Information and documentation -- Risk assessment for records processes and systems

ISO/TR 18128:2014 intends to assist organizations in assessing risks to records processes and systems so they can ensure records continue to meet identified business needs as long as required.
ISO/TR 18128:2014:
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems, and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
ISO/TR 18128:2014 can be used by all organizations regardless of size, nature of their activities, or complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates which prescribes the creation and control of its records, are taken into account when identifying and assessing risk related to records and records systems.
ISO/TR 18128:2014 can be used by records professionals or people who have responsibility for records in their organizations and by auditors or managers who have responsibility for risk management programs in their organizations.

French-language abstract (translated): Information and documentation -- Risk assessment for records processes and systems

ISO/TR 18128:2014 is intended to help organizations assess the risks related to records processes and systems so that they can ensure that records meet identified business needs for as long as necessary.
ISO/TR 18128:2014
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method for analysing the potential effects of adverse events on records processes and systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems, and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation measures.
ISO/TR 18128:2014 can be used by all organizations, regardless of their size, the nature of their activities or the complexity of their functions and structure. These factors, together with the regulatory regime in which the organization operates and which prescribes the creation and control of its records, are taken into account when identifying and assessing risks related to records and records systems.
ISO/TR 18128:2014 can be used by records management professionals or by people responsible for records in their organization, as well as by auditors or managers responsible for risk management programmes in their organization.

Slovenian-language abstract (translated): Information and documentation - Risk assessment for records processes and systems

This Technical Report is intended to support organizations in assessing risks to records processes and systems so that they can ensure that records remain fit for identified business needs.
The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) establishes a method for analysing the potential effects of adverse events on records processes and systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems, and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
This Technical Report does not address the general risks to an organization's operations that can be mitigated by creating records.
This Technical Report can be used by all organizations regardless of size, the nature of their activities or the complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates and which prescribes the creation and control of records, are taken into account when identifying and assessing risks related to records processes and systems.
Defining an organization or identifying its boundaries must take into account the complex structures, partnerships and contractual arrangements for outsourced services and supply chains that are common features of contemporary government bodies and business entities. Identifying the organization's boundaries is the first step in defining the scope of a records-related risk assessment project.
This Technical Report does not directly address risk mitigation, since the methods for it differ from organization to organization.
The Technical Report can be used by records professionals or persons responsible for records in their organizations, and by auditors or managers responsible for risk management programmes in their organizations.

General Information

Status: Withdrawn
Public Enquiry End Date: 30-Dec-2016
Publication Date: 23-Aug-2018
Withdrawal Date: 17-Sep-2024
Current Stage: 9900 - Withdrawal (Adopted Project)
Start Date: 18-Sep-2024
Due Date: 11-Oct-2024
Completion Date: 18-Sep-2024

Relations

Effective Date: 01-Nov-2024
Technical report
ISO/TR 18128:2014 - Information and documentation — Risk assessment for records processes and systems (released 3 March 2014), English, 37 pages

Technical report
SIST-TP ISO/TR 18128:2018 - BARVE, English, 43 pages

Technical report
ISO/TR 18128:2014 - Information et documentation — Evaluation du risque pour les processus et systèmes d'enregistrement (released 23 April 2014), French, 47 pages

Frequently Asked Questions

SIST-TP ISO/TR 18128:2018 is a technical report published by the Slovenian Institute for Standardization (SIST). Its full title is "Information and documentation -- Risk assessment for records processes and systems". This standard covers: ISO/TR 18128:2014 intends to assist organizations in assessing risks to records processes and systems so they can ensure records continue to meet identified business needs as long as required. ISO/TR 18128:2014: a) establishes a method of analysis for identifying risks related to records processes and systems, b) provides a method of analysing the potential effects of adverse events on records processes and systems, c) provides guidelines for conducting an assessment of risks related to records processes and systems, and d) provides guidelines for documenting identified and assessed risks in preparation for mitigation. ISO/TR 18128:2014 can be used by all organizations regardless of size, nature of their activities, or complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates which prescribes the creation and control of its records, are taken into account when identifying and assessing risk related to records and records systems. ISO/TR 18128:2014 can be used by records professionals or people who have responsibility for records in their organizations and by auditors or managers who have responsibility for risk management programs in their organizations.

SIST-TP ISO/TR 18128:2018 is classified under the following ICS (International Classification for Standards) categories: 01.140.20 - Information sciences; 03.100.01 - Company organization and management in general. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST-TP ISO/TR 18128:2018 has the following relationship with other standards: it carries an inter-standard link to SIST ISO 18128:2024. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase SIST-TP ISO/TR 18128:2018 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.

Standards Content (Sample)


TECHNICAL REPORT ISO/TR 18128
First edition
2014-03-15
Information and documentation — Risk assessment for records processes and systems
Information et documentation — Evaluation du risque pour les processus et systèmes d'enregistrement
Reference number
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved

Contents ..... Page
Foreword ..... iv
Introduction ..... v
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 2
3.1 Terms specific to risk ..... 2
3.2 Terms specific to records ..... 2
4 Risk assessment criteria for the organization ..... 2
4.1 Assessment of risk ..... 2
4.2 Risk criteria ..... 3
4.3 Assignment of priority ..... 3
5 Risk identification ..... 3
5.1 General ..... 3
5.2 Context: External factors ..... 5
5.3 Context: Internal factors ..... 6
5.4 Records systems ..... 8
5.5 Records processes ..... 11
6 Analysing identified risks ..... 12
6.1 General ..... 12
6.2 Likelihood analysis and probability estimation ..... 13
7 Evaluating risks ..... 15
7.1 General ..... 15
7.2 Evaluating impact of adverse events ..... 16
7.3 Evaluating the risk ..... 16
8 Communicating the identified risks ..... 17
Annex A (informative) Example of a documented risk entry in a risk register ..... 19
Annex B (informative) Example: checklists for identifying areas of uncertainty ..... 20
Annex C (informative) Guide to using controls from ISO/IEC 27001, Annex A ..... 27
Bibliography ..... 37
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 46, Information and documentation, Subcommittee
SC 11, Archives/records management.

Introduction
All organizations identify and manage the risks to their functioning successfully. Identifying and
managing the risks to records processes and systems is the responsibility of the organization’s records
professional.
This Technical Report is intended to help records professionals and people who have responsibility for
records in their organization to assess the risks related to records processes and systems.
NOTE System means any business application which creates and stores records.
This is distinct from the task of identifying and assessing the organization’s business risks to which
creating and keeping adequate records is one strategic response. The decisions to create or not create
records in response to general business risk are business decisions which should be informed by the
analysis of the organization’s records requirements undertaken by records professionals together with
business managers. The premise of this Technical Report is that the organization has created records
of its business activities to meet operational and other purposes and has established at least minimal
mechanisms for the systematic management and control of the records.
The consequence of risk events to records processes and systems is the loss of, or damage to, records
which are therefore no longer useable, reliable, authentic, complete, or unaltered, and therefore can fail
to meet the organization’s purposes.
The Technical Report provides guidance and examples based on the general risk management process
established in ISO 31000 (see Figure 1) to apply to risks related to records processes and systems. It
covers
a) risk identification,
b) risk analysis, and
c) risk evaluation.
The results of the analysis of risk to records processes and systems should be incorporated into the
organization’s general risk management framework. As a result, the organization will have better
control of its records and their quality for business purposes.
Clause 5 provides a comprehensive list of areas of uncertainty related to records processes and systems
as a guide for risk identification.
Clause 6 provides guidance to determining the consequences and probabilities of identified risk events,
taking into account the presence (or not) and the effectiveness of any existing controls.
Clause 7 provides guidance to determining the significance of the level and type of risks identified.
The report does not deal with risk treatment. Once the assessment of risks related to records processes
and systems has been completed, the assessed risks are documented and communicated to the
organization’s risk management section. Response to the assessed risks is undertaken as part of the
organization’s overall risk management program. The priority assigned by the records professional to
the assessed risks is provided to inform the organization’s decisions about managing those risks.
Figure 1 — Risk Management process
NOTE Figure 1 from ISO 31000:2009. Numbering refers to text of ISO 31000.

TECHNICAL REPORT ISO/TR 18128:2014(E)
Information and documentation — Risk assessment for
records processes and systems
1 Scope
This Technical Report intends to assist organizations in assessing risks to records processes and systems
so they can ensure records continue to meet identified business needs as long as required.
The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and
systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems,
and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
This Technical Report does not address the general risks to an organization’s operations which can be
mitigated by creating records.
This Technical Report can be used by all organizations regardless of size, nature of their activities,
or complexity of their functions and structure. These factors, and the regulatory regime in which the
organization operates which prescribes the creation and control of its records, are taken into account
when identifying and assessing risk related to records and records systems.
Defining an organization or identifying its boundaries should take into account the complex structures
and partnerships and contractual arrangements for outsourcing services and supply chains which are a
common feature of contemporary government and corporate entities. Identifying the boundaries of the
organization is the initial step in defining the scope of the project of risk assessment related to records.
This Technical Report does not address directly the mitigation of risks as methods for these will vary
from organization to organization.
The Technical Report can be used by records professionals or people who have responsibility for records
in their organizations and by auditors or managers who have responsibility for risk management
programs in their organizations.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300:2011, Information and documentation — Management systems for records — Fundamentals
and vocabulary
ISO Guide 73:2009, Risk management — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300, ISO Guide 73 and the
following apply.
3.1 Terms specific to risk
3.1.1
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73:2009, 3.5.1.3) and
consequences (ISO Guide 73:2009, 3.6.1.3) or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood (ISO Guide 73, 3.6.1.1) of occurrence.
[SOURCE: ISO Guide 73:2009, definition 1.1]
3.2 Terms specific to records
3.2.1
records system
information system which captures, manages, and provides access to records through time
Note 1 to entry: This can include business applications or systems which create and maintain records.
[SOURCE: ISO 30300:2011, definition 3.4.4]
3.2.2
records processes
sets of activities by which records are created, controlled, used, kept and disposed of by the organization
4 Risk assessment criteria for the organization
4.1 Assessment of risk
Assessing risks for records processes and systems should be included, where it exists, in the
organization’s general risk management process. In this case, records professionals should take into
account the organization’s external and internal context and the context of the risk management process
itself, including the following:
a) Roles and responsibilities: The role of records professionals in the assessment of risk related to
records processes and systems should be specified.
b) Extent and scope of the risk assessment activities: Relationships with other risk assessment areas,
such as information security, should be made explicit to avoid redundancy and conflicts and enable
an integrated approach to risk assessment which includes records.
c) Methodology: The standard risk assessment methodology should be applied using the available risk
assessment tools and reporting to the designated area or person.
d) Risk criteria: Where general risk criteria for the organization are established, risks related to
records processes and systems should be assessed using these criteria.

Where the organization has not established a general risk management process, records professionals
need to establish the risk criteria applying to records processes and systems prior to the assessment
process.
4.2 Risk criteria
Criteria should be based on the legal requirements for the organization’s jurisdiction and should include
the following:
a) the nature and types of consequences to be included and how they will be measured;
b) the way in which probabilities are to be expressed;
c) how a level of risk will be determined;
d) the criteria by which it will be decided when a risk needs treatment;
e) the criteria for deciding when a risk is acceptable and/or tolerable;
f) whether and how combinations of risks will be taken into account.
Regarding the nature and types of consequences to be included in the risk assessment of records
processes and systems, there is a general starting point which applies to all organizations. Records
which are authentic, reliable, have integrity, and are useable for as long as they are required will support
the needs of the organization. Risks are identified based on their potential to undermine those general
characteristics of records which would make them fail to meet the purposes for which they are created.
For discussion of probability and frequency of events in risk assessment, see 6.2.
Criteria for evaluating risks, including the criteria by which it will be decided when a risk is acceptable
or needs treatment, include the size and reach of the records systems in the organization, the number of
users, and the use made of the system in the operations of the organization.
Similarly, criteria for evaluating risks affecting records processes should include the frequency of the
process, how many systems it is used in, its relative importance in creating or managing records, the
tracking of processes, and the potential for reversing or remedying adverse effects.
4.3 Assignment of priority
Generally, the organization shall determine which records are the core records of its operations and the
level of significance attached to them. These are business decisions based on the advice of both records
professionals and the business managers.
The priority assigned to individual records, their aggregations, records processes, or specific records
systems can also be assessed in relation to responses to major disasters affecting all or many business
operations. For example, first, certain records are needed in the immediate aftermath of a natural
disaster, such as security contacts’ addresses and phone numbers, building/facility entry records,
contact details of disaster plan response teams, and insurance contacts and policy details. Second, the
organization’s business continuity planning should identify the functions which need to be restored
first and the records needed to do so.
Special attention should be paid to where a combination of risks applies to records identified as core
operational.
5 Risk identification
5.1 General
Identification of risks is structured under the following categories: context, systems, and processes
involved in creating and controlling the records of the organization.
The external context of the organization refers to the political and societal, the macro-economic and
technological, and the physical and environmental factors beyond its control, which have an impact
on its operations and are taken into account when determining its records requirements. The external
context includes the external stakeholders, who or which have a particular interest in the organization’s
operations.
The organization also has an internal context which is the internal factors not controlled by the records
professional(s) responsible for the records processes and systems. The internal context includes factors
such as the structure and finances of the organization, the technology it deploys, the resourcing of
activities (people and budgets), and the organization’s culture, all of which influence the policies and
practices for managing records.
Potential events with uncertain effects can be external or internal to the organization.
Uncertain effects caused by change in the external context can differ according to the perspective of
the different levels of the organization (see Figure 2). It is also recognized that all change presents
opportunities which can be positive in effect.
Figure 2 — The multiple layers of context of an organization’s records and records processes
The purpose of risk identification is to identify what can happen or what situations can exist that could
affect the capacity of records to support the needs of the organization.
The risk identification process includes identifying the causes and source of the risk, events, situations,
or circumstances which could have a material impact upon the organization’s objectives and the
nature of that impact. There are numerous methods for risk identification. See IEC 31010, Annex B for a
comparison of major methods.
Identified risks should be documented in a risk register, either in one specific to records or in the
organization’s risk register. See the example given in Annex A.
NOTE Annex B is an example of a checklist based on the structure of Clause 5 which can be used in an
organization to identify risks to records processes and systems systematically.
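The criteria of 4.2 (consequence, likelihood, level of risk, treatment and acceptability thresholds, combinations of risks), the priority rule of 4.3 and the register step of 5.1 can be exercised together in a small program. The following is an added example, not code from ISO/TR 18128 or from SIST; the 1-5 scales, banding thresholds, core-records-first priority rule, register field names and the four sample entries are assumptions chosen for illustration, and an organization would substitute its own criteria (4.1 d) where a general risk management process exists.

```python
"""Records risk register exercising 4.2 (criteria), 4.3 (priority) and 5.1
(documenting identified risks). Added example; all scales, thresholds, field
names and sample entries are assumptions, not values from ISO/TR 18128."""
from collections import defaultdict
from dataclasses import dataclass, field

# 4.2 b) likelihood expressed as ordinal bands mapped to 1-5 (assumed scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# 4.2 c)-e) level of risk banding, treatment threshold, acceptance threshold (assumed).
BANDS = ((4, "low"), (9, "medium"), (15, "high"), (25, "extreme"))
TREAT_AT = 10       # score at or above which the risk needs treatment
ACCEPT_BELOW = 5    # score below which the risk is accepted without action


@dataclass
class RiskEntry:
    """One register row (cf. Annex A); the field set is an assumption."""
    risk_id: str
    description: str
    source: str                  # cause/source of the risk (5.1), e.g. a Clause 5 item
    affects: str                 # records system or process concerned
    characteristic: str          # authenticity | reliability | integrity | useability (4.2)
    consequence: int             # 4.2 a): 1..5, how badly the characteristic is undermined
    likelihood: str              # key of LIKELIHOOD
    core_records: bool = False   # 4.3: core records of the organization's operations
    existing_controls: list = field(default_factory=list)


def score(entry: RiskEntry) -> int:
    """Level of risk as combination of consequence and likelihood (3.1.1, Note 4)."""
    if entry.likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood band: {entry.likelihood!r}")
    if not 1 <= entry.consequence <= 5:
        raise ValueError("consequence must be in 1..5")
    return entry.consequence * LIKELIHOOD[entry.likelihood]


def band(s: int) -> str:
    for limit, name in BANDS:
        if s <= limit:
            return name
    return "extreme"


def decision(s: int) -> str:
    """4.2 d) and e): does the risk need treatment, is it tolerable, or accepted?"""
    if s >= TREAT_AT:
        return "treat"
    if s >= ACCEPT_BELOW:
        return "tolerate"
    return "accept"


def assess(entries):
    """Assess each entry; apply 4.2 f) combination handling and 4.3 priority."""
    per_target = defaultdict(list)
    for e in entries:
        per_target[e.affects].append(e)
    assessed = []
    for e in entries:
        s = score(e)
        combined_with = [o.risk_id for o in per_target[e.affects] if o is not e]
        # 4.3: special attention where a combination of risks applies to core records;
        # here (assumed rule) such a risk is escalated to treatment even below TREAT_AT.
        escalate = bool(e.core_records and combined_with and decision(s) != "treat")
        assessed.append({
            "risk_id": e.risk_id, "affects": e.affects, "score": s, "level": band(s),
            "decision": "treat" if escalate else decision(s),
            "combined_with": combined_with, "escalated_by_combination": escalate,
            "core_records": e.core_records,
        })
    # 4.3 priority (assumed rule): core records first, then descending score; 1 = highest.
    for rank, a in enumerate(sorted(assessed, key=lambda a: (not a["core_records"], -a["score"])), 1):
        a["priority"] = rank
    return assessed


def render(assessed) -> str:
    """Plain-text register for communication to the risk management section (Clause 8)."""
    lines = [f"{'id':<6} {'affects':<16} {'score':>5} {'level':<8} {'decision':<9} priority"]
    for a in sorted(assessed, key=lambda a: a["priority"]):
        lines.append(f"{a['risk_id']:<6} {a['affects']:<16} {a['score']:>5} "
                     f"{a['level']:<8} {a['decision']:<9} {a['priority']}")
    return "\n".join(lines)


# Constructed sample entries (assumptions), each tied to a Clause 5 area of uncertainty.
SAMPLE = [
    RiskEntry("R-01", "Unauthorised external access alters records", "5.2.4 a)",
              "EDRMS", "integrity", 5, "possible", core_records=True,
              existing_controls=["MFA", "audit log"]),
    RiskEntry("R-02", "Legacy system abandoned after restructuring", "5.3.1 f)",
              "legacy-archive", "useability", 4, "likely"),
    RiskEntry("R-03", "Disaster recovery plan not updated", "5.3.1 l)",
              "EDRMS", "useability", 3, "unlikely", core_records=True),
    RiskEntry("R-04", "Occasional metadata entry errors", "5.5",
              "case-files", "reliability", 2, "rare"),
]

if __name__ == "__main__":
    print(render(assess(SAMPLE)))
```

R-03 illustrates criterion 4.2 f): on its own it scores 6 (tolerate), but because it shares the EDRMS target with R-01 and concerns core records, the combination rule escalates it to treatment; the output register is what Clause 8 hands to the organization's risk management section, with the priority column informing, not deciding, the treatment choice.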

5.2 Context: External factors
5.2.1 Areas of uncertainty: Changes in political-societal context
Changes in the political and societal climate, nationally and internationally, can affect public attitudes to
governments’ and corporate behaviour. This can bring about legal and regulatory change, which impacts
the organization’s operations and, consequently, its records requirements.
Examples of areas of changing public attitudes which can affect records requirements are national
security, access to government and corporate information, privacy, intellectual property rights, and
corporate reporting responsibilities. More generally, examples of areas of uncertainty include the
following:
a) legal and regulatory changes affecting the organization’s records requirements;
b) changes in government policies affecting the organization’s records, records processes, and systems;
c) new standards or codes of practice that affect the organization’s records, records processes, and
systems;
d) changing demand for records services;
e) changing stakeholders’ expectations;
f) changes to reputation of, or trust in, the organization’s ability to deliver its services.
5.2.2 Areas of uncertainty: Macro-economic and technological environment
Changes in the macro-economic, business, and industrial environment and in information technology
have high impact on competition and customer demand. Change can be gradual and continuous, or
punctuated by crises, but also constitutes an area of uncertainty which can offer positive opportunities.
Examples of areas of uncertainty arising from such changes to the macro-economic and business
environment include the following:
a) changes in ownership and/or revenues of the organization which affect management priorities
including managing records;
b) changes in the objectives, functions, and operations of the organization, changing records
requirements;
c) increased activity from regulators, increasing external demands for records;
d) increased litigation, increasing demands for records;
e) introduction and adoption of new technologies across society;
EXAMPLES Spread of social media to business use; use of mobile computing devices for business.
f) changes in the market or client base of the organization.
These changes will be reflected in organizational changes which are discussed below (see 5.3.1).
5.2.3 Areas of uncertainty: Physical environment and infrastructure
The possibility of large-scale, natural or man-made disasters affecting the general operations of the
organization is a major area of uncertainty requiring identification and assessment. The potential
damage of such disasters include direct impact on the records and their storage and the less direct
impact of loss of services upon which the organization depends, for example, water and power supply
and other services. Areas of uncertainty include the following:
a) regional or local destructive or disruptive environmental phenomena such as earthquake,
hurricane/cyclone, tsunami, flood, fire, major storms, or prolonged drought;
b) the potential for acts of war or terrorism to cause major structural damage or disruption to service
supply to premises or vicinity of the organization;
c) other disruption to the organization’s power, water, waste management, information technology,
transport services, or other core utilities and services.
5.2.4 Areas of uncertainty: External security threats
Risk identification shall include hostile external security threats with the potential impacts ranging
from damage to premises or service supply to unauthorised access to systems including records systems.
Examples of external security threats include the following:
a) unauthorised external intrusion/access into records systems and unauthorised changes to records;
b) unidentified security compromise or exploitation of vulnerability that is not monitored and leads to
information degradation;
EXAMPLE Use of spyware or malware; vulnerabilities arising from unpatched software.
c) physical intrusion into records storage or IT hardware space;
d) denial of services or other intentional attack on Internet services;
e) physical vandalism;
f) loss of third-party services on which the records systems are dependent.
NOTE Risk assessment is an integral element of the implementation of ISO/IEC 27000 series of International
Standards for information security. They provide extensive coverage of areas of uncertainty related to information
security.
5.3 Context: Internal factors
5.3.1 Areas of uncertainty: Organizational change
Management decisions affecting the organization such as amalgamations, take-overs, and other
acquisitions, restructuring, downsizing, outsourcing, or the reverse, off-shoring of services constitute a
significant area of uncertainty in the internal context of the organization. These decisions will affect the
records processes and systems, for example,
a) change of ownership of records and records systems and consequent transfer of records to and
from the organization,
b) change of ownership of records and records systems resulting in forced migration of records or
amalgamations of systems,
c) access arrangements to records systems for continuing right of access to records, following transfers
and migrations,
d) inheritance of responsibility for records and records systems without adequate documentation,
e) loss of personnel or corporate memory affecting knowledge of current records and systems,
including knowledge of procedures to retrieve and use them, and of older records inherited through
organizational change,
6 © ISO 2014 – All rights reserved

f) abandonment of records and records systems, especially legacy systems, where no responsibility is
assigned,
g) change of terms within third-party service contracts,
h) new internal policies or modified existing ones within the organization that affect the records
systems and processes,
i) policies and procedures which have not been reviewed and updated, and are no longer applicable,
or are inconsistent or contradictory following organizational change,
j) changes in organization’s personnel that can affect responsibility for records,
k) changes in personnel policy, training budget, and opportunities that affect the capacity of people
who are responsible for records, and
l) a disaster recovery plan that is not updated, which can affect records in the event of a disaster.
5.3.2 Areas of uncertainty: Technological change
The introduction of new technologies and systems is an opportunity for improvement but also constitutes
an area of uncertainty with potential for adverse effects. The areas of uncertainty include the following:
a) technological changes that affect interoperability between systems that create or control records;
b) compatibility with existing platforms and systems;
c) planning and implementation of migration of records;
d) reconfiguration of responsibilities and controls of records processes;
e) effectiveness of implementation of change;
EXAMPLE Adequacy of planning and management of project to implement new platform or software.
f) extent to which the existing policies cover new technologies that the organization has adopted;
EXAMPLE Using cloud services, social media, RFID, GPS.
g) capacity of system administrators and developers deploying new technologies to understand
the implications of those technologies for records requirements, at the project stage and in
implementation;
EXAMPLE Use of collaborative software or wiki environments for development of new systems which
cannot capture the project records and system documentation adequately.
h) capacity of existing technical infrastructure to meet new requirements resulting from organization’s
or records systems’ technological development.
5.3.3 Areas of uncertainty: Resources — People and competencies
The organization is dependent on competent staff to deliver all its operations including the records
processes and systems. The records professional or people who have responsibility for records
management assess areas of uncertainty including the following:
a) number of personnel to create and control records and to design and maintain records systems;
b) awareness of records policies and processes;
c) engagement of top management in support for records management;
d) awareness of risks related to records processes and systems and ability of top management to make
decisions on appropriate mitigation;
e) management of the relationship between the administrative responsibilities for the records systems
and the viewpoints of operational users;
f) adequacy of the competencies of personnel to create and control records;
g) loss of key personnel with vital skills and in-depth organizational knowledge or history;
h) deterioration of skill levels of personnel;
i) adequacy of means to evaluate effectiveness or suitability of personnel.
5.3.4 Areas of uncertainty: Resources — Finances and materials
The funding and material resources available to manage the records processes and systems adequately
are affected both by the external economic and business environment and by the level of support for
records management in the organization. Areas of uncertainty include the following:
a) adequacy of financial resources to meet commitments and goals of records management;
b) adequacy of financial resources to purchase, upgrade, or maintain adequate systems.
5.4 Records systems
When assessing the impact of risk on the systems which create or control records, the design of the
systems, the issues of maintenance, sustainability, continuity, interoperability, and security should be
taken into account. The systems used by the organization change over time according to the economic
circumstances, changes in its activities and personnel, and changes in its size and structure. It is critical
that top management is adequately informed about risk to records systems and takes responsibility for
the organizational response.
NOTE 1 All references to systems in this section can be understood as references to records systems in 3.2.1.
NOTE 2 When identifying risks relating to systems in organizations which have implemented ISO/IEC 27001
controls, records professionals should take into account how these controls can mitigate risks in some areas. In
organizations where ISO/IEC 27001 has not been implemented, its controls can be used as a source for mitigation
actions. Annex C is a table that links the examples of areas of uncertainty relating to records systems and
ISO/IEC 27001 controls.
5.4.1 Areas of uncertainty: System design
System design and configuration are critical to record creation and longevity. They intersect with the
risk identification for records processes. Adequate documentation of the system configuration is the
foundation for addressing other areas of risk at the system level and also for the system's processes.
NOTE See 5.5 for records processes in systems.
Based on contemporary experience, identification of risks in system design, especially in the digital
context, includes the following:
a) definition of records so the system creates and manages records adequate to the system’s purposes;
EXAMPLE All records elements in a transactional database are identified and managed so transactions
can be retrieved or re-created.
b) adequate identification of retention requirements;
EXAMPLE Retention periods and “triggers” for disposition action are specified in the record elements.
c) identification and documentation of all necessary records processes to be managed by the system;
d) effectiveness of design of the records systems appropriate to organization’s employees and
technology;
e) negotiation of dependence on vendor support;
f) access to vendor documentation.
5.4.2 Areas of uncertainty: Maintenance
Maintenance of the records systems refers primarily to the technological platform and systems support
aspects which are affected by structural change in the organization, implementation of new systems,
technological change, and competence and reliability of the technical support.
Areas of uncertainty include the following:
a) changes in business and operating systems affecting records systems;
b) skill level of system administrators and their understanding of requirements for managing records
in systems;
c) reliability of systems suppliers and their ability to maintain and keep the systems technologically
up to date;
d) adequacy of documentation of procedures for operational maintenance;
e) adequacy of technical documentation of the systems;
f) adequacy of documented back-up procedures for the records systems;
g) adequacy of restoration from backups.
5.4.3 Areas of uncertainty: Sustainability and continuity
The sustainability of the records systems depends on the monitoring of change in the external and
internal context of the organization so the records systems are updated to respond to changes in needs.
Continuity planning for records systems takes into account the organization’s planning for business
continuity. In the absence of a business continuity plan for the organization, the records professional
assesses the records systems to establish priority and procedures for restoration following a disruption
to service.
Areas of uncertainty include the following:
a) change in external and internal context affecting the organization’s records requirements;
b) adequacy of quality assurance monitoring to identify changes in records requirements;
c) adequacy of assessment of actual costs of implementation and maintenance of the records systems
including human resources;
d) adequacy of identification and documentation of records systems;
e) maintenance and accessibility of system specifications and documentation;
f) adequacy of documentation of decisions taken in the implementation of records systems available
to all users who need them;
g) ability of a records system to maintain the usability of records;
h) capacity to import records from legacy or other business systems;
i) migration of records to a new records system due to either change in records requirements or in
technology;
j) changes to other systems upon which the records system is dependent;
k) ability of cloud-based systems to export records when required and to re-integrate them into the
organization’s systems;
l) adequacy of a records system’s event history, including its retention for the life of the system and
management of dependence on other systems, to ensure it remains meaningful over time;
EXAMPLE Maintenance of documentation of unique identifiers used in event history for users or
business units.
m) ability of records systems to support business continuity by providing access to records in the event
of a disaster;
n) contingency planning for disruptions of service.
5.4.4 Areas of uncertainty: Interoperability
Records systems have dependencies on and relationships with other systems which can be points of
vulnerability.
Areas of uncertainty include the following:
a) adequacy of identification and specification of interoperability required between records systems
and other business systems;
b) dependency of records systems on data sources external to the records system and capacity to
exchange data with or link or refer to data in these systems (e.g. cloud, other external storage
services);
c) compatibility of standards or specifications for the exchange of records or interoperability between
systems;
d) the effectiveness of system interoperability after changes or technological upgrades to either or
both of the integrated systems;
e) management of metadata relating to record controls between systems to sustain usability and
meaning of the records.
5.4.5 Areas of uncertainty: Security
Risk assessment of security of records systems can be conducted using the ISO/IEC 27000 series of
standards and applied as part of the organization’s information security management system, where
available. National information system security standards or requirements can also be applicable to
records systems.
ISO/IEC 27005, Annexes B to D, include examples of uncertainty areas that apply to any information
system. Uncertainties more specific to records systems also include the following:
a) adequacy of the organization’s security policy with respect to records, records processes, and
systems;
b) ability to enforce and protect access rules and permissions related to records, records processes,
and systems;
c) policy and controls for third parties working on behalf of the organization that affect the storage,
access, and control of records and records systems.
5.5 Records processes
Risk identification focuses on the creation of the records (or record elements) and control processes for
managing the records and the records systems.
NOTE It is assumed that the records professional refers to ISO 15489-1, ISO/TR 15489-2, ISO 23081-1,
ISO 23081-2, and ISO/TR 23081-3 for guidance on design of records and records processes.
5.5.1 Areas of uncertainty: Records design
The areas of uncertainty in the design processes are the following:
a) business activities are adequately analysed to identify records requirements;
b) gathering of records requirements is comprehensive for each business process, including needs of
all interested parties;
c) adequacy of design of the records (e.g. identification of content and definition of metadata for
identity, description, use, event history, and event planning) meets the records requirements;
d) naming and classification schema adequate for their purpose.
5.5.2 Areas of uncertainty: Records creation and records system implementation
The areas of uncertainty in the creation and implementation processes are the following:
a) points of creation or capture of all records elements are appropriate (timely, integrated, complete)
to the business process and records system(s);
b) effectiveness of integration of records creation and control processes with the business processes
where appropriate;
c) responsibilities of the record creators and the agents (if different) in the business transactions are
adequately defined and documented;
d) allocation of responsibilities for capturing the organization’s records from external environments
meets the requirements;
e) metadata specifications are adequately documented and maintained;
f) processes for managing and recording access to records are appropriately documented and
monitored.
5.5.3 Areas of uncertainty: Metadata
The areas of uncertainty in the metadata management processes are the following:
a) metadata technical specifications for documentation of records and records processes are accessible;
b) management of specifications enables updating as required.
5.5.4 Areas of uncertainty: Use of records and records systems
The areas of uncertainty in the access and use processes are the following:
a) consistency and timeliness of retrieval or access to records as required;
b) adequacy of management of user permissions for all records processes;
c) management of breaches of security or other access controls;
d) maintenance of records of who has accessed or modified records over time;
e) adequacy of training of personnel who use the processes;
f) compliance with the procedures.
5.5.4.1 Areas of uncertainty: Maintaining useability
The areas of uncertainty in the maintenance processes are the following:
a) maintenance of meaningfulness of records metadata over time, especially dependence on data from,
or links to, external systems;
b) adequacy of record processes to preserve the authenticity and reliability of records over time;
c) maintenance of accessibility of records over time;
d) management of use of encryption of records for transmission;
e) adequacy of management of versions of records over time;
f) adequacy of retention of event history of records, to support meaningfulness of records over time;
g) software (including format changes) and hardware obsolescence issues relating to both records
processes and systems.
EXAMPLE Older versions of digital records might not be accessible via current applications or versions of
applications.
5.5.5 Areas of uncertainty: Disposition of records
The areas of uncertainty in the disposition processes are the following:
a) disposition of records implemented as designed and authorized;
b) disposition procedures include provision for holding records past their nominated retention period
if required;
EXAMPLE Records required for legal proceedings or sought under Freedom of Information past their
date of disposition.
c) disposition implementation is documented;
d) destruction is appropriately authorized and documented;
e) testing undertaken as to whether forensic recovery is possible from the discarded hardware and/or
storage device.
EXAMPLE Adequacy of reformatting of hard drives of computers and printer-copiers, or storage devices such
as memory sticks, to erase all records.
6 Analysing identified risks
6.1 General
Risk is analysed by determining its potential consequences
...


SLOVENIAN STANDARD
01-september-2018
Informatika in dokumentacija - Ocena tveganja za postopke procesov in sisteme
vodenja zapisov
Information and documentation -- Risk assessment for records processes and systems
Information et documentation -- Evaluation du risque pour les processus et systèmes
d'enregistrement
This Slovenian standard is identical to: ISO/TR 18128:2014
ICS:
01.140.20 Information sciences
03.100.01 Company organization and management in general
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

TECHNICAL REPORT ISO/TR 18128
First edition
2014-03-15
Information and documentation — Risk assessment for records processes and systems
Information et documentation — Evaluation du risque pour les processus et systèmes d’enregistrement
Reference number
© ISO 2014
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword .... iv
Introduction .... v
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 2
3.1 Terms specific to risk .... 2
3.2 Terms specific to records .... 2
4 Risk assessment criteria for the organization .... 2
4.1 Assessment of risk .... 2
4.2 Risk criteria .... 3
4.3 Assignment of priority .... 3
5 Risk identification .... 3
5.1 General .... 3
5.2 Context: External factors .... 5
5.3 Context: Internal factors .... 6
5.4 Records systems .... 8
5.5 Records processes .... 11
6 Analysing identified risks .... 12
6.1 General .... 12
6.2 Likelihood analysis and probability estimation .... 13
7 Evaluating risks .... 15
7.1 General .... 15
7.2 Evaluating impact of adverse events .... 16
7.3 Evaluating the risk .... 16
8 Communicating the identified risks .... 17
Annex A (informative) Example of a documented risk entry in a risk register .... 19
Annex B (informative) Example: checklists for identifying areas of uncertainty .... 20
Annex C (informative) Guide to using controls from ISO/IEC 27001, Annex A .... 27
Bibliography .... 37
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 46, Information and documentation, Subcommittee
SC 11, Archives/records management.
Introduction
All organizations identify and manage the risks to their functioning successfully. Identifying and
managing the risks to records processes and systems is the responsibility of the organization’s records
professional.
This Technical Report is intended to help records professionals and people who have responsibility for
records in their organization to assess the risks related to records processes and systems.
NOTE System means any business application which creates and stores records.
This is distinct from the task of identifying and assessing the organization’s business risks to which
creating and keeping adequate records is one strategic response. The decisions to create or not create
records in response to general business risk are business decisions which should be informed by the
analysis of the organization’s records requirements undertaken by records professionals together with
business managers. The premise of this Technical Report is that the organization has created records
of its business activities to meet operational and other purposes and has established at least minimal
mechanisms for the systematic management and control of the records.
The consequence of risk events to records processes and systems is the loss of, or damage to, records
which are therefore no longer useable, reliable, authentic, complete, or unaltered, and therefore can fail
to meet the organization’s purposes.
The Technical Report provides guidance and examples based on the general risk management process
established in ISO 31000 (see Figure 1) to apply to risks related to records processes and systems. It
covers
a) risk identification,
b) risk analysis, and
c) risk evaluation.
The results of the analysis of risk to records processes and systems should be incorporated into the
organization’s general risk management framework. As a result, the organization will have better
control of its records and their quality for business purposes.
Clause 5 provides a comprehensive list of areas of uncertainty related to records processes and systems
as a guide for risk identification.
Clause 6 provides guidance to determining the consequences and probabilities of identified risk events,
taking into account the presence (or not) and the effectiveness of any existing controls.
Clause 7 provides guidance to determining the significance of the level and type of risks identified.
The report does not deal with risk treatment. Once the assessment of risks related to records processes
and systems has been completed, the assessed risks are documented and communicated to the
organization’s risk management section. Response to the assessed risks is undertaken as part of the
organization’s overall risk management program. The priority assigned by the records professional to
the assessed risks is provided to inform the organization’s decisions about managing those risks.
Figure 1 — Risk Management process
NOTE Figure 1 from ISO 31000:2009. Numbering refers to text of ISO 31000.
TECHNICAL REPORT ISO/TR 18128:2014(E)
Information and documentation — Risk assessment for
records processes and systems
1 Scope
This Technical Report intends to assist organizations in assessing risks to records processes and systems
so they can ensure records continue to meet identified business needs as long as required.
The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and
systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems,
and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
This Technical Report does not address the general risks to an organization’s operations which can be
mitigated by creating records.
This Technical Report can be used by all organizations regardless of size, nature of their activities,
or complexity of their functions and structure. These factors, and the regulatory regime in which the
organization operates which prescribes the creation and control of its records, are taken into account
when identifying and assessing risk related to records and records systems.
Defining an organization or identifying its boundaries should take into account the complex structures
and partnerships and contractual arrangements for outsourcing services and supply chains which are a
common feature of contemporary government and corporate entities. Identifying the boundaries of the
organization is the initial step in defining the scope of the project of risk assessment related to records.
This Technical Report does not address directly the mitigation of risks as methods for these will vary
from organization to organization.
The Technical Report can be used by records professionals or people who have responsibility for records
in their organizations and by auditors or managers who have responsibility for risk management
programs in their organizations.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300:2011, Information and documentation — Management systems for records — Fundamentals
and vocabulary
ISO Guide 73:2009, Risk management — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300, ISO Guide 73 and the
following apply.
3.1 Terms specific to risk
3.1.1
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73:2009, 3.5.1.3) and
consequences (ISO Guide 73:2009, 3.6.1.3) or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood (ISO Guide 73, 3.6.1.1) of occurrence.
[SOURCE: ISO Guide 73:2009, definition 1.1]
3.2 Terms specific to records
3.2.1
records system
information system which captures, manages, and provides access to records through time
Note 1 to entry: This can include business applications or systems which create and maintain records.
[SOURCE: ISO 30300:2011, definition 3.4.4]
3.2.2
records processes
sets of activities by which records are created, controlled, used, kept and disposed of by the organization
4 Risk assessment criteria for the organization
4.1 Assessment of risk
Assessing risks for records processes and systems should be included, where it exists, in the
organization’s general risk management process. In this case, records professionals should take into
account the organization’s external and internal context and the context of the risk management process
itself, including the following:
a) Roles and responsibilities: The role of records professionals in the assessment of risk related to
records processes and systems should be specified.
b) Extent and scope of the risk assessment activities: Relationships with other risk assessment areas,
such as information security, should be made explicit to avoid redundancy and conflicts and enable
an integrated approach to risk assessment which includes records.
c) Methodology: The standard risk assessment methodology should be applied using the available risk
assessment tools and reporting to the designated area or person.
d) Risk criteria: Where general risk criteria for the organization are established, risks related to
records processes and systems should be assessed using these criteria.
Where the organization has not established a general risk management process, records professionals
need to establish the risk criteria applying to records processes and systems prior to the assessment
process.
4.2 Risk criteria
Criteria should be based on the legal requirements for the organization’s jurisdiction and should include
the following:
a) the nature and types of consequences to be included and how they will be measured;
b) the way in which probabilities are to be expressed;
c) how a level of risk will be determined;
d) the criteria by which it will be decided when a risk needs treatment;
e) the criteria for deciding when a risk is acceptable and/or tolerable;
f) whether and how combinations of risks will be taken into account.
Regarding the nature and types of consequences to be included in the risk assessment of records
processes and systems, there is a general starting point which applies to all organizations. Records
which are authentic, reliable, have integrity, and are useable for as long as they are required will support
the needs of the organization. Risks are identified based on their potential to undermine those general
characteristics of records which would make them fail to meet the purposes for which they are created.
For discussion of probability and frequency of events in risk assessment, see 6.2.
Criteria for evaluating risks, including the criteria by which it will be decided when a risk is acceptable
or needs treatment, include the size and reach of the records systems in the organization, the number of
users, and the use made of the system in the operations of the organization.
Similarly, criteria for evaluating risks affecting records processes should include the frequency of the
process, how many systems it is used in, its relative importance in creating or managing records, the
tracking of processes, and the potential for reversing or remedying adverse effects.
4.3 Assignment of priority
Generally, the organization shall determine which records are the core records of its operations and the
level of significance attached to them. These are business decisions based on the advice of both records
professionals and the business managers.
The priority assigned to individual records, their aggregations, records processes, or specific records
systems can also be assessed in relation to responses to major disasters affecting all or many business
operations. For example, first, certain records are needed in the immediate aftermath of a natural
disaster, such as security contacts’ addresses and phone numbers, building/facility entry records,
contact details of disaster plan response teams, and insurance contacts and policy details. Second, the
organization’s business continuity planning should identify the functions which need to be restored
first and the records needed to do so.
Special attention should be paid to where a combination of risks applies to records identified as core
operational.
5 Risk identification
5.1 General
Identification of risks is structured under the following categories: context, systems, and processes
involved in creating and controlling the records of the organization.
The external context of the organization refers to the political and societal, the macro-economic and
technological, and the physical and environmental factors beyond its control, which have an impact
on its operations and are taken into account when determining its records requirements. The external
context includes the external stakeholders, who or which have a particular interest in the organization’s
operations.
The organization also has an internal context, which consists of the internal factors not controlled by the records
professional(s) responsible for the records processes and systems. The internal context includes factors
such as the structure and finances of the organization, the technology it deploys, the resourcing of
activities (people and budgets), and the organization’s culture, all of which influence the policies and
practices for managing records.
Potential events with uncertain effects can be external or internal to the organization.
Uncertain effects caused by change in the external context can differ according to the perspective of
the different levels of the organization (see Figure 2). It is also recognized that all change presents
opportunities which can be positive in effect.
Figure 2 — The multiple layers of context of an organization’s records and records processes
The purpose of risk identification is to identify what can happen or what situations can exist that could
affect the capacity of records to support the needs of the organization.
The risk identification process includes identifying the causes and source of the risk, events, situations,
or circumstances which could have a material impact upon the organization’s objectives and the
nature of that impact. There are numerous methods for risk identification. See IEC 31010, Annex B for a
comparison of major methods.
Identified risks should be documented in a risk register, either in one specific to records or in the
organization’s risk register. See the example given in Annex A.
NOTE Annex B is an example of a checklist based on the structure of Clause 5 which can be used in an
organization to identify risks to records processes and systems systematically.
4 © ISO 2014 – All rights reserved

5.2 Context: External factors
5.2.1 Areas of uncertainty: Changes in political-societal context
Changes in the political and societal climate, nationally and internationally, can affect public attitudes to
governments’ and corporate behaviour. This can bring about legal and regulatory change, which impacts
the organization’s operations and, consequently, its records requirements.
Examples of areas of changing public attitudes which can affect records requirements are national
security, access to government and corporate information, privacy, intellectual property rights, and
corporate reporting responsibilities. More generally, examples of areas of uncertainty include the
following:
a) legal and regulatory changes affecting the organization’s records requirements;
b) changes in government policies affecting the organization’s records, records processes, and systems;
c) new standards or codes of practice that affect the organization’s records, records processes, and
systems;
d) changing demand for records services;
e) changing stakeholders’ expectations;
f) changes to reputation of, or trust in, the organization’s ability to deliver its services.
5.2.2 Areas of uncertainty: Macro-economic and technological environment
Changes in the macro-economic, business, and industrial environment and in information technology
have high impact on competition and customer demand. Change can be gradual and continuous, or
punctuated by crises, but also constitutes an area of uncertainty which can offer positive opportunities.
Examples of areas of uncertainty arising from such changes to the macro-economic and business
environment include the following:
a) changes in ownership and/or revenues of the organization which affect management priorities
including managing records;
b) changes in the objectives, functions, and operations of the organization, changing records
requirements;
c) increased activity from regulators, increasing external demands for records;
d) increased litigation, increasing demands for records;
e) introduction and adoption of new technologies across society;
EXAMPLES Spread of social media to business use; use of mobile computing devices for business.
f) changes in the market or client base of the organization.
These changes will be reflected in organizational changes which are discussed below (see 5.3.1).
5.2.3 Areas of uncertainty: Physical environment and infrastructure
The possibility of large-scale, natural or man-made disasters affecting the general operations of the
organization is a major area of uncertainty requiring identification and assessment. The potential
damage from such disasters includes direct impact on the records and their storage and the less direct
impact of loss of services upon which the organization depends, for example, water and power supply
and other services. Areas of uncertainty include the following:
a) regional or local destructive or disruptive environmental phenomena such as earthquake,
hurricane/cyclone, tsunami, flood, fire, major storms, or prolonged drought;
b) the potential for acts of war or terrorism to cause major structural damage or disruption to service
supply to premises or vicinity of the organization;
c) other disruption to the organization’s power, water, waste management, information technology,
transport services, or other core utilities and services.
5.2.4 Areas of uncertainty: External security threats
Risk identification shall include hostile external security threats with the potential impacts ranging
from damage to premises or service supply to unauthorised access to systems including records systems.
Examples of external security threats include the following:
a) unauthorised external intrusion/access into records systems and unauthorised changes to records;
b) unidentified security compromise or exploitation of vulnerability that is not monitored and leads to
information degradation;
EXAMPLE Use of spyware or malware and vulnerability from unpatched software security breaches or
weaknesses.
c) physical intrusion into records storage or IT hardware space;
d) denial of services or other intentional attack on Internet services;
e) physical vandalism;
f) loss of third-party services on which the records systems are dependent.
NOTE Risk assessment is an integral element of the implementation of the ISO/IEC 27000 series of International
Standards for information security. Those standards provide extensive coverage of areas of uncertainty related to
information security.
5.3 Context: Internal factors
5.3.1 Areas of uncertainty: Organizational change
Management decisions affecting the organization, such as amalgamations, take-overs and other
acquisitions, restructuring, downsizing, outsourcing (or its reverse), and off-shoring of services, constitute
a significant area of uncertainty in the internal context of the organization. These decisions will affect the
records processes and systems, for example,
a) change of ownership of records and records systems and consequent transfer of records to and
from the organization,
b) change of ownership of records and records systems resulting in forced migration of records or
amalgamations of systems,
c) access arrangements to records systems for continuing right of access to records, following transfers
and migrations,
d) inheritance of responsibility for records and records systems without adequate documentation,
e) loss of personnel or corporate memory affecting knowledge of current records and systems,
including knowledge of procedures to retrieve and use them, and of older records inherited through
organizational change,
f) abandonment of records and records systems, especially legacy systems, where no responsibility is
assigned,
g) change of terms within third-party service contracts,
h) new internal policies or modified existing ones within the organization that affect the records
systems and processes,
i) policies and procedures which have not been reviewed and updated, and are no longer applicable,
or are inconsistent or contradictory following organizational change,
j) changes in organization’s personnel that can affect responsibility for records,
k) changes in personnel policy, training budget, and opportunities that affect the capacity of people
who are responsible for records, and
l) a disaster recovery plan that is not updated, which can affect records in the event of a disaster.
5.3.2 Areas of uncertainty: Technological change
The introduction of new technologies and systems is an opportunity for improvement but also constitutes
an area of uncertainty with potential for adverse effects. The areas of uncertainty include the following:
a) technological changes that affect interoperability between systems that create or control records;
b) compatibility with existing platforms and systems;
c) planning and implementation of migration of records;
d) reconfiguration of responsibilities and controls of records processes;
e) effectiveness of implementation of change;
EXAMPLE Adequacy of planning and management of project to implement new platform or software.
f) extent to which the existing policies cover new technologies that the organization has adopted;
EXAMPLE Using cloud services, social media, RFID, GPS.
g) capacity of system administrators and developers deploying new technologies to understand
the implications of those technologies for records requirements, at the project stage and in
implementation;
EXAMPLE Use of collaborative software or wiki environments for development of new systems which
cannot capture the project records and system documentation adequately.
h) capacity of existing technical infrastructure to meet new requirements resulting from organization’s
or records systems’ technological development.
5.3.3 Areas of uncertainty: Resources — People and competencies
The organization is dependent on competent staff to deliver all its operations including the records
processes and systems. The records professional or the people who have responsibility for records
management assess areas of uncertainty including the following:
a) number of personnel to create and control records and to design and maintain records systems;
b) awareness of records policies and processes;
c) engagement of top management in support for records management;
d) awareness of risks related to records processes and systems and ability of top management to make
decisions on appropriate mitigation;
e) management of the relationship between the administrative responsibilities for the records systems
and the viewpoints of operational users;
f) adequacy of personnel’s competencies to create and control records;
g) loss of key personnel with vital skills and in-depth organizational knowledge or history;
h) deterioration of skill levels of personnel;
i) adequacy of means to evaluate effectiveness or suitability of personnel.
5.3.4 Areas of uncertainty: Resources — Finances and materials
The funding and material resources available to manage the records processes and systems adequately
are affected both by the external economic and business environment and by the level of support for
records management in the organization. Areas of uncertainty include the following:
a) adequacy of financial resources to meet commitments and goals of records management;
b) adequacy of financial resources to purchase, upgrade, or maintain adequate systems.
5.4 Records systems
When assessing the impact of risk on the systems which create or control records, the design of the
systems, the issues of maintenance, sustainability, continuity, interoperability, and security should be
taken into account. The systems used by the organization change over time according to the economic
circumstances, changes in its activities and personnel, and changes in its size and structure. It is critical
that top management is adequately informed about risk to records systems and takes responsibility for
the organizational response.
NOTE 1 All references to systems in this section can be understood as references to records systems in 3.2.1.
NOTE 2 When identifying risks relating to systems in organizations which have implemented ISO/IEC 27001
controls, records professionals should take into account how these controls can mitigate risks in some areas. In
organizations where ISO/IEC 27001 has not been implemented, its controls can be used as a source for mitigation
actions. Annex C is a table that links the examples of areas of uncertainty relating to records systems and
ISO/IEC 27001 controls.
5.4.1 Areas of uncertainty: System design
System design and configuration is critical to record creation and longevity. It intersects with the
risk identification for records processes. Adequate documentation of the system configuration is the
foundation for addressing other areas of risk, both at the system level and in the system’s processes.
NOTE See 5.5 for records processes in systems.
Based on contemporary experience, identification of risks in system design, especially in the digital
context, includes the following:
a) definition of records so the system creates and manages records adequate to the system’s purposes;
EXAMPLE All records elements in a transactional database are identified and managed so transactions
can be retrieved or re-created.
b) adequate identification of retention requirements;
EXAMPLE Retention periods and “triggers” for disposition action are specified in the record elements.
c) identification and documentation of all necessary records processes to be managed by the system;
d) effectiveness of design of the records systems appropriate to organization’s employees and
technology;
e) negotiation of dependence on vendor support;
f) access to vendor documentation.
5.4.2 Areas of uncertainty: Maintenance
Maintenance of the records systems refers primarily to the technological platform and systems support
aspects which are affected by structural change in the organization, implementation of new systems,
technological change, and competence and reliability of the technical support.
Areas of uncertainty include the following:
a) changes in business and operating systems affecting records systems;
b) skill level of system administrators and their understanding of requirements for managing records
in systems;
c) reliability of systems suppliers and their ability to maintain and keep the systems technologically
up to date;
d) adequacy of documentation of procedures for operational maintenance;
e) adequacy of technical documentation of the systems;
f) adequacy of documented back-up procedures for the records systems;
g) adequacy of restoration from backups.
5.4.3 Areas of uncertainty: Sustainability and Continuity
The sustainability of the records systems depends on the monitoring of change in the external and
internal context of the organization so the records systems are updated to respond to changes in needs.
Continuity planning for records systems takes into account the organization’s planning for business
continuity. In the absence of a business continuity plan for the organization, the records professional
assesses the records systems to establish priority and procedures for restoration following a disruption
to service.
Areas of uncertainty include the following:
a) change in external and internal context affecting the organization’s records requirements;
b) adequacy of quality assurance monitoring to identify changes in records requirements;
c) adequacy of assessment of actual costs of implementation and maintenance of the records systems
including human resources;
d) adequacy of identification and documentation of records systems;
e) maintenance and accessibility of system specifications and documentation;
f) adequacy of documentation of decisions taken in the implementation of records systems available
to all users who need them;
g) ability of a records system to maintain the usability of records;
h) capacity to import records from legacy or other business systems;
i) migration of records to a new records system due to either change in records requirements or in
technology;
j) changes to other systems upon which the records system is dependent;
k) ability of cloud-based systems to export records when required and to re-integrate them into the
organization’s systems;
l) adequacy of a records system’s event history, including its retention for the life of the system and
management of dependence on other systems, to ensure it remains meaningful over time;
EXAMPLE Maintenance of documentation of unique identifiers used in event history for users or
business units.
m) ability of records systems to support business continuity by providing access to records in the event
of a disaster;
n) contingency planning for disruptions of service.
5.4.4 Areas of uncertainty: Interoperability
Records systems have dependencies on and relationships with other systems which can be points of
vulnerability.
Areas of uncertainty include the following:
a) adequacy of identification and specification of interoperability required between records systems
and other business systems;
b) dependency of records systems on data sources external to the records system and capacity to
exchange data with or link or refer to data in these systems (e.g. cloud, other external storage
services);
c) compatibility of standards or specifications for the exchange of records or interoperability between
systems;
d) the effectiveness of system interoperability after changes or technological upgrades to either or
both of the integrated systems;
e) management of metadata relating to record controls between systems to sustain usability and
meaning of the records.
5.4.5 Areas of uncertainty: Security
Risk assessment of security of records systems can be conducted using the ISO/IEC 27000 series of
standards and applied as part of the organization’s information security management system, where
available. National information system security standards or requirements can also be applicable to
records systems.
ISO/IEC 27005, Annexes B to D, include examples of uncertainty areas that apply to any information
system. Uncertainties more specific to records systems also include the following:
a) adequacy of the organization’s security policy with respect to records, records processes, and
systems;
b) ability to enforce and protect access rules and permissions related to records, records processes,
and systems;
c) policy and controls for third parties working on behalf of the organization that affect the storage,
access, and control of records and records systems.
5.5 Records processes
Risk identification focuses on the creation of the records (or record elements) and control processes for
managing the records and the records systems.
NOTE It is assumed that the records professional refers to ISO 15489-1, ISO/TR 15489-2, ISO 23081-1,
ISO 23081-2, and ISO/TR 23081-3 for guidance on design of records and records processes.
5.5.1 Areas of uncertainty: Records design
The areas of uncertainty in the design processes are the following:
a) business activities are adequately analysed to identify records requirements;
b) gathering of records requirements is comprehensive for each business process, including needs of
all interested parties;
c) adequacy of design of the records (e.g. identification of content and definition of metadata for
identity, description, use, event history, and event planning) meets the records requirements;
d) naming and classification schema adequate for their purpose.
5.5.2 Areas of uncertainty: Records creation and records system implementation
The areas of uncertainty in the creation and implementation processes are the following:
a) points of creation or capture of all records elements are appropriate (timely, integrated, complete)
to the business process and records system(s);
b) effectiveness of integration of records creation and control processes with the business processes
where appropriate;
c) responsibilities of the record creators and the agents (if different) in the business transactions are
adequately defined and documented;
d) allocation of responsibilities for capturing the organization’s records from external environments
meets the requirements;
e) metadata specifications are adequately documented and maintained;
f) processes for managing and recording access to records are appropriately documented and
monitored.
5.5.3 Areas of uncertainty: Metadata
The areas of uncertainty in the metadata management processes are the following:
a) metadata technical specifications for documentation of records and records processes are accessible;
b) management of specifications enables updating as required.
5.5.4 Areas of uncertainty: Use of records and records systems
The areas of uncertainty in the access and use processes are the following:
a) consistency and timeliness of retrieval or access to records as required;
b) adequacy of management of user permissions for all records processes;
c) management of breaches of security or other access controls;
d) maintenance of records of who has accessed or modified records over time;
e) adequacy of training of personnel who use the processes;
f) compliance with the procedures.
5.5.4.1 Areas of uncertainty: Maintaining usability
The areas of uncertainty in the maintenance processes are the following:
a) maintenance of meaningfulness of records metadata over time, especially dependence on data from,
or links to, external systems;
b) adequacy of record processes to preserve the authenticity and reliability of records over time;
c) maintenance of accessibility of records over time;
d) management of us
...


TECHNICAL REPORT ISO/TR 18128
First edition
2014-03-15
Information et documentation — Evaluation du risque pour les processus et systèmes d’enregistrement
Information and documentation — Risk assessment for records
processes and systems
Reference number
© ISO 2014
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without
prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body
in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 2
3.1 Terms relating to risk ... 2
3.2 Terms relating to records ... 2
4 Organizational risk assessment criteria ... 2
4.1 Risk assessment ... 2
4.2 Risk criteria ... 3
4.3 Assignment of priority ... 3
5 Risk identification ... 4
5.1 General ... 4
5.2 Context: External factors ... 5
5.3 Context: Internal factors ... 7
5.4 Records systems ... 9
5.5 Records processes ... 12
6 Analysis of identified risks ... 14
6.1 General ... 14
6.2 Analysis of likelihood and estimation of probabilities ... 14
7 Risk evaluation ... 17
7.1 General ... 17
7.2 Evaluation of the consequences of adverse events ... 18
7.3 Risk evaluation ... 19
8 Communication of identified risks ... 21
Annex A (informative) Example of a documented risk entry in a risk register ... 22
Annex B (informative) Example: checklists for identifying areas of uncertainty ... 23
Annex C (informative) Guide to using the controls of ISO/IEC 27001, Annex A ... 31
Bibliography ... 43
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
intellectual property rights or similar rights. ISO shall not be held responsible for identifying any such
rights or for giving notice of their existence. Details of any intellectual property rights or other similar
rights identified during the development of the document will be in the Introduction and/or on the ISO
list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement or a recommendation.
For an explanation of the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT), see the following link: Foreword - Supplementary information
The committee responsible for this document is Technical Committee ISO/TC 46, Information and
documentation, Subcommittee SC 11, Archives/records management.
Introduction
All organizations identify and manage the risks that can affect the proper conduct of their operations.
Identifying and managing the risks related to records processes and systems is the responsibility of the
records professional.
This Technical Report is intended to assist records professionals and the people responsible for records
in their organizations in assessing the risks related to records processes and systems.
NOTE “System” means any business application that creates and stores records.
This is a separate activity from identifying and assessing the business risks of the organization, to which
the creation and keeping of appropriate records is a strategic response. Decisions on whether or not to
create records in response to general business risk are management decisions that should be informed
by an analysis of the organization’s records requirements; this analysis is carried out by records
professionals together with management. This Technical Report is based on the principle that the
organization has created records of its business activities to meet operational or other objectives, and
that it has put in place at least the minimum mechanisms for the systematic management and control of
those records.
For records processes and systems, the consequences of risk events take the form of loss or alteration of
records which, as a result, are no longer usable, reliable, authentic, complete or unaltered and which may
therefore no longer meet the organization’s objectives.
This Technical Report gives guidance and provides examples based on the general risk management
process defined in ISO 31000 (see Figure 1), to be applied to the risks related to records processes and
systems. It covers
a) risk identification,
b) risk analysis, and
c) risk evaluation.
The results of the analysis of risks related to records processes and systems should be integrated into
the organization’s general risk management framework. In doing so, the organization will have better
control of its records and of their quality in meeting its business needs.
Clause 5 presents an exhaustive list of the areas of uncertainty related to records processes and systems,
serving as a guide to risk identification.
Clause 6 gives guidance on determining the consequences and probabilities of the risk events that have
been identified, taking into account the presence (or absence) and the effectiveness of existing controls.
Clause 7 gives guidance on determining the significance of the level and type of risk identified.
This report does not address risk treatment. Once the assessment of risks related to records processes
and systems is complete, the assessed risks are documented and communicated to the function
responsible for risk management within the organization. The response to the assessed risks falls within
the organization’s overall risk management programme. The records professional assigns a priority to
the assessed risks to support the organization’s decisions on managing them.
Figure 1 — Risk management process
NOTE Figure 1 is taken from ISO 31000:2009. The numbering refers to the text of ISO 31000.
TECHNICAL REPORT ISO/TR 18128:2014(F)
Information and documentation — Risk assessment
for records processes and systems
1 Scope
This Technical Report is intended to assist organizations in assessing risks to records processes and
systems so they can ensure records continue to meet identified business needs as long as required.
This report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and
systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems,
and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
This Technical Report does not address the general risks related to an organization’s operations that
can be mitigated by the creation of records.
This Technical Report can be used by all organizations, regardless of size, nature of their activities, or
complexity of their functions and structure. These factors, and the regulatory regime in which the
organization operates and which prescribes the creation and control of its records, are taken into
account when identifying and assessing risks related to records and records systems.
The definition of an organization, or the identification of its boundaries, should take into account the
complex structures, partnerships, and contractual arrangements for outsourced services and supply
chains that are now a common feature of public and private entities. Identifying the organization’s
boundaries is the first step in defining the scope of a records risk assessment project.
This Technical Report does not directly address risk mitigation, since the methods for it differ from one
organization to another.
This Technical Report can be used by records professionals or people who have responsibility for
records in their organizations and by auditors or managers who have responsibility for risk management
programmes in their organizations.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300:2011, Information and documentation — Management systems for records — Fundamentals and vocabulary
ISO Guide 73:2009, Risk management — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300 and ISO Guide 73 and the following apply.
3.1 Terms specific to risk
3.1.1
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected, positive and/or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequences, or its likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73, 3.5.1.3) and consequences (ISO Guide 73, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (ISO Guide 73, 3.6.1.1).
[SOURCE: ISO Guide 73:2009, definition 1.1]
3.2 Terms specific to records
3.2.1
records system
information system which captures, organizes, manages and provides access to records over time
Note 1 to entry: This may include business applications or systems that create and preserve records.
[SOURCE: ISO 30300:2011, definition 3.4.4]
3.2.2
records process
set of activities that enable an organization to create, control, use, retain and dispose of records
4 Organizational risk assessment criteria
4.1 Risk assessment
Risk assessment for records processes and systems should be included in the organization's general risk management process, where one exists. In that case, records professionals should take into account the organization's external and internal context, as well as the context of the risk management process itself, including:
a) roles and responsibilities: the role of records professionals in assessing risk related to records processes and systems should be specified;
b) the scope and extent of risk assessment activities: to avoid duplication and conflict, and to allow an integrated approach to risk assessment that includes records, the relationships with other areas of risk assessment, such as information security, should be clarified;
© ISO 2014 – All rights reserved
c) methodology: a standardized risk assessment methodology should be applied, using the existing risk assessment tools and reporting to the designated group of people;
d) risk criteria: where the organization has general risk criteria, risks related to records processes and systems should be evaluated using those criteria.
Where the organization has no general risk management process, records professionals need to determine risk criteria applicable to records processes and systems before the assessment process begins.
4.2 Risk criteria
The criteria should be based on the regulatory requirements in force in the organization's jurisdiction and should incorporate:
a) the nature and types of consequences to be included, and how they will be measured;
b) the way in which likelihood is expressed;
c) the method of determining the level of risk;
d) the criteria for deciding when a risk needs treatment;
e) the criteria for deciding whether a risk is acceptable and/or tolerable;
f) the conditions under which, and the method by which, combinations of risks are taken into account.
Regarding the nature and types of consequences to be included in the risk assessment of records processes and systems, there is a general premise that applies to all organizations. Only records that possess the characteristics of authenticity, reliability and integrity, and that remain usable for as long as required, will meet the organization's needs. Risk identification rests on the potential of risks to compromise these general characteristics of records, rendering them unable to fulfil the purposes for which they were created.
For the analysis of the likelihood and frequency of events in the risk assessment, see 6.2.
Risk evaluation criteria, including the criteria for deciding whether a risk is acceptable or needs treatment, include the size and extent of the organization's records systems, the number of users and the use made of the system in the organization's operations.
Similarly, the criteria for evaluating risks that affect records processes should include the frequency of the process, the number of systems in which it is used, its relative importance in the creation or management of records, the traceability of the process and its potential to reverse or remedy adverse effects.
4.3 Assigning priorities
In general, the organization must determine which records constitute vital records for its operations and the level of importance attached to them. These are management decisions based on the advice of records professionals and business managers.
The priority assigned to individual records, their aggregations, records-related processes or specific records systems may also be assessed according to the responses required for major disasters affecting all or part of the organization's operations. For example, in a first phase, certain records need to be available immediately after a natural disaster, such as the addresses and telephone numbers of security contacts, records of entry to the plant or building, contact details of the disaster-plan response teams, insurance contacts and policy details. In a second phase, the organization's business continuity planning should identify the functions to be restored first and the records that make this possible.
Particular attention should be paid to situations in which a combination of risks concerns records identified as vital to the organization's operations.
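To make the elements of the risk criteria in 4.2 and the combination rule in 4.3 concrete, here is an added Python example (it is not part of ISO/TR 18128 and not an ISO artefact): a small records risk register whose scales, thresholds, system names and sample risks are constructed assumptions.

```python
# Added example, not part of ISO/TR 18128: a minimal records risk register
# that applies the elements of the risk criteria listed in 4.2 to constructed
# sample risks and applies the 4.3 rule that a combination of risks concerning
# vital records deserves particular attention. The scales, thresholds, system
# names and sample risks are assumptions chosen for illustration.
from dataclasses import dataclass
from enum import Enum


class Characteristic(Enum):
    """The four record characteristics named in 4.2 that a risk may compromise."""
    AUTHENTICITY = "authenticity"
    RELIABILITY = "reliability"
    INTEGRITY = "integrity"
    USABILITY = "usability"


# 4.2 a) how consequences are measured and 4.2 b) how likelihood is expressed:
# assumed five-point ordinal scales.
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# 4.2 d) and e): assumed thresholds on the risk level.
TREATMENT_THRESHOLD = 8   # a level at or above this requires treatment
ACCEPTABLE_MAX = 4        # a level at or below this is acceptable without action


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    system: str                   # records system or process concerned
    characteristics: frozenset    # Characteristic members at stake
    consequence: str              # key of CONSEQUENCE
    likelihood: str               # key of LIKELIHOOD
    vital_records: bool = False   # 4.3: concerns records identified as vital

    def level(self) -> int:
        """4.2 c) method of determining the level of risk: assumed product of scales."""
        return CONSEQUENCE[self.consequence] * LIKELIHOOD[self.likelihood]


def classify(risk: Risk) -> str:
    """Apply the 4.2 d) and e) criteria to one risk."""
    level = risk.level()
    if level <= ACCEPTABLE_MAX:
        return "acceptable"
    if level >= TREATMENT_THRESHOLD:
        return "treat"
    return "tolerable"


def summarise(register) -> dict:
    """Classification of every risk in the register, keyed by identifier."""
    return {r.risk_id: classify(r) for r in register}


def combined_on_vital_records(register) -> dict:
    """4.2 f) and 4.3: find systems where two or more risks concern vital records
    and report the characteristics jointly at stake, whatever each risk's own level."""
    by_system = {}
    for r in register:
        if r.vital_records:
            by_system.setdefault(r.system, []).append(r)
    return {
        system: sorted(c.value for c in frozenset().union(*(r.characteristics for r in rs)))
        for system, rs in by_system.items()
        if len(rs) >= 2
    }


def build_register():
    """Constructed sample risks drawn from the areas of uncertainty in Clause 5."""
    return [
        Risk("R1", "Uncorrected weakness in the records system permits unauthorized "
             "modification of records (5.2.4)", "EDRMS",
             frozenset({Characteristic.INTEGRITY, Characteristic.AUTHENTICITY}),
             "major", "possible", vital_records=True),
        Risk("R2", "Restores from backups have never been verified (5.4.2 g)", "EDRMS",
             frozenset({Characteristic.USABILITY}), "severe", "unlikely",
             vital_records=True),
        Risk("R3", "Only one administrator knows the retrieval procedures for the "
             "legacy archive (5.3.1 e)", "Legacy archive",
             frozenset({Characteristic.USABILITY}), "moderate", "unlikely"),
        Risk("R4", "Retention triggers for a minor HR series not yet updated after a "
             "policy change (5.4.1 b)", "HR system",
             frozenset({Characteristic.RELIABILITY}), "minor", "unlikely"),
    ]


if __name__ == "__main__":
    register = build_register()
    for risk_id, verdict in summarise(register).items():
        print(risk_id, verdict)
    print("combined risks on vital records:", combined_on_vital_records(register))
```

R3 and R4 show the tolerable and acceptable outcomes, while R1 and R2 together illustrate why the EDRMS is flagged even though each would already be reviewed on its own.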
5 Risk identification
5.1 General
Risk identification is structured according to the following categories: context, systems and processes involved in the creation and control of the organization's records.
The organization's external context refers to the political and societal, macro-economic and technological, and physical and environmental factors outside its control which nevertheless affect its operations and are taken into account when determining its records requirements. The external context includes external stakeholders who have a particular interest in the organization's operations.
The organization also has an internal context, namely the internal factors outside the control of the records professional(s) responsible for records processes and systems. The internal context includes factors such as the organization's structure and finances, the technology it deploys, its resources (human and budgetary) and the organization's culture, all of which influence records management policies and practices.
Potential events with uncertain effects may be external or internal to the organization.
The uncertain effects caused by a change in the external context may differ depending on the perspective of the different levels of the organization (see Figure 2). It is also recognized that any change brings opportunities that may have a positive effect.
Figure 2 — Multiple contextual elements influencing an organization's records and records processes
The objective of risk identification is to identify what may happen, or the kind of situation that may arise, that could affect the ability of records to meet the organization's needs.
The risk identification process encompasses the identification of the causes and source of risk, of events, situations or circumstances that could have a material effect on the organization's objectives, and of the nature of those consequences. There are many risk identification methods. For a comparison of the main methods, see IEC 31010:2009, Annex B.
Identified risks should be documented, either in a records-specific risk register or in the organization's risk register. See the example provided in Annex A.
NOTE Annex B is an example checklist, based on the structure of Clause 5, that an organization can use to identify systematically the risks related to records processes and systems.
5.2 Context: External factors
5.2.1 Areas of uncertainty: Changes in the political and social context
Changes in the national or international political and social climate can affect attitudes towards government and the conduct of business. This can bring about legal and regulatory reforms that affect the organization's operations and, consequently, its records requirements.
National security, access to government or business information, personal data protection, intellectual property rights and corporate reporting responsibilities are examples of areas of changing attitudes that can affect records requirements. More generally, examples of areas of uncertainty include:
a) legal and regulatory changes affecting the organization's records requirements;
b) changes in government policy affecting the organization's records, records processes and systems;
c) new standards or codes of practice affecting the organization's records, records processes and systems;
d) a change in the demand for records services;
e) a change in stakeholder expectations;
f) changes affecting the reputation of, or the trust placed in, an organization's ability to deliver its services.
5.2.2 Areas of uncertainty: Macro-economic and technological environment
Changes in the macro-economic, commercial and industrial environment, and in the information technology sector, have major consequences for competition and customer expectations. Changes may occur gradually and continuously or suddenly, as a result of crises, but they constitute an area of uncertainty that may also present positive opportunities.
Examples of areas of uncertainty resulting from changes in the macro-economic and commercial environment include:
a) changes in the ownership and/or financial resources of the organization affecting management priorities, including the management of records;
b) changes in the organization's objectives, functions and operations, leading to changes in records requirements;
c) an increase in the activity of regulatory bodies, leading to increased external demands for records;
d) an increase in litigation, leading to increased requests for records;
e) the introduction and adoption of new technologies in society;
EXAMPLES The expansion of social media for business purposes; the use of mobile computing devices by businesses.
f) changes in the organization's market or customer base.
These changes will be met by organizational changes, discussed below (see 5.3.1).
5.2.3 Areas of uncertainty: Physical environment and infrastructure
The possibility of large-scale disasters, whether natural or man-made, affecting the general operations of the organization is a major area of uncertainty requiring identification and assessment. Among the potential damage from such disasters, some has a direct effect on records and their storage, and some a less direct effect through the suspension of services on which the organization depends, for example water, electricity and other essential services. Areas of uncertainty include:
a) destructive or disruptive regional or local environmental events, such as earthquakes, hurricanes, cyclones, tsunamis, floods, fires, severe storms or prolonged droughts;
b) the possibility that acts of war or terrorism cause major structural damage or disrupt the services delivered to the organization's facilities or in their vicinity;
c) other disruptions to the organization's transport, IT, waste management, water and electricity supply services or to other essential services, whether public or not.
5.2.4 Areas of uncertainty: External security threats
Risk identification must include external threats arising from hostility and affecting security, whose potential consequences range from damage to facilities or networks to unauthorized access to systems, including records systems. Examples of external security threats include:
a) external intrusion into, or unauthorized access to, records systems and unauthorized changes to records;
b) an unidentified security compromise, or the exploitation of an unmonitored vulnerability, leading to degradation of information;
EXAMPLE The use of spyware or malware; a vulnerability arising from uncorrected flaws or weaknesses in software security.
c) physical intrusion into archival records storage or into computer space;
d) denial of service or other deliberate attack via Internet services;
e) acts of vandalism;
f) loss of third-party services on which records systems depend.
NOTE Risk assessment is an integral part of implementing the ISO/IEC 27000 series of International Standards on information security. They apply to a wide range of areas of uncertainty related to information security.
5.3 Context: Internal factors
5.3.1 Areas of uncertainty: Organizational change
Management decisions affecting the organization, such as mergers, takeovers and other acquisitions, restructuring, rationalization, outsourcing or, conversely, insourcing of services, constitute an area of uncertainty related to the organization's internal context. These decisions will affect records processes and systems, for example:
a) a change in the ownership of records and records systems, and the resulting transfer of records to and from the organization;
b) a change in the ownership of records and records systems leading to the forced migration of records or the merging of systems;
c) arrangements for access to records systems to preserve the right of access to records following transfers and migrations;
d) a handover of responsibility for records and records systems without adequate documentation;
e) staff departures or loss of corporate memory affecting knowledge of the records and systems used, in particular knowledge of the procedures for retrieving and using them, and of older records handed over as part of the organizational change;
f) abandonment of records and records systems, particularly legacy systems, for which no responsibility has been assigned;
g) changes in the terms of service contracts concluded with third parties;
h) new internal policies, or changes to the organization's existing policies, affecting records systems and processes;
i) policies and procedures that have not been reviewed and updated and that are no longer applicable, or have become inconsistent or contradictory following the organizational change;
j) changes in the organization's human resources that may affect responsibility for records;
k) changes in human resources policy, training budgets and career opportunities affecting the capability of the staff responsible for records; and
l) a disaster recovery plan that is not kept up to date, which may affect records in the event of a disaster.
5.3.2 Areas of uncertainty: Technological change
The introduction of new technologies and systems presents opportunities for improvement but also creates areas of uncertainty that may lead to adverse effects. Areas of uncertainty include:
a) technological changes affecting interoperability between the systems that create or control records;
b) compatibility with existing platforms and systems;
c) planning and implementing the migration of records;
d) reconfiguration of responsibilities and controls related to records processes;
e) the effectiveness of the implementation of the change;
EXAMPLE The adequacy of project planning and management for implementing a new platform or new software.
f) the extent to which existing policies apply to the new technologies the organization has adopted;
EXAMPLE The use of cloud services, social media, RFID, GPS.
g) the ability of system administrators and developers deploying new technologies to understand the implications of those technologies for records requirements, both at the project stage and during implementation;
EXAMPLE The use of collaborative software or wiki environments for developing new systems, which cannot properly capture the project records and system documentation.
h) the capacity of the existing technical infrastructure to meet the new requirements arising from the technological development of the organization or of its records systems.
5.3.3 Areas of uncertainty: Resources — Staff and skills
The organization depends on the competence of its staff to carry out all of its operations, including those concerning records systems and processes. The records professional or the employees responsible for records management evaluate the areas of uncertainty, including:
a) the number of employees responsible for creating and controlling records and for designing and updating records systems;
b) awareness of records policies and processes;
c) management commitment to records management;
d) awareness of the risks related to records processes and systems, and management's ability to make decisions on appropriate mitigation measures;
e) management of the relationship between administrative responsibilities for records systems and the perspective of operational users;
f) the adequacy of employees' skills for creating and controlling records;
g) the departure of key employees with essential skills and in-depth knowledge of the organization and its history;
h) deterioration in staff skill levels;
i) the adequacy of the means of evaluating staff effectiveness or capability.
5.3.4 Areas of uncertainty: Resources — Finance and equipment
The financial and material resources made available for properly managing records processes and systems are conditioned both by the external economic and professional environment and by the degree of support shown for records management within the organization. Areas of uncertainty include:
a) the sufficiency of the financial resources allocated to meet records management commitments and objectives;
b) the sufficiency of the financial resources allocated to acquire, update or preserve adequate systems.
5.4 Records systems
When assessing the consequences of risk for the systems that create or control records, the design of those systems and the issues of maintenance, sustainability, continuity, interoperability and security should be taken into account. The systems used by the organization evolve over time, in response to economic circumstances, changes in its activities and staff, and changes in its size and structure. It is essential that management be properly informed of the risks related to records systems and that it take responsibility for the organization's response to them.
NOTE 1 All references to systems in this section may be read as references to records systems as defined in 3.2.1.
NOTE 2 When identifying system-related risks in organizations that implement the controls of ISO/IEC 27001, records professionals should take into account how those controls may mitigate the risks in certain areas of uncertainty. In organizations that have not implemented ISO/IEC 27001, those controls may be considered as a source of mitigation actions. Annex C consists of a table that maps examples of areas of uncertainty related to records systems to the ISO/IEC 27001 controls.
5.4.1 Areas of uncertainty: System design
System design and configuration are essential to the creation and longevity of records. They overlap with risk identification for records processes. Adequate documentation of system configuration is the foundation for addressing the other areas of risk at the level of those systems, and also at the level of their processes.
NOTE See 5.5 for records processes embedded in systems.
Based on current experience, the identification of risks related to system design, particularly in a digital context, includes the following elements:
a) definition of the records, so that the system creates and manages records that are fit for its purposes;
EXAMPLE All the record-related elements in a transactional database are identified and managed so that the transactions can be retrieved or recreated.
b) correct identification of retention requirements;
EXAMPLE Retention periods and the "triggers" for disposition actions are specified in the record-related elements.
c) identification and documentation of all the necessary records processes that the system must handle;
d) the effectiveness of the records system design as suited to the organization's staff and technology;
e) negotiation of dependence on the vendor's technical support;
f) access to vendor documentation.
5.4.2 Areas of uncertainty: Maintenance
Maintenance of records systems refers essentially to the aspects of system and technology platform support that are affected by structural change in the organization, the implementation of new systems, technological change, and the competence and reliability of technical support.
Areas of uncertainty include:
a) changes to the business and to operating systems affecting records systems;
b) the level of qualification of system administrators and their understanding of the records management requirements within the systems;
c) the reliability of system vendors and their ability to maintain and technologically update the systems;
d) the adequacy of the documentation of operational maintenance procedures;
e) the adequacy of the systems' technical documentation;
f) the adequacy of the documented backup procedures for records systems;
g) the adequacy of restores performed from the backups.
5.4.3 Areas of uncertainty: Sustainability and continuity
The sustainability of records systems depends on monitoring the organization's internal and external contexts, with records systems being updated to meet changing needs.
Continuity planning for records systems takes into account the organization's business continuity planning. In the absence of an organizational business continuity plan, the records professional evaluates the records systems to determine the priorities and procedures for restoration following any disruption of service.
Among the
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

Die Norm SIST-TP ISO/TR 18128:2018 bietet eine umfassende Grundlage für die Risikoanalyse von Aufzeichnungsprozessen und -systemen. Ihr klar definierter Anwendungsbereich ermöglicht es Organisationen, Risiken in Bezug auf ihre Dokumentationsprozesse systematisch zu bewerten. Besonders hervorzuheben ist, dass die Norm eine Methodik bereitstellt, um potenzielle Risiken zu identifizieren und deren Auswirkungen auf die Aufzeichnungsprozesse präzise zu analysieren. Dies stellt sicher, dass die Aufzeichnungen auch weiterhin den festgestellten geschäftlichen Anforderungen entsprechen, solange dies erforderlich ist. Die Stärken der Norm liegen in ihrer Flexibilität und Anwendbarkeit auf jegliche Organisationen, unabhängig von deren Größe oder Komplexität. Sie berücksichtigt die spezifischen regulatorischen Rahmenbedingungen, denen die Organisation unterliegt, was die Relevanz der Norm in unterschiedlichen Branchen erhöht. Dies ist besonders wichtig in einer Zeit, in der der Umgang mit Daten und Dokumenten zunehmend unter regulatorischen Druck gerät. Darüber hinaus bietet die Norm nicht nur Richtlinien für die Durchführung von Risikoanalysen, sondern auch für die Dokumentation der identifizierten Risiken. Diese Vorgaben sind entscheidend für die Vorbereitung von Maßnahmen zur Risikominderung. Die Anwendbarkeit für Fachkräfte im Bereich Dokumentation sowie für Auditoren und Manager, die Verantwortung für Risikomanagementprogramme tragen, unterstreicht die umfassende Relevanz der Norm. Insgesamt ist die SIST-TP ISO/TR 18128:2018 eine essentielle Ressource für Organisationen, die ihre Aufzeichnungsprozesse und -systeme sicher und effektiv steuern möchten. Sie bietet eine systematische Herangehensweise zur Risikoidentifizierung und -bewertung, die sich als unverzichtbar erweist, um die Integrität und Verfügbarkeit von Dokumenten in einem sich ständig verändernden regulatorischen Umfeld zu gewährleisten.

SIST-TP ISO/TR 18128:2018 표준은 정보 및 문서 관리 분야에서 기록 프로세스 및 시스템에 대한 위험 평가를 위한 지침을 제공합니다. 이 표준은 조직이 기록 프로세스와 시스템의 위험을 평가할 수 있도록 돕고, 이를 통해 조직의 비즈니스 요구에 지속적으로 부합하는 기록을 유지할 수 있도록 하는 데 중점을 두고 있습니다. 이 표준의 주요 강점 중 하나는 위험 분석을 위한 구체적인 방법론을 제시한다는 점입니다. 이를 통해 조직은 기록 관리와 관련된 다양한 위험 요소를 식별하고 분석할 수 있으며, 불리한 사건의 잠재적 영향을 평가하는 방법도 제공합니다. 이러한 방법론은 조직이 직면할 수 있는 위험을 구조적으로 분석할 수 있게 하여, 보다 효과적인 위험 관리를 가능하게 합니다. SIST-TP ISO/TR 18128:2018는 모든 조직에 적용 가능하다는 점에서 매우 유용합니다. 기업의 규모, 활동의 성격, 기능 및 구조의 복잡성에 관계없이 이 표준을 활용하여 기록 프로세스 및 시스템의 위험을 평가할 수 있습니다. 특히, 조직이 운영하는 규제 체계에 따라 기록의 생성과 통제를 고려하여 위험을 식별하는 것이 중요합니다. 또한, 이 표준은 기록 관리에 책임이 있는 전문가뿐만 아니라, 조직의 위험 관리 프로그램을 담당하는 감사인이나 관리자들에게도 실질적인 가이드를 제공합니다. 이는 조직 내 모든 관련 주체가 위험을 문서화하고 완화 준비를 하는 데 필요한 절차를 수립하는 데 직접적인 도움을 줍니다. 결론적으로, SIST-TP ISO/TR 18128:2018 표준은 기록 프로세스 및 시스템의 위험 평가에 필요한 체계적인 접근 방식을 제공하여, 조직이 지속 가능하고 효과적인 기록 관리를 실현하는 데 필요한 기초를 마련해 줍니다. 이러한 표준의 적용은 장기적으로 조직의 비즈니스 성과에 긍정적인 영향을 미칠 것입니다.

The SIST-TP ISO/TR 18128:2018 standard provides a comprehensive framework for organizations to assess risks related to records processes and systems. Its primary scope revolves around assisting entities in ensuring that their records continue to meet identified business needs throughout their lifecycle. This standard stands out due to several strengths. Firstly, it establishes a robust method of analysis for identifying risks, addressing various types of vulnerabilities that may affect records processes and systems. This proactive approach allows organizations to recognize potential threats before they escalate into significant issues. Secondly, the document offers a thorough method for analyzing the potential effects of adverse events on records. By evaluating these impacts, organizations can prioritize their risk management efforts effectively, ensuring resources are allocated to the most critical areas. Furthermore, the guidelines for conducting risk assessments are particularly valuable, as they provide a structured approach that can be readily adopted by organizations of all sizes and complexities. The inclusive nature of the standard means that it can be beneficial for any organization, whether large or small, and regardless of the nature of their activities. This versatility enhances its relevance in today's diverse business environment. Additionally, the standard emphasizes the importance of documenting identified and assessed risks, which serves as a crucial preparatory step for mitigation. By formalizing these processes, organizations can create a more resilient record management framework that can withstand potential disruptions. SIST-TP ISO/TR 18128:2018 is also significantly relevant for professionals tasked with record management and auditors overseeing risk management programs. 
The guidelines are designed to be user-friendly, empowering records professionals to engage in effective risk assessment, and helping organizations uphold compliance with regulatory requirements. Lastly, the consideration of the regulatory regime within which organizations operate provides an essential layer of context, ensuring that risks are not only assessed in isolation but also in alignment with legal and operational obligations. This comprehensive approach reinforces the standard's applicability across various sectors, making it a critical tool for effective records management and risk mitigation. Overall, SIST-TP ISO/TR 18128:2018 demonstrates a forward-thinking approach to risk assessment in records processes and systems, promoting best practices that support organizational resilience and compliance.

SIST-TP ISO/TR 18128:2018 is an important standard in the field of information and documentation, providing guidance on risk assessment for records processes and systems. Its main purpose is to establish a methodology by which organizations can identify and assess the risks related to their records processes and systems. The scope of the standard is broad, and it is designed so that all organizations can use it. Regardless of an organization's size, the nature of its activities, or the complexity of its functions, ISO/TR 18128:2014 sets out a risk assessment method and aims to ensure that records meet the requirements for responding to business needs over the long term. The strength of the standard lies in its systematic approach to risk-related issues. Specifically, it is built on the following four main points:
a) It establishes a method of analysis for identifying risks related to records processes and systems.
b) It provides a method for analysing the potential effects of unexpected events on records processes and systems.
c) By providing guidelines for conducting risk assessments, it enables organizations to manage risk realistically and effectively.
d) It presents guidelines for documenting identified and assessed risks, supporting the process of preparing risk mitigation measures.
SIST-TP ISO/TR 18128:2018 can be used by records professionals and by people with responsibility for records within an organization, as well as by auditors and managers responsible for risk management programmes. As a result, the standard is applicable to a wide range of industries and organizations and promotes effective and comprehensive risk management. Because it provides a foundation for organizations to understand the risks they face more deeply and to take practical countermeasures, the standard plays an extremely important role in modern records management. Using it in risk management is essential for ensuring the soundness and sustainability of records processes.

The SIST-TP ISO/TR 18128:2018 standard is a valuable tool for organizations seeking to assess the risks related to records processes and systems. Its scope is particularly relevant because it addresses a wide range of organizations, regardless of their size or the nature of their activities, which broadens its reach and use. One of the strengths of this standard is its rigorous method of analysis, which makes it possible to identify the risks associated with records processes and systems. In addition, it proposes an assessment of the potential effects of adverse events, thereby providing a proactive approach to risk management. The guidelines provided for conducting risk assessments are clear and practical, which makes them easy to implement in different organizational contexts. Another notable aspect of SIST-TP ISO/TR 18128:2018 is its ability to integrate the regulatory framework within which organizations operate. This ensures that the risk assessment takes into account not only internal specifics but also the external requirements that may influence the creation and control of records. This holistic approach strengthens the relevance of the standard in an increasingly complex business environment. Finally, the standard offers guidance on documenting identified and assessed risks, thereby contributing to preparation for mitigation measures. This is essential for records professionals and risk managers, as it gives them a clear framework for communicating and managing risk within their organizations. In short, SIST-TP ISO/TR 18128:2018 positions itself as an indispensable resource for information professionals, facilitating risk assessment for records processes and systems.
Its methodology, its consideration of varied contexts and its practical recommendations make it an essential standard in the field of records-related risk management.