Information and documentation -- Risk assessment for records processes and systems

This Technical Report intends to assist organizations in assessing risks to records processes and systems
so they can ensure records continue to meet identified business needs as long as required.
The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and
systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems,
and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
This Technical Report does not address the general risks to an organization’s operations which can be
mitigated by creating records.
This Technical Report can be used by all organizations regardless of size, nature of their activities,
or complexity of their functions and structure. These factors, and the regulatory regime in which the
organization operates which prescribes the creation and control of its records, are taken into account
when identifying and assessing risk related to records and records systems.
Defining an organization or identifying its boundaries should take into account the complex structures
and partnerships and contractual arrangements for outsourcing services and supply chains which are a
common feature of contemporary government and corporate entities. Identifying the boundaries of the
organization is the initial step in defining the scope of the project of risk assessment related to records.
This Technical Report does not address directly the mitigation of risks as methods for these will vary
from organization to organization.
The Technical Report can be used by records professionals or people who have responsibility for records
in their organizations and by auditors or managers who have responsibility for risk management
programs in their organizations.

Information and documentation -- Risk assessment for records processes and systems

ISO/TR 18128:2014 is intended to help organizations assess the risks related to records processes and systems so that they can ensure that records meet identified business needs for as long as necessary.
ISO/TR 18128:2014
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method for analysing the potential effects of adverse events on records processes and systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems, and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation measures.
ISO/TR 18128:2014 can be used by all organizations, regardless of their size, the nature of their activities or the complexity of their functions and structure. These factors, together with the regulatory regime in which the organization operates and which prescribes the creation and control of its records, are taken into account when identifying and assessing risks related to records and records systems.
ISO/TR 18128:2014 can be used by records management professionals or by people responsible for records in their organization, as well as by auditors or managers responsible for risk management programmes in their organization.

Information and documentation - Risk assessment for records processes and systems

This Technical Report is intended to support organizations in assessing risks to records processes and systems, so that they can ensure records remain fit for identified business needs.
The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) establishes a method for analysing the potential effects of adverse events on records processes and systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems, and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
This Technical Report does not address the general risks to an organization's operations which can be mitigated by creating records.
This Technical Report can be used by all organizations, regardless of size, the nature of their activities or the complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates and which prescribes the creation and control of records, are taken into account when identifying and assessing risks related to records processes and systems.
Defining an organization or identifying its boundaries should take into account the complex structures, partnerships and contractual arrangements for outsourced services and supply chains which are common features of contemporary government bodies and business entities. Identifying the boundaries of the organization is the first step in defining the scope of the records-related risk assessment project.
This Technical Report does not directly address risk mitigation, since the methods for this vary from organization to organization.
The Technical Report can be used by records professionals or persons responsible for records in their organizations, and by auditors or managers responsible for risk management programmes in their organizations.

General Information

Status
Published
Public Enquiry End Date
30-Dec-2016
Publication Date
23-Aug-2018
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
27-Jul-2018
Due Date
01-Oct-2018
Completion Date
24-Aug-2018

Buy Standard

Technical report
TP ISO/TR 18128:2018 - BARVE
English language
43 pages
Technical report
ISO/TR 18128:2014 - Information and documentation -- Risk assessment for records processes and systems
English language
37 pages
Technical report
ISO/TR 18128:2014 - Information et documentation -- Evaluation du risque pour les processus et systemes d'enregistrement
French language
47 pages
Draft
TP ISO/TR 18128:2016 - BARVE
English language
43 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST-TP ISO/TR 18128:2018
1 September 2018
Information and documentation - Risk assessment for records processes and systems
Information and documentation -- Risk assessment for records processes and systems
Information et documentation -- Evaluation du risque pour les processus et systèmes
d'enregistrement
This Slovenian standard is identical to: ISO/TR 18128:2014
ICS:
01.140.20 Information sciences
03.100.01 Company organization and management in general
SIST-TP ISO/TR 18128:2018 en
2003-01. Slovenian Institute for Standardization. Reproduction of all or parts of this standard is not permitted.

TECHNICAL ISO/TR
REPORT 18128
First edition
2014-03-15
Information and documentation —
Risk assessment for records processes
and systems
Information et documentation — Evaluation du risque pour les
processus et systèmes d’enregistrement
Reference number
ISO/TR 18128:2014(E)
©
ISO 2014


COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved


Contents
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 2
3.1 Terms specific to risk ... 2
3.2 Terms specific to records ... 2
4 Risk assessment criteria for the organization ... 2
4.1 Assessment of risk ... 2
4.2 Risk criteria ... 3
4.3 Assignment of priority ... 3
5 Risk identification ... 3
5.1 General ... 3
5.2 Context: External factors ... 5
5.3 Context: Internal factors ... 6
5.4 Records systems ... 8
5.5 Records processes ... 11
6 Analysing identified risks ... 12
6.1 General ... 12
6.2 Likelihood analysis and probability estimation ... 13
7 Evaluating risks ... 15
7.1 General ... 15
7.2 Evaluating impact of adverse events ... 16
7.3 Evaluating the risk ... 16
8 Communicating the identified risks ... 17
Annex A (informative) Example of a documented risk entry in a risk register ... 19
Annex B (informative) Example: checklists for identifying areas of uncertainty ... 20
Annex C (informative) Guide to using controls from ISO/IEC 27001, Annex A ... 27
Bibliography ... 37

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 46, Information and documentation, Subcommittee
SC 11, Archives/records management.

Introduction
All organizations identify and manage the risks to their functioning successfully. Identifying and
managing the risks to records processes and systems is the responsibility of the organization’s records
professional.
This Technical Report is intended to help records professionals and people who have responsibility for
records in their organization to assess the risks related to records processes and systems.
NOTE System means any business application which creates and stores records.
This is distinct from the task of identifying and assessing the organization’s business risks to which
creating and keeping adequate records is one strategic response. The decisions to create or not create
records in response to general business risk are business decisions which should be informed by the
analysis of the organization’s records requirements undertaken by records professionals together with
business managers. The premise of this Technical Report is that the organization has created records
of its business activities to meet operational and other purposes and has established at least minimal
mechanisms for the systematic management and control of the records.
The consequence of risk events to records processes and systems is the loss of, or damage to, records,
which are then no longer useable, reliable, authentic, complete, or unaltered, and which therefore can fail
to meet the organization’s purposes.
The Technical Report provides guidance and examples based on the general risk management process
established in ISO 31000 (see Figure 1) to apply to risks related to records processes and systems. It
covers
a) risk identification,
b) risk analysis, and
c) risk evaluation.
The results of the analysis of risk to records processes and systems should be incorporated into the
organization’s general risk management framework. As a result, the organization will have better
control of its records and their quality for business purposes.
Clause 5 provides a comprehensive list of areas of uncertainty related to records processes and systems
as a guide for risk identification.
Clause 6 provides guidance on determining the consequences and probabilities of identified risk events,
taking into account the presence (or absence) and the effectiveness of any existing controls.
Clause 7 provides guidance on determining the significance of the level and type of risks identified.
The report does not deal with risk treatment. Once the assessment of risks related to records processes
and systems has been completed, the assessed risks are documented and communicated to the
organization’s risk management section. Response to the assessed risks is undertaken as part of the
organization’s overall risk management program. The priority assigned by the records professional to
the assessed risks is provided to inform the organization’s decisions about managing those risks.

Figure 1 — Risk Management process
NOTE Figure 1 from ISO 31000:2009. Numbering refers to text of ISO 31000.
Information and documentation — Risk assessment for
records processes and systems
1 Scope
This Technical Report intends to assist organizations in assessing risks to records processes and systems
so they can ensure records continue to meet identified business needs as long as required.
The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and
systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems,
and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
This Technical Report does not address the general risks to an organization’s operations which can be
mitigated by creating records.
This Technical Report can be used by all organizations regardless of size, nature of their activities,
or complexity of their functions and structure. These factors, and the regulatory regime in which the
organization operates which prescribes the creation and control of its records, are taken into account
when identifying and assessing risk related to records and records systems.
Defining an organization or identifying its boundaries should take into account the complex structures
and partnerships and contractual arrangements for outsourcing services and supply chains which are a
common feature of contemporary government and corporate entities. Identifying the boundaries of the
organization is the initial step in defining the scope of the project of risk assessment related to records.
This Technical Report does not address directly the mitigation of risks as methods for these will vary
from organization to organization.
The Technical Report can be used by records professionals or people who have responsibility for records
in their organizations and by auditors or managers who have responsibility for risk management
programs in their organizations.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300:2011, Information and documentation — Management systems for records — Fundamentals
and vocabulary
ISO Guide 73:2009, Risk management — Vocabulary

3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300, ISO Guide 73 and the
following apply.
3.1 Terms specific to risk
3.1.1
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73:2009, 3.5.1.3) and
consequences (ISO Guide 73:2009, 3.6.1.3) or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood (ISO Guide 73, 3.6.1.1) of occurrence.
[SOURCE: ISO Guide 73:2009, definition 1.1]
3.2 Terms specific to records
3.2.1
records system
information system which captures, manages, and provides access to records through time
Note 1 to entry: This can include business applications or systems which create and maintain records.
[SOURCE: ISO 30300:2011, definition 3.4.4]
3.2.2
records processes
sets of activities by which records are created, controlled, used, kept and disposed of by the organization
4 Risk assessment criteria for the organization
4.1 Assessment of risk
Assessing risks for records processes and systems should be included, where it exists, in the
organization’s general risk management process. In this case, records professionals should take into
account the organization’s external and internal context and the context of the risk management process
itself, including the following:
a) Roles and responsibilities: The role of records professionals in the assessment of risk related to
records processes and systems should be specified.
b) Extent and scope of the risk assessment activities: Relationships with other risk assessment areas,
such as information security, should be made explicit to avoid redundancy and conflicts and enable
an integrated approach to risk assessment which includes records.
c) Methodology: The standard risk assessment methodology should be applied using the available risk
assessment tools and reporting to the designated area or person.
d) Risk criteria: Where general risk criteria for the organization are established, risks related to
records processes and systems should be assessed using these criteria.

Where the organization has not established a general risk management process, records professionals
need to establish the risk criteria applying to records processes and systems prior to the assessment
process.
4.2 Risk criteria
Criteria should be based on the legal requirements for the organization’s jurisdiction and should include
the following:
a) the nature and types of consequences to be included and how they will be measured;
b) the way in which probabilities are to be expressed;
c) how a level of risk will be determined;
d) the criteria by which it will be decided when a risk needs treatment;
e) the criteria for deciding when a risk is acceptable and/or tolerable;
f) whether and how combinations of risks will be taken into account.
Regarding the nature and types of consequences to be included in the risk assessment of records
processes and systems, there is a general starting point which applies to all organizations. Records
which are authentic, reliable, have integrity, and are useable for as long as they are required will support
the needs of the organization. Risks are identified based on their potential to undermine those general
characteristics of records which would make them fail to meet the purposes for which they are created.
For discussion of probability and frequency of events in risk assessment, see 6.2.
Criteria for evaluating risks, including the criteria by which it will be decided when a risk is acceptable
or needs treatment, include the size and reach of the records systems in the organization, the number of
users, and the use made of the system in the operations of the organization.
Similarly, criteria for evaluating risks affecting records processes should include the frequency of the
process, how many systems it is used in, its relative importance in creating or managing records, the
tracking of processes, and the potential for reversing or remedying adverse effects.
4.3 Assignment of priority
Generally, the organization shall determine which records are the core records of its operations and the
level of significance attached to them. These are business decisions based on the advice of both records
professionals and the business managers.
The priority assigned to individual records, their aggregations, records processes, or specific records
systems can also be assessed in relation to responses to major disasters affecting all or many business
operations. For example, first, certain records are needed in the immediate aftermath of a natural
disaster, such as security contacts’ addresses and phone numbers, building/facility entry records,
contact details of disaster plan response teams, and insurance contacts and policy details. Second, the
organization’s business continuity planning should identify the functions which need to be restored
first and the records needed to do so.
Special attention should be paid to where a combination of risks applies to records identified as core
operational.
5 Risk identification
5.1 General
Identification of risks is structured under the following categories: context, systems, and processes
involved in creating and controlling the records of the organization.

The external context of the organization refers to the political and societal, the macro-economic and
technological, and the physical and environmental factors beyond its control, which have an impact
on its operations and are taken into account when determining its records requirements. The external
context includes the external stakeholders, who or which have a particular interest in the organization’s
operations.
The organization also has an internal context, which consists of the internal factors not controlled by the
records professional(s) responsible for the records processes and systems. The internal context includes
factors such as the structure and finances of the organization, the technology it deploys, the resourcing of
activities (people and budgets), and the organization’s culture, all of which influence the policies and
practices for managing records.
Potential events with uncertain effects can be external or internal to the organization.
Uncertain effects caused by change in the external context can differ according to the perspective of
the different levels of the organization (see Figure 2). It is also recognized that all change presents
opportunities which can be positive in effect.
Figure 2 — The multiple layers of context of an organization’s records and records processes
The purpose of risk identification is to identify what can happen or what situations can exist that could
affect the capacity of records to support the needs of the organization.
The risk identification process includes identifying the causes and source of the risk, events, situations,
or circumstances which could have a material impact upon the organization’s objectives and the
nature of that impact. There are numerous methods for risk identification. See IEC 31010, Annex B for a
comparison of major methods.
Identified risks should be documented in a risk register, either in one specific to records or in the
organization’s risk register. See the example given in Annex A.
NOTE Annex B is an example of a checklist based on the structure of Clause 5 which can be used in an
organization to identify risks to records processes and systems systematically.

5.2 Context: External factors
5.2.1 Areas of uncertainty: Changes in political-societal context
Changes in the political and societal climate, nationally and internationally, can affect public attitudes to
government and corporate behaviour. This can bring about legal and regulatory change, which impacts
the organization’s operations and, consequently, its records requirements.
Examples of areas of changing public attitudes which can affect records requirements are national
security, access to government and corporate information, privacy, intellectual property rights, and
corporate reporting responsibilities. More generally, examples of areas of uncertainty include the
following:
a) legal and regulatory changes affecting the organization’s records requirements;
b) changes in government policies affecting the organization’s records, records processes, and systems;
c) new standards or codes of practice that affect the organization’s records, records processes, and
systems;
d) changing demand for records services;
e) changing stakeholders’ expectations;
f) changes to reputation of, or trust in, the organization’s ability to deliver its services.
5.2.2 Areas of uncertainty: Macro-economic and technological environment
Changes in the macro-economic, business, and industrial environment and in information technology
have a high impact on competition and customer demand. Change can be gradual and continuous, or
punctuated by crises; it constitutes an area of uncertainty which can also offer positive opportunities.
Examples of areas of uncertainty arising from such changes to the macro-economic and business
environment include the following:
a) changes in ownership and/or revenues of the organization which affect management priorities
including managing records;
b) changes in the objectives, functions, and operations of the organization, changing records
requirements;
c) increased activity from regulators, increasing external demands for records;
d) increased litigation, increasing demands for records;
e) introduction and adoption of new technologies across society;
EXAMPLES Spread of social media to business use; use of mobile computing devices for business.
f) changes in the market or client base of the organization.
These changes will be reflected in organizational changes which are discussed below (see 5.3.1).
5.2.3 Areas of uncertainty: Physical environment and infrastructure
The possibility of large-scale, natural or man-made disasters affecting the general operations of the
organization is a major area of uncertainty requiring identification and assessment. The potential
damage of such disasters includes direct impact on the records and their storage and the less direct
impact of loss of services upon which the organization depends, for example, water and power supply
and other services. Areas of uncertainty include the following:
a) regional or local destructive or disruptive environmental phenomena such as earthquake,
hurricane/cyclone, tsunami, flood, fire, major storms, or prolonged drought;
b) the potential for acts of war or terrorism to cause major structural damage or disruption to service
supply to premises or vicinity of the organization;
c) other disruption to the organization’s power, water, waste management, information technology,
transport services, or other core utilities and services.
5.2.4 Areas of uncertainty: External security threats
Risk identification shall include hostile external security threats, with potential impacts ranging
from damage to premises or service supply to unauthorised access to systems, including records systems.
Examples of external security threats include the following:
a) unauthorised external intrusion/access into records systems and unauthorised changes to records;
b) unidentified security compromise or exploitation of vulnerability that is not monitored and leads to
information degradation;
EXAMPLE Use of spyware or malware and vulnerability from unpatched software security breaches or
weaknesses.
c) physical intrusion into records storage or IT hardware space;
d) denial of services or other intentional attack on Internet services;
e) physical vandalism;
f) loss of third-party services on which the records systems are dependent.
NOTE Risk assessment is an integral element of the implementation of ISO/IEC 27000 series of International
Standards for information security. They provide extensive coverage of areas of uncertainty related to information
security.
5.3 Context: Internal factors
5.3.1 Areas of uncertainty: Organizational change
Management decisions affecting the organization such as amalgamations, take-overs, and other
acquisitions, restructuring, downsizing, outsourcing, or the reverse, off-shoring of services constitute a
significant area of uncertainty in the internal context of the organization. These decisions will affect the
records processes and systems, for example,
a) change of ownership of records and records systems and consequent transfer of records to and
from the organization,
b) change of ownership of records and records systems resulting in forced migration of records or
amalgamations of systems,
c) access arrangements to records systems for continuing right of access to records, following transfers
and migrations,
d) inheritance of responsibility for records and records systems without adequate documentation,
e) loss of personnel or corporate memory affecting knowledge of current records and systems,
including knowledge of procedures to retrieve and use them, and of
...

TECHNICAL ISO/TR
REPORT 18128
First edition
2014-03-15
Information and documentation —
Risk assessment for records processes
and systems
Information et documentation — Evaluation du risque pour les
processus et systèmes d’enregistrement
Reference number
ISO/TR 18128:2014(E)
©
ISO 2014

---------------------- Page: 1 ----------------------
ISO/TR 18128:2014(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
3.1 Terms specific to risk . 2
3.2 Terms specific to records . 2
4 Risk assessment criteria for the organization . 2
4.1 Assessment of risk . 2
4.2 Risk criteria . 3
4.3 Assignment of priority . 3
5 Risk identification . 3
5.1 General . 3
5.2 Context: External factors . 5
5.3 Context: Internal factors . 6
5.4 Records systems . 8
5.5 Records processes .11
6 Analysing identified risks .12
6.1 General .12
6.2 Likelihood analysis and probability estimation .13
7 Evaluating risks .15
7.1 General .15
7.2 Evaluating impact of adverse events .16
7.3 Evaluating the risk .16
8 Communicating the identified risks .17
Annex A (informative) Example of a documented risk entry in a risk register .19
Annex B (informative) Example: checklists for identifying areas of uncertainty .20
Annex C (informative) Guide to using controls from ISO/IEC 27001, Annex A .27
Bibliography .37
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT), see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 46, Information and documentation, Subcommittee
SC 11, Archives/records management.
Introduction
All organizations identify and manage the risks to their functioning successfully. Identifying and
managing the risks to records processes and systems is the responsibility of the organization’s records
professional.
This Technical Report is intended to help records professionals and people who have responsibility for
records in their organization to assess the risks related to records processes and systems.
NOTE System means any business application which creates and stores records.
This is distinct from the task of identifying and assessing the organization’s business risks to which
creating and keeping adequate records is one strategic response. The decisions to create or not create
records in response to general business risk are business decisions which should be informed by the
analysis of the organization’s records requirements undertaken by records professionals together with
business managers. The premise of this Technical Report is that the organization has created records
of its business activities to meet operational and other purposes and has established at least minimal
mechanisms for the systematic management and control of the records.
The consequence of risk events to records processes and systems is the loss of, or damage to, records
which are therefore no longer useable, reliable, authentic, complete, or unaltered, and therefore can fail
to meet the organization’s purposes.
The Technical Report provides guidance and examples based on the general risk management process
established in ISO 31000 (see Figure 1) to apply to risks related to records processes and systems. It
covers
a) risk identification,
b) risk analysis, and
c) risk evaluation.
The results of the analysis of risk to records processes and systems should be incorporated into the
organization’s general risk management framework. As a result, the organization will have better
control of its records and their quality for business purposes.
Clause 5 provides a comprehensive list of areas of uncertainty related to records processes and systems
as a guide for risk identification.
Clause 6 provides guidance to determining the consequences and probabilities of identified risk events,
taking into account the presence (or not) and the effectiveness of any existing controls.
Clause 7 provides guidance to determining the significance of the level and type of risks identified.
The report does not deal with risk treatment. Once the assessment of risks related to records processes
and systems has been completed, the assessed risks are documented and communicated to the
organization’s risk management section. Response to the assessed risks is undertaken as part of the
organization’s overall risk management program. The priority assigned by the records professional to
the assessed risks is provided to inform the organization’s decisions about managing those risks.
Figure 1 — Risk Management process
NOTE Figure 1 from ISO 31000:2009. Numbering refers to text of ISO 31000.
TECHNICAL REPORT ISO/TR 18128:2014(E)
Information and documentation — Risk assessment for
records processes and systems
1 Scope
This Technical Report intends to assist organizations in assessing risks to records processes and systems
so they can ensure records continue to meet identified business needs as long as required.
The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and
systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems,
and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
This Technical Report does not address the general risks to an organization’s operations which can be
mitigated by creating records.
This Technical Report can be used by all organizations regardless of size, nature of their activities,
or complexity of their functions and structure. These factors, and the regulatory regime in which the
organization operates which prescribes the creation and control of its records, are taken into account
when identifying and assessing risk related to records and records systems.
Defining an organization or identifying its boundaries should take into account the complex structures
and partnerships and contractual arrangements for outsourcing services and supply chains which are a
common feature of contemporary government and corporate entities. Identifying the boundaries of the
organization is the initial step in defining the scope of the project of risk assessment related to records.
This Technical Report does not address directly the mitigation of risks as methods for these will vary
from organization to organization.
The Technical Report can be used by records professionals or people who have responsibility for records
in their organizations and by auditors or managers who have responsibility for risk management
programs in their organizations.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300:2011, Information and documentation — Management systems for records — Fundamentals
and vocabulary
ISO Guide 73:2009, Risk management — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300, ISO Guide 73 and the
following apply.
3.1 Terms specific to risk
3.1.1
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73:2009, 3.5.1.3) and
consequences (ISO Guide 73:2009, 3.6.1.3) or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood (ISO Guide 73, 3.6.1.1) of occurrence.
[SOURCE: ISO Guide 73:2009, definition 1.1]
3.2 Terms specific to records
3.2.1
records system
information system which captures, manages, and provides access to records through time
Note 1 to entry: This can include business applications or systems which create and maintain records.
[SOURCE: ISO 30300:2011, definition 3.4.4]
3.2.2
records processes
sets of activities by which records are created, controlled, used, kept and disposed of by the organization
4 Risk assessment criteria for the organization
4.1 Assessment of risk
Assessing risks for records processes and systems should be included, where it exists, in the
organization’s general risk management process. In this case, records professionals should take into
account the organization’s external and internal context and the context of the risk management process
itself, including the following:
a) Roles and responsibilities: The role of records professionals in the assessment of risk related to
records processes and systems should be specified.
b) Extent and scope of the risk assessment activities: Relationships with other risk assessment areas,
such as information security, should be made explicit to avoid redundancy and conflicts and enable
an integrated approach to risk assessment which includes records.
c) Methodology: The standard risk assessment methodology should be applied using the available risk
assessment tools and reporting to the designated area or person.
d) Risk criteria: Where general risk criteria for the organization are established, risks related to
records processes and systems should be assessed using these criteria.
Where the organization has not established a general risk management process, records professionals
need to establish the risk criteria applying to records processes and systems prior to the assessment
process.
4.2 Risk criteria
Criteria should be based on the legal requirements for the organization’s jurisdiction and should include
the following:
a) the nature and types of consequences to be included and how they will be measured;
b) the way in which probabilities are to be expressed;
c) how a level of risk will be determined;
d) the criteria by which it will be decided when a risk needs treatment;
e) the criteria for deciding when a risk is acceptable and/or tolerable;
f) whether and how combinations of risks will be taken into account.
Regarding the nature and types of consequences to be included in the risk assessment of records
processes and systems, there is a general starting point which applies to all organizations. Records
which are authentic, reliable, have integrity, and are useable for as long as they are required will support
the needs of the organization. Risks are identified based on their potential to undermine those general
characteristics of records which would make them fail to meet the purposes for which they are created.
For discussion of probability and frequency of events in risk assessment, see 6.2.
Criteria for evaluating risks, including the criteria by which it will be decided when a risk is acceptable
or needs treatment, include the size and reach of the records systems in the organization, the number of
users, and the use made of the system in the operations of the organization.
Similarly, criteria for evaluating risks affecting records processes should include the frequency of the
process, how many systems it is used in, its relative importance in creating or managing records, the
tracking of processes, and the potential for reversing or remedying adverse effects.
4.3 Assignment of priority
Generally, the organization shall determine which records are the core records of its operations and the
level of significance attached to them. These are business decisions based on the advice of both records
professionals and the business managers.
The priority assigned to individual records, their aggregations, records processes, or specific records
systems can also be assessed in relation to responses to major disasters affecting all or many business
operations. For example, first, certain records are needed in the immediate aftermath of a natural
disaster, such as security contacts’ addresses and phone numbers, building/facility entry records,
contact details of disaster plan response teams, and insurance contacts and policy details. Second, the
organization’s business continuity planning should identify the functions which need to be restored
first and the records needed to do so.
Special attention should be paid to where a combination of risks applies to records identified as core
operational.
5 Risk identification
5.1 General
Identification of risks is structured under the following categories: context, systems, and processes
involved in creating and controlling the records of the organization.
The external context of the organization refers to the political and societal, the macro-economic and
technological, and the physical and environmental factors beyond its control, which have an impact
on its operations and are taken into account when determining its records requirements. The external
context includes the external stakeholders, who or which have a particular interest in the organization’s
operations.
The organization also has an internal context which is the internal factors not controlled by the records
professional(s) responsible for the records processes and systems. The internal context includes factors
such as the structure and finances of the organization, the technology it deploys, the resourcing of
activities (people and budgets), and the organization’s culture, all of which influence the policies and
practices for managing records.
Potential events with uncertain effects can be external or internal to the organization.
Uncertain effects caused by change in the external context can differ according to the perspective of
the different levels of the organization (see Figure 2). It is also recognized that all change presents
opportunities which can be positive in effect.
Figure 2 — The multiple layers of context of an organization’s records and records processes
The purpose of risk identification is to identify what can happen or what situations can exist that could
affect the capacity of records to support the needs of the organization.
The risk identification process includes identifying the causes and source of the risk, events, situations,
or circumstances which could have a material impact upon the organization’s objectives and the
nature of that impact. There are numerous methods for risk identification. See IEC 31010, Annex B for a
comparison of major methods.
Identified risks should be documented in a risk register, either in one specific to records or in the
organization’s risk register. See the example given in Annex A.
NOTE Annex B is an example of a checklist based on the structure of Clause 5 which can be used in an
organization to identify risks to records processes and systems systematically.
5.2 Context: External factors
5.2.1 Areas of uncertainty: Changes in political-societal context
Changes in the political and societal climate, nationally and internationally, can affect public attitudes to
government and corporate behaviour. This can bring about legal and regulatory change, which affects
the organization’s operations and, consequently, its records requirements.
Examples of areas of changing public attitudes which can affect records requirements are national
security, access to government and corporate information, privacy, intellectual property rights, and
corporate reporting responsibilities. More generally, examples of areas of uncertainty include the
following:
a) legal and regulatory changes affecting the organization’s records requirements;
b) changes in government policies affecting the organization’s records, records processes, and systems;
c) new standards or codes of practice that affect the organization’s records, records processes, and
systems;
d) changing demand for records services;
e) changing stakeholders’ expectations;
f) changes to reputation of, or trust in, the organization’s ability to deliver its services.
5.2.2 Areas of uncertainty: Macro-economic and technological environment
Changes in the macro-economic, business, and industrial environment and in information technology
have a high impact on competition and customer demand. Change can be gradual and continuous, or
punctuated by crises, and it also constitutes an area of uncertainty which can offer positive opportunities.
Examples of areas of uncertainty arising from such changes to the macro-economic and business
environment include the following:
a) changes in ownership and/or revenues of the organization which affect management priorities
including managing records;
b) changes in the objectives, functions, and operations of the organization, changing records
requirements;
c) increased activity from regulators, increasing external demands for records;
d) increased litigation, increasing demands for records;
e) introduction and adoption of new technologies across society;
EXAMPLES Spread of social media to business use; use of mobile computing devices for business.
f) changes in the market or client base of the organization.
These changes will be reflected in organizational changes which are discussed below (see 5.3.1).
5.2.3 Areas of uncertainty: Physical environment and infrastructure
The possibility of large-scale, natural or man-made disasters affecting the general operations of the
organization is a major area of uncertainty requiring identification and assessment. The potential
damage of such disasters includes direct impact on the records and their storage and the less direct
impact of loss of services upon which the organization depends, for example, water and power supply
and other services. Areas of uncertainty include the following:
a) regional or local destructive or disruptive environmental phenomena such as earthquake,
hurricane/cyclone, tsunami, flood, fire, major storms, or prolonged drought;
b) the potential for acts of war or terrorism to cause major structural damage or disruption to service
supply to premises or vicinity of the organization;
c) other disruption to the organization’s power, water, waste management, information technology,
transport services, or other core utilities and services.
5.2.4 Areas of uncertainty: External security threats
Risk identification shall include hostile external security threats with the potential impacts ranging
from damage to premises or service supply to unauthorised access to systems including records systems.
Examples of external security threats include the following:
a) unauthorised external intrusion/access into records systems and unauthorised changes to records;
b) unidentified security compromise or exploitation of vulnerability that is not monitored and leads to
information degradation;
EXAMPLE Use of spyware or malware and vulnerability from unpatched software security breaches or
weaknesses.
c) physical intrusion into records storage or IT hardware space;
d) denial of services or other intentional attack on Internet services;
e) physical vandalism;
f) loss of third-party services on which the records systems are dependent.
NOTE Risk assessment is an integral element of the implementation of the ISO/IEC 27000 series of International
Standards for information security, which provide extensive coverage of areas of uncertainty related to information
security.
5.3 Context: Internal factors
5.3.1 Areas of uncertainty: Organizational change
Management decisions affecting the organization, such as amalgamations, take-overs and other
acquisitions, restructuring, downsizing, outsourcing (or the reverse) and off-shoring of services, constitute a
significant area of uncertainty in the internal context of the organization. These decisions will affect the
records processes and systems, for example,
a) change of ownership of records and records systems and consequent transfer of records to and
from the organization,
b) change of ownership of records and records systems resulting in forced migration of records or
amalgamations of systems,
c) access arrangements to records systems for continuing right of access to records, following transfers
and migrations,
d) inheritance of responsibility for records and records systems without adequate documentation,
e) loss of personnel or corporate memory affecting knowledge of current records and systems,
including knowledge of procedures to retrieve and use them, and of older records inherited through
organizational change,
f) abandonment of records and records systems, especially legacy systems, where no responsibility is
assigned,
g) change of terms within third-party service contracts,
h) new internal policies or modified existing ones within the organization that affect the records
systems and processes,
i) policies and procedures which have not been reviewed and updated, and are no longer applicable,
or are inconsistent or contradictory following organizational change,
j) changes in organization’s personnel that can affect responsibility for records,
k) changes in personnel policy, training budget, and opportunities that affect the capacity of people
who are responsible for records, and
l) a disaster recovery plan that is not kept up to date, which can affect records in the event of a disaster.
5.3.2 Areas of uncertainty: Technological change
The introduction of new technologies and systems is an opportunity for improvement but also constitutes
an area of uncertainty with potential for adverse effects. The areas of unc
...

TECHNICAL REPORT ISO/TR 18128
First edition
2014-03-15
Information and documentation — Risk assessment for records processes and systems
(French edition; French title: Information et documentation — Evaluation du risque pour les processus et
systèmes d’enregistrement)
Reference number
ISO/TR 18128:2014(F)
© ISO 2014

COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
3.1 Terms specific to risk . 2
3.2 Terms specific to records . 2
4 Risk assessment criteria for the organization . 2
4.1 Assessment of risk . 2
4.2 Risk criteria . 3
4.3 Assignment of priority . 3
5 Risk identification . 4
5.1 General . 4
5.2 Context: External factors . 5
5.3 Context: Internal factors . 7
5.4 Records systems . 9
5.5 Records processes .12
6 Analysing identified risks .14
6.1 General .14
6.2 Likelihood analysis and probability estimation .14
7 Evaluating risks .17
7.1 General .17
7.2 Evaluating the consequences of adverse events .18
7.3 Evaluating the risk .19
8 Communicating the identified risks .21
Annex A (informative) Example of a documented risk entry in a risk register .22
Annex B (informative) Example: checklists for identifying areas of uncertainty .23
Annex C (informative) Guide to using controls from ISO/IEC 27001, Annex A .31
Bibliography .43
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
intellectual property rights or similar rights. ISO shall not be held responsible for identifying any such
rights or for giving notice of their existence. Details of any intellectual property rights or similar rights
identified during the development of the document will be in the Introduction and/or on the ISO list of
patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement or recommendation.
For an explanation of the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT), see the following link: Foreword - Supplementary information
The committee responsible for this document is Technical Committee ISO/TC 46, Information and
documentation, Subcommittee SC 11, Archives/records management.
Introduction
All organizations identify and manage the risks that can affect their successful functioning. Identifying
and managing the risks to records processes and systems is the responsibility of the records professional.
This Technical Report is intended to help records professionals and the people responsible for records
in their organization to assess the risks related to records processes and systems.
NOTE "System" means any business application which creates and stores records.
This is distinct from the task of identifying and assessing the organization’s business risks, to which
creating and keeping adequate records is one strategic response. Decisions on whether or not to create
records in response to general business risk are management decisions which should be informed by
the analysis of the organization’s records requirements; that analysis is carried out by records
professionals together with business managers. This Technical Report rests on the premise that the
organization has created records of its business activities to meet operational or other objectives, and
that it has established at least minimal mechanisms for the systematic management and control of
those records.
For records processes and systems, the consequences of risk events take the form of the loss or
alteration of records which, as a result, are no longer useable, reliable, authentic, complete or unaltered
and which, therefore, may no longer meet the organization’s objectives.
This Technical Report provides guidance and examples based on the general risk management process
defined in ISO 31000 (see Figure 1), to be applied to risks related to records processes and systems. It
covers
a) risk identification,
b) risk analysis, and
c) risk evaluation.
The results of the analysis of risks related to records processes and systems should be integrated into
the organization’s general risk management framework. In doing so, the organization will have better
control of its records and of their quality for the needs of its business.
Clause 5 presents a comprehensive list of areas of uncertainty related to records processes and systems,
serving as a guide for risk identification.
Clause 6 gives guidance on determining the consequences and probabilities of the identified risk events,
taking into account the presence (or absence) and the effectiveness of existing controls.
Clause 7 gives guidance on determining the significance of the level and type of risk identified.
This report does not address risk treatment. Once the assessment of the risks related to records
processes and systems is complete, the assessed risks are documented and communicated to the
organization’s risk management function. The response to the assessed risks falls within the
organization’s overall risk management programme. The records professional assigns a priority to the
assessed risks to inform the organization’s decisions on managing those risks.
© ISO 2014 – Tous droits réservés v

---------------------- Page: 5 ----------------------
ISO/TR 18128:2014(F)

Figure 1 — Risk management process
NOTE Figure 1 is taken from ISO 31000:2009. The numbering refers to the text of ISO 31000.
TECHNICAL REPORT ISO/TR 18128:2014(F)
Information and documentation — Risk assessment for records processes and systems
1 Scope
This Technical Report intends to assist organizations in assessing risks related to records processes and systems so they can ensure that records meet identified business needs as long as required.
The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems, and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation measures.
This Technical Report does not address the general risks to an organization's operations which can be mitigated by creating records.
This Technical Report can be used by all organizations regardless of size, nature of their activities, or complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates and which prescribes the creation and control of its records, are taken into account when identifying and assessing risks related to records and records systems.
Defining an organization or identifying its boundaries should take into account the complex structures, partnerships and contractual arrangements for outsourced services and supply chains which are, today, a common feature of public and private entities. Identifying the boundaries of the organization is the first step in defining the scope of the records risk assessment project.
This Technical Report does not address directly the mitigation of risks, as methods for this vary from organization to organization.
This Technical Report can be used by records professionals or people responsible for records in their organization, and by auditors or managers responsible for risk management programs in their organization.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300:2011, Information and documentation — Management systems for records — Fundamentals and vocabulary
ISO Guide 73:2009, Risk management — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300, ISO Guide 73 and the following apply.
3.1 Terms specific to risk
3.1.1
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected, positive and/or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequences, or its likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73, 3.5.1.3) and consequences (ISO Guide 73, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and its likelihood (ISO Guide 73, 3.6.1.1).
[SOURCE: ISO Guide 73:2009, definition 1.1]
3.2 Terms specific to records
3.2.1
records system
information system which captures, organizes, manages and provides access to records through time
Note 1 to entry: This can include business applications or systems which create and preserve records.
[SOURCE: ISO 30300:2011, definition 3.4.4]
3.2.2
records process
set of activities by which an organization creates, controls, uses, keeps and disposes of records
4 Risk assessment criteria for the organization
4.1 Assessment of risk
Assessing risks for records processes and systems should be included in the organization's general risk management process, where one exists. In this case, records professionals should take into account the organization's external and internal context, as well as the context of the risk management process itself, including:
a) roles and responsibilities: the role of records professionals in the assessment of risk related to records processes and systems should be specified;
b) extent and scope of the risk assessment activities: to avoid redundancy and conflicts and to enable an integrated approach to risk assessment which includes records, relationships with other risk assessment areas, such as information security, should be made explicit;
c) methodology: a standardized risk assessment methodology should be applied, using the existing risk assessment tools and reporting to the designated group of people;
d) risk criteria: where the organization has general risk criteria, risks related to records processes and systems should be assessed using those criteria.
Where the organization has no general risk management process, records professionals need to establish the risk criteria applying to records processes and systems prior to the assessment process.
4.2 Risk criteria
Criteria should be based on the regulatory requirements in force in the organization's jurisdiction and should include:
a) the nature and types of consequences to be included, and how they will be measured;
b) the way in which probabilities are to be expressed;
c) the method for determining the level of risk;
d) the criteria for deciding when a risk needs treatment;
e) the criteria for deciding whether a risk is acceptable and/or tolerable;
f) the conditions and method for taking combinations of risks into account.
Regarding the nature and types of consequences to be included in the risk assessment of records processes and systems, there is a general starting point which applies to all organizations. Only records which are authentic, reliable, have integrity and are useable for as long as required will meet the needs of the organization. Risks are identified based on their potential to undermine those general characteristics of records, making the records unfit for the purposes for which they were created.
For the analysis of probability and frequency of events in risk assessment, see 6.2.
Criteria for evaluating risks, including the criteria for deciding whether a risk is acceptable or needs treatment, include the size and reach of the organization's records systems, the number of users and the use made of the system in the organization's operations.
Similarly, criteria for evaluating risks affecting records processes should include the frequency of the process, the number of systems in which it is used, its relative importance in creating or managing records, the tracking of processes, and its potential for reversing or remedying adverse effects.
4.3 Assignment of priority
Generally, the organization shall determine which records are core records for its operations and the level of significance attached to them. These are business decisions based on the advice of records professionals and business managers.
The priority assigned to individual records, their aggregations, records processes or specific records systems can also be assessed in relation to responses to major disasters affecting all or part of the organization's operations. For example, in the first instance, certain records are needed immediately after a natural disaster, such as the addresses and telephone numbers of security contacts, records of entries to the plant/building, contact details of the disaster plan response teams, insurance contacts and policy details. In the second instance, the organization's business continuity planning should identify the functions which must be restored first and the records which make this possible.
Particular attention should be paid to situations in which a combination of risks concerns records identified as essential to the organization's operations.
5 Risk identification
5.1 General
Risk identification is structured according to the following categories: the context, the systems and the processes involved in the creation and control of the organization's records.
The organization's external context refers to the political and societal, macro-economic and technological, physical and environmental factors beyond its control which nevertheless affect its operations and which are taken into account when determining its records requirements. The external context includes external stakeholders with a particular interest in the organization's operations.
The organization also has an internal context, namely the internal factors beyond the control of the records professional(s) responsible for records processes and systems. The internal context comprises factors such as the organization's structure and finances, the technology it deploys, its resources (human and budgetary) and the organization's culture, all of which influence records management policies and practices.
Potential events with uncertain effects can be external or internal to the organization.
The uncertain effects caused by a change in the external context can differ depending on the viewpoint of the different levels of the organization (see Figure 2). It is also recognized that any change brings opportunities which can have a positive effect.
Figure 2 — Multiple elements of context influencing an organization's records and records processes
The aim of risk identification is to identify what can happen, or the kind of situation which can arise, that could affect the ability of records to meet the organization's needs.
The risk identification process encompasses identifying the causes and source of the risk, the events, situations or circumstances which could have material consequences for the organization's objectives, and the nature of those consequences. There are many risk identification methods. For a comparison of the main methods, see IEC 31010:2009, Annex B.
Identified risks should be documented, either in a risk register specific to records or in the organization's risk register. See the example provided in Annex A.
NOTE Annex B is an example of a checklist, based on the structure of Clause 5, which an organization can use to identify systematically the risks related to records processes and systems.
5.2 Context: External factors
5.2.1 Areas of uncertainty: Changes in the political and social context
Changes in the political and social climate, at national or international level, can affect the evolution of attitudes towards government and towards corporate behaviour. This can bring about legal and regulatory reforms which affect the organization's operations and, consequently, its records requirements.
National security, access to government or corporate information, protection of personal data, intellectual property rights and corporate reporting responsibilities are examples of areas of changing attitudes which can affect records requirements. More generally, examples of areas of uncertainty include:
a) legal and regulatory changes affecting the organization's records requirements;
b) changes in government policies affecting the organization's records, records processes and systems;
c) new standards or codes of practice affecting the organization's records, records processes and systems;
d) a change in the demand for records services;
e) a change in stakeholder expectations;
f) changes affecting the reputation of, or the trust placed in, an organization's ability to deliver its services.
5.2.2 Areas of uncertainty: Macro-economic and technological environment
Changes in the macro-economic, commercial and industrial environment, as well as in the information technology sector, have major consequences for competition and customer expectations. Changes can occur gradually and continuously or abruptly, as a result of crises, but they constitute an area of uncertainty which can present positive opportunities.
Examples of areas of uncertainty resulting from changes in the macro-economic and commercial environment include:
a) changes in the ownership and/or financial resources of the organization affecting management priorities, including the management of records;
b) changes in the organization's objectives, functions and operations, leading to changes in records requirements;
c) increased activity by regulators, leading to increased external demands for records;
d) increased litigation, leading to increased requests for records;
e) the introduction and adoption of new technologies within society;
EXAMPLES The expansion of social media for business purposes; the use of devices in
...

SLOVENIAN STANDARD
oSIST-TP ISO/TR 18128:2016
1 December 2016
Information and documentation – Risk assessment for records processes and records management systems
Information and documentation -- Risk assessment for records processes and systems
Information et documentation -- Evaluation du risque pour les processus et systèmes d'enregistrement
This Slovenian standard is identical to: ISO/TR 18128:2014
ICS:
01.140.20 Information sciences
03.100.01 Company organization and management in general
oSIST-TP ISO/TR 18128:2016 en
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

TECHNICAL REPORT ISO/TR 18128
First edition
2014-03-15
Information and documentation —
Risk assessment for records processes
and systems
Information et documentation — Evaluation du risque pour les
processus et systèmes d’enregistrement
Reference number ISO/TR 18128:2014(E)
© ISO 2014

COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved

Contents
Foreword ..... iv
Introduction ..... v
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 2
3.1 Terms specific to risk ..... 2
3.2 Terms specific to records ..... 2
4 Risk assessment criteria for the organization ..... 2
4.1 Assessment of risk ..... 2
4.2 Risk criteria ..... 3
4.3 Assignment of priority ..... 3
5 Risk identification ..... 3
5.1 General ..... 3
5.2 Context: External factors ..... 5
5.3 Context: Internal factors ..... 6
5.4 Records systems ..... 8
5.5 Records processes ..... 11
6 Analysing identified risks ..... 12
6.1 General ..... 12
6.2 Likelihood analysis and probability estimation ..... 13
7 Evaluating risks ..... 15
7.1 General ..... 15
7.2 Evaluating impact of adverse events ..... 16
7.3 Evaluating the risk ..... 16
8 Communicating the identified risks ..... 17
Annex A (informative) Example of a documented risk entry in a risk register ..... 19
Annex B (informative) Example: checklists for identifying areas of uncertainty ..... 20
Annex C (informative) Guide to using controls from ISO/IEC 27001, Annex A ..... 27
Bibliography ..... 37
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 46, Information and documentation, Subcommittee
SC 11, Archives/records management.
Introduction
All organizations identify and manage the risks to their functioning successfully. Identifying and
managing the risks to records processes and systems is the responsibility of the organization’s records
professional.
This Technical Report is intended to help records professionals and people who have responsibility for
records in their organization to assess the risks related to records processes and systems.
NOTE System means any business application which creates and stores records.
This is distinct from the task of identifying and assessing the organization’s business risks to which
creating and keeping adequate records is one strategic response. The decisions to create or not create
records in response to general business risk are business decisions which should be informed by the
analysis of the organization’s records requirements undertaken by records professionals together with
business managers. The premise of this Technical Report is that the organization has created records
of its business activities to meet operational and other purposes and has established at least minimal
mechanisms for the systematic management and control of the records.
The consequence of risk events to records processes and systems is the loss of, or damage to, records
which are therefore no longer useable, reliable, authentic, complete, or unaltered, and therefore can fail
to meet the organization’s purposes.
The Technical Report provides guidance and examples based on the general risk management process
established in ISO 31000 (see Figure 1) to apply to risks related to records processes and systems. It
covers
a) risk identification,
b) risk analysis, and
c) risk evaluation.
The results of the analysis of risk to records processes and systems should be incorporated into the
organization’s general risk management framework. As a result, the organization will have better
control of its records and their quality for business purposes.
Clause 5 provides a comprehensive list of areas of uncertainty related to records processes and systems
as a guide for risk identification.
Clause 6 provides guidance to determining the consequences and probabilities of identified risk events,
taking into account the presence (or not) and the effectiveness of any existing controls.
Clause 7 provides guidance to determining the significance of the level and type of risks identified.
The report does not deal with risk treatment. Once the assessment of risks related to records processes
and systems has been completed, the assessed risks are documented and communicated to the
organization’s risk management section. Response to the assessed risks is undertaken as part of the
organization’s overall risk management program. The priority assigned by the records professional to
the assessed risks is provided to inform the organization’s decisions about managing those risks.
Figure 1 — Risk Management process
NOTE Figure 1 from ISO 31000:2009. Numbering refers to text of ISO 31000.
TECHNICAL REPORT ISO/TR 18128:2014(E)
Information and documentation — Risk assessment for
records processes and systems
1 Scope
This Technical Report intends to assist organizations in assessing risks to records processes and systems
so they can ensure records continue to meet identified business needs as long as required.
The report
a) establishes a method of analysis for identifying risks related to records processes and systems,
b) provides a method of analysing the potential effects of adverse events on records processes and
systems,
c) provides guidelines for conducting an assessment of risks related to records processes and systems,
and
d) provides guidelines for documenting identified and assessed risks in preparation for mitigation.
This Technical Report does not address the general risks to an organization’s operations which can be
mitigated by creating records.
This Technical Report can be used by all organizations regardless of size, nature of their activities,
or complexity of their functions and structure. These factors, and the regulatory regime in which the
organization operates which prescribes the creation and control of its records, are taken into account
when identifying and assessing risk related to records and records systems.
Defining an organization or identifying its boundaries should take into account the complex structures
and partnerships and contractual arrangements for outsourcing services and supply chains which are a
common feature of contemporary government and corporate entities. Identifying the boundaries of the
organization is the initial step in defining the scope of the project of risk assessment related to records.
This Technical Report does not address directly the mitigation of risks as methods for these will vary
from organization to organization.
The Technical Report can be used by records professionals or people who have responsibility for records
in their organizations and by auditors or managers who have responsibility for risk management
programs in their organizations.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300:2011, Information and documentation — Management systems for records — Fundamentals
and vocabulary
ISO Guide 73:2009, Risk management — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300, ISO Guide 73 and the
following apply.
3.1 Terms specific to risk
3.1.1
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73:2009, 3.5.1.3) and
consequences (ISO Guide 73:2009, 3.6.1.3) or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood (ISO Guide 73, 3.6.1.1) of occurrence.
[SOURCE: ISO Guide 73:2009, definition 1.1]
3.2 Terms specific to records
3.2.1
records system
information system which captures, manages, and provides access to records through time
Note 1 to entry: This can include business applications or systems which create and maintain records.
[SOURCE: ISO 30300:2011, definition 3.4.4]
3.2.2
records processes
sets of activities by which records are created, controlled, used, kept and disposed of by the organization
4 Risk assessment criteria for the organization
4.1 Assessment of risk
Assessing risks for records processes and systems should be included, where it exists, in the
organization’s general risk management process. In this case, records professionals should take into
account the organization’s external and internal context and the context of the risk management process
itself, including the following:
a) Roles and responsibilities: The role of records professionals in the assessment of risk related to
records processes and systems should be specified.
b) Extent and scope of the risk assessment activities: Relationships with other risk assessment areas,
such as information security, should be made explicit to avoid redundancy and conflicts and enable
an integrated approach to risk assessment which includes records.
c) Methodology: The standard risk assessment methodology should be applied using the available risk
assessment tools and reporting to the designated area or person.
d) Risk criteria: Where general risk criteria for the organization are established, risks related to
records processes and systems should be assessed using these criteria.
Where the organization has not established a general risk management process, records professionals
need to establish the risk criteria applying to records processes and systems prior to the assessment
process.
4.2 Risk criteria
Criteria should be based on the legal requirements for the organization’s jurisdiction and should include
the following:
a) the nature and types of consequences to be included and how they will be measured;
b) the way in which probabilities are to be expressed;
c) how a level of risk will be determined;
d) the criteria by which it will be decided when a risk needs treatment;
e) the criteria for deciding when a risk is acceptable and/or tolerable;
f) whether and how combinations of risks will be taken into account.
Regarding the nature and types of consequences to be included in the risk assessment of records
processes and systems, there is a general starting point which applies to all organizations. Records
which are authentic, reliable, have integrity, and are useable for as long as they are required will support
the needs of the organization. Risks are identified based on their potential to undermine those general
characteristics of records which would make them fail to meet the purposes for which they are created.
For discussion of probability and frequency of events in risk assessment, see 6.2.
Criteria for evaluating risks, including the criteria by which it will be decided when a risk is acceptable
or needs treatment, include the size and reach of the records systems in the organization, the number of
users, and the use made of the system in the operations of the organization.
Similarly, criteria for evaluating risks affecting records processes should include the frequency of the
process, how many systems it is used in, its relative importance in creating or managing records, the
tracking of processes, and the potential for reversing or remedying adverse effects.
4.3 Assignment of priority
Generally, the organization shall determine which records are the core records of its operations and the
level of significance attached to them. These are business decisions based on the advice of both records
professionals and the business managers.
The priority assigned to individual records, their aggregations, records processes, or specific records
systems can also be assessed in relation to responses to major disasters affecting all or many business
operations. For example, first, certain records are needed in the immediate aftermath of a natural
disaster, such as security contacts’ addresses and phone numbers, building/facility entry records,
contact details of disaster plan response teams, and insurance contacts and policy details. Second, the
organization’s business continuity planning should identify the functions which need to be restored
first and the records needed to do so.
Special attention should be paid to where a combination of risks applies to records identified as core
operational.
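As an added illustration of how the criteria in 4.2 (consequence, probability, level of risk, treatment and acceptance thresholds, combinations of risks) and the priority of core records in 4.3 can be applied to a records risk register, the following Python is example code written for this page, not part of the Technical Report or of Annex A. The 1-to-5 scales, the thresholds, and the sample register entries are constructed assumptions.

```python
from dataclasses import dataclass

# Characteristics records must keep (4.2): scored 1..5 per characteristic.
CHARACTERISTICS = ("authenticity", "reliability", "integrity", "usability")
# Constructed criteria (assumption): level = probability x worst consequence; treat >= 10, accept <= 4 (4.2 d, e).
TREATMENT_THRESHOLD, ACCEPTABLE_LEVEL = 10, 4


@dataclass
class RecordsRisk:
    risk_id: str
    category: str       # "context", "systems" or "processes" (5.1)
    aggregation: str    # records aggregation or system the risk applies to
    description: str
    probability: int    # 1 (rare) .. 5 (almost certain), 4.2 b)
    consequence: dict   # characteristic -> severity 1..5, 4.2 a)
    core: bool = False  # core operational records (4.3)

    def level(self) -> int:  # level of risk, 4.2 c)
        return self.probability * max(self.consequence.get(c, 0) for c in CHARACTERISTICS)

    def evaluation(self) -> str:  # decision against criteria 4.2 d) and e)
        if self.level() >= TREATMENT_THRESHOLD:
            return "treat"
        return "accept" if self.level() <= ACCEPTABLE_LEVEL else "tolerate"


def register_report(risks):
    """Evaluate every entry; where core records carry more than one risk that is
    not acceptable, the combination (4.2 f, 4.3) escalates 'tolerate' to 'treat'."""
    by_agg = {}
    for r in risks:
        by_agg.setdefault(r.aggregation, []).append(r)
    report = {}
    for entries in by_agg.values():
        combined = sum(1 for r in entries if r.evaluation() != "accept")
        for r in entries:
            decision = r.evaluation()
            if r.core and combined > 1 and decision == "tolerate":
                decision = "treat"
            report[r.risk_id] = (r.level(), decision)
    return report


# Constructed sample entries, one per Clause 5 category.
SAMPLE_REGISTER = [
    RecordsRisk("R1", "context", "disaster response contacts",
                "loss of power or IT services (5.2.3)", 2, {"usability": 4}, core=True),
    RecordsRisk("R2", "systems", "disaster response contacts",
                "unauthorised change to records (5.2.4)", 2, {"integrity": 4}, core=True),
    RecordsRisk("R3", "processes", "internal newsletters",
                "new code of practice changes requirements (5.2.1)", 3, {"reliability": 1}),
]
```

Run `register_report(SAMPLE_REGISTER)`: R1 and R2 each score 8 and would be tolerated on their own, but because both apply to the same core records they are escalated to treatment, while R3 scores 3 and is accepted.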
5 Risk identification
5.1 General
Identification of risks is structured under the following categories: context, systems, and processes
involved in creating and controlling the records of the organization.
The external context of the organization refers to the political and societal, the macro-economic and
technological, and the physical and environmental factors beyond its control, which have an impact
on its operations and are taken into account when determining its records requirements. The external
context includes the external stakeholders, who or which have a particular interest in the organization’s
operations.
The organization also has an internal context, consisting of the internal factors not controlled by the records
professional(s) responsible for the records processes and systems. The internal context includes factors
such as the structure and finances of the organization, the technology it deploys, the resourcing of
activities (people and budgets), and the organization’s culture, all of which influence the policies and
practices for managing records.
Potential events with uncertain effects can be external or internal to the organization.
Uncertain effects caused by change in the external context can differ according to the perspective of
the different levels of the organization (see Figure 2). It is also recognized that all change presents
opportunities which can be positive in effect.
Figure 2 — The multiple layers of context of an organization’s records and records processes
The purpose of risk identification is to identify what can happen or what situations can exist that could
affect the capacity of records to support the needs of the organization.
The risk identification process includes identifying the causes and sources of the risk, events, situations,
or circumstances which could have a material impact upon the organization’s objectives and the
nature of that impact. There are numerous methods for risk identification. See IEC 31010, Annex B for a
comparison of major methods.
Identified risks should be documented in a risk register, either in one specific to records or in the
organization’s risk register. See the example given in Annex A.
NOTE Annex B is an example of a checklist based on the structure of Clause 5 which can be used in an
organization to identify risks to records processes and systems systematically.
5.2 Context: External factors
5.2.1 Areas of uncertainty: Changes in political-societal context
Changes in the political and societal climate, nationally and internationally, can affect public attitudes to
governments’ and corporate behaviour. This can bring about legal and regulatory change, which impacts
the organization’s operations and, consequently, its records requirements.
Examples of areas of changing public attitudes which can affect records requirements are national
security, access to government and corporate information, privacy, intellectual property rights, and
corporate reporting responsibilities. More generally, examples of areas of uncertainty include the
following:
a) legal and regulatory changes affecting the organization’s records requirements;
b) changes in government policies affecting the organization’s records, records processes, and systems;
c) new standards or codes of practice that affect the organization’s records, records processes, and
systems;
d) changing demand for records services;
e) changing stakeholders’ expectations;
f) changes to reputation of, or trust in, the organization’s ability to deliver its services.
5.2.2 Areas of uncertainty: Macro-economic and technological environment
Changes in the macro-economic, business, and industrial environment and in information technology
have high impact on competition and customer demand. Change can be gradual and continuous, or
punctuated by crises, but also constitutes an area of uncertainty which can offer positive opportunities.
Examples of areas of uncertainty arising from such changes to the macro-economic and business
environment include the following:
a) changes in ownership and/or revenues of the organization which affect management priorities
including managing records;
b) changes in the objectives, functions, and operations of the organization, changing records
requirements;
c) increased activity from regulators, increasing external demands for records;
d) increased litigation, increasing demands for records;
e) introduction and adoption of new technologies across society;
EXAMPLES Spread of social media to business use; use of mobile computing devices for business.
f) changes in the market or client base of the organization.
These changes will be reflected in organizational changes which are discussed below (see 5.3.1).
5.2.3 Areas of uncertainty: Physical environment and infrastructure
The possibility of large-scale, natural or man-made disasters affecting the general operations of the
organization is a major area of uncertainty requiring identification and assessment. The potential
damage from such disasters includes direct impact on the records and their storage and the less direct
impact of loss of services upon which the organization depends, for example, water and power supply
and other services. Areas of uncertainty include the following:
a) regional or local destructive or disruptive environmental phenomena such as earthquake,
hurricane/cyclone, tsunami, flood, fire, major storms, or prolonged drought;
b) the potential for acts of war or terrorism to cause major structural damage or disruption to service
supply to premises or vicinity of the organization;
c) other disruption to the organization’s power, water, waste management, information technology,
transport services, or other core utilities and services.
5.2.4 Areas of uncertainty: External security threats
Risk identification shall include hostile external security threats with the potential impacts ranging
from damage to premises or service supply to unauthorised access to systems including records systems.
Examples of external security threats include the following:
a) unauthorised external intrusion/access into records systems and unauthorised changes to records;
b) unidentified security compromise or exploitation of vulnerability that is not monitored and leads to
information degradation;
EXAMPLE Use of spyware or malware and vulnerability from unpatched software security breaches or
weaknesses.
c) physical intrusion into records storage or IT hardware space;
d) denial of services or other intentional attack on Internet services;
e) physical vandalism;
f) loss of third-party services on which the records systems are dependent.
NOTE Risk assessment is an integral element of the implementation of ISO/IEC 27000 series of International
Standards for information security. They provide extensive coverage of areas of uncertainty related to information
security.
5.3 Context: Internal factors
5.3.1 Areas of uncertainty: Organizational change
Management decisions affecting the organization, such as amalgamations, take-overs, and other
acquisitions, restructuring, downsizing, outsourcing or its reverse, and off-shoring of services, constitute a
significant area of uncertainty in the internal context of the organization. These decisions will affect the
records processes and systems, for example,
a) change of ownership of records and records systems and consequent transfer of records to and
from the organization,
b) change of ownership of records and records systems resulting in forced migration of records or
amalgamations of systems,
c) access arrangements to records systems for continuing right of access to records, following transfers
and migrations,
d) inheritance of responsibility for records and records systems without adequate documentation,
e) loss of personnel or corporate memory affecting knowledge of current records and systems,
including knowledge of procedures to retrieve and use them, and of older record
...