law (a set of legal precedents on specific issues
relevant to the organization).
4.3 Defining the scope of the MSR
The scope of the MSR is a decision made by top management and clearly sets out the
boundaries, inclusions, exclusions, roles and relationships between the component parts of the MSR.
The scope can be determined as a result of the context analysis, taking into account
the identified factors (see 4.1) and requirements (see 4.2), but can also be stated by
top management from the outset, before the factors and requirements are identified.
The scope includes the following:
a) identification of the parts or functions of the organization concerned. This can be the organization
as a whole, an area or department, a specific function or an operati
...