Information and documentation -- Appraisal for managing records

This document provides guidance on how to carry out appraisal for managing records. It describes some of the products and outcomes that can be delivered using the results of appraisal. As such, this document describes a practical application of the concept of appraisal outlined in ISO 15489-1.
This document:
a) lists some of the main purposes for appraisal;
b) describes the importance of establishing scope for appraisal;
c) explains how to analyse business functions and develop an understanding of their context;
d) explains how to identify records requirements;
e) describes the relationships between records requirements, business functions and work processes;
f) explains how to use risk assessment for making decisions related to records;
g) lists options for documenting the results of appraisal;
h) describes possible uses for the results of appraisal; and
i) explains the importance of monitoring and review of the execution of appraisal decisions.
This document can be used by all organizations regardless of size, nature of their business activities, or the complexity of their functions and structure.

Information et documentation -- Evaluation dans le cadre de (pour) la gestion des documents d'activité

Le pr�sent document fournit des recommandations concernant la mani�re de r�aliser une �valuation dans le cadre de la gestion des documents d'activit�. Il d�crit certains des produits et r�sultats qu'il est possible de mettre en œuvre dans le sillage de l'�valuation. Ainsi, le pr�sent document d�crit une application pratique du concept d'�valuation d�crit dans l'ISO 15489‑1.
Le pr�sent document:
a) �tablit une liste des principaux objectifs de l'�valuation;
b) d�crit l'importance de l'�tablissement du p�rim�tre de l'�valuation;
c) explique comment analyser les fonctions de chaque activit� et comprendre leur contexte;
d) explique comment identifier les exigences relatives aux documents d'activit�;
e) d�crit les relations entre les exigences relatives aux documents d'activit�, les fonctions et les processus de travail;
f) explique comment utiliser l'appr�ciation des risques pour prendre des d�cisions li�es aux documents d'activit�;
g) �tablit la liste des options de documentation des r�sultats de l'�valuation;
h) d�crit les utilisations possibles des r�sultats de l'�valuation; et
i) explique l'importance de la surveillance et de la revue de la mise en pratique des d�cisions suite � l'�valuation.
Le pr�sent document peut �tre utilis� par tous les organismes, ind�pendamment de leur taille, de la nature de leurs activit�s ou de la complexit� de leurs fonctions et de leur structure.

Informatika in dokumentacija - Ocenjevanje upravljanja zapisov

General Information

Status
Published
Publication Date
14-Jan-2021
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
08-Dec-2020
Due Date
12-Feb-2021
Completion Date
15-Jan-2021

Buy Standard

Technical report
SIST-TP ISO/TR 21946:2021 - BARVE na PDF-str 10
English language
23 pages
sale 10% off
Preview
sale 10% off
Preview

e-Library read for
1 day
Technical report
ISO/TR 21946:2018 - Information and documentation -- Appraisal for managing records
English language
18 pages
sale 15% off
Preview
sale 15% off
Preview
Technical report
ISO/TR 21946:2018 - Information et documentation -- Evaluation dans le cadre de la gestion des documents d'activité
French language
22 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

SLOVENSKI STANDARD
SIST-TP ISO/TR 21946:2021
01-februar-2021
Informatika in dokumentacija - Ocenjevanje upravljanja zapisov
Information and documentation -- Appraisal for managing records

Information et documentation -- Evaluation dans le cadre de (pour) la gestion des

documents d'activité
Ta slovenski standard je istoveten z: ISO/TR 21946:2018
ICS:
01.140.20 Informacijske vede Information sciences
SIST-TP ISO/TR 21946:2021 en,fr

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST-TP ISO/TR 21946:2021
---------------------- Page: 2 ----------------------
SIST-TP ISO/TR 21946:2021
TECHNICAL ISO/TR
REPORT 21946
First edition
2018-11
Information and documentation —
Appraisal for managing records
Information et documentation — Evaluation dans le cadre de (pour)
la gestion des documents d'activité
Reference number
ISO/TR 21946:2018(E)
ISO 2018
---------------------- Page: 3 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved
---------------------- Page: 4 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Appraisal process ................................................................................................................................................................................................ 2

5 Information gathering and analysis ................................................................................................................................................. 3

5.1 General ........................................................................................................................................................................................................... 3

5.2 Determining the scope of appraisal ...................................................................................................................................... 4

5.3 Determining who to involve in the appraisal process ........................................................................................... 4

5.4 Information gathering ...................................................................................................................................................................... 5

5.5 Analysis of the business context .............................................................................................................................................. 6

5.6 Analysis of the technological context .................................................................................................................................. 6

5.7 Functional analysis .............................................................................................................................................................................. 7

5.8 Sequential analysis .............................................................................................................................................................................. 7

5.9 Identification of agents .................................................................................................................................................................... 7

5.10 Identification of business critical areas ............................................................................................................................. 8

5.11 Determining records requirements ...................................................................................................................................... 9

5.11.1 General...................................................................................................................................................................................... 9

5.11.2 Business needs for records ..................................................................................................................................... 9

5.11.3 Legal and regulatory requirements for records .................................................................................10

5.11.4 Community or societal expectations for records ..............................................................................10

6 Assessment and implementation .....................................................................................................................................................11

6.1 General ........................................................................................................................................................................................................11

6.2 Linking records requirements to business functions and work processes .....................................11

6.3 Assessment and treatment of risks associated with the implementation of records

requirements .........................................................................................................................................................................................13

6.4 Documentation of the appraisal process .......................................................................................................................15

6.5 Using the results of the appraisal process ....................................................................................................................16

7 Monitoring ...............................................................................................................................................................................................................17

8 Review and corrective action ...............................................................................................................................................................17

Bibliography .............................................................................................................................................................................................................................18

© ISO 2018 – All rights reserved iii
---------------------- Page: 5 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso

.org/iso/foreword .html.

This document was prepared by Technical Committee ISO/TC 46, Information and documentation,

Subcommittee SC 11, Archives/records management.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2018 – All rights reserved
---------------------- Page: 6 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
Introduction

Appraisal for managing records is the recurrent process of evaluating business activities to determine

which records need to be created and captured as well as how and how long the records need to be

kept. It combines an understanding of business activities and their contexts with

— the identification of business needs, regulatory requirements and societal expectations relating to

records, and

— the assessment of opportunities and risks associated with the creation and management records.

Regular, systematic appraisal for managing records has a range of benefits, including:

— compliance with legal/regulatory requirements for records;

— satisfaction of business needs in managing records, and providing for timely disposition of records;

— identification of requirements for continuing retention of records as archives;

— implementation of measures to protect and manage records according to their level of criticality for

the organization and/or their retention requirements;
— improvement of organizational efficiency through proper use of resources;
— the effective management of risk related to records;

— greater accountability for decisions about the creation, capture and management of records.

In some records and archives management traditions, appraisal for managing records is solely used as

an instrument to identify retention requirements for records or to create a disposition authority. The

concept of appraisal as described in ISO 15489-1 is, however, meant to be used in a broader way. It can

be used to identify different types of requirements related to creating, capturing and managing records

over time and to implement them in ways that are suited to changing contexts. In this way, appraisal

can support accountability and more efficient business.

The results of appraisal can be used in the development of policies, systems and processes, as well as to

develop a range of records controls. These controls include metadata schemas, business classification

schemes, access and permissions rules and disposition authorities. In some jurisdictions, appraisal for

managing records, or parts of it, can be required by law or regulation as a precursor to the development

of such tools.

Appraisal is a strategic and proactive approach to the creation, capture and management of records,

rather than a reactive one.

Appraisal is accountable and consultative, and, in certain cases, should be conducted in partnership

with stakeholders with interests in the creation, capture and management of particular classes of

records.

The advice on appraisal for managing records in this document can be used if an organization is

implementing a management system for records (MSR) following ISO 30301. In the management

system standards approach, appraisal can help to meet requirements related to the “Context of the

organization” and “Operational planning”.
© ISO 2018 – All rights reserved v
---------------------- Page: 7 ----------------------
SIST-TP ISO/TR 21946:2021
---------------------- Page: 8 ----------------------
SIST-TP ISO/TR 21946:2021
TECHNICAL REPORT ISO/TR 21946:2018(E)
Information and documentation — Appraisal for
managing records
1 Scope

This document provides guidance on how to carry out appraisal for managing records. It describes

some of the products and outcomes that can be delivered using the results of appraisal. As such, this

document describes a practical application of the concept of appraisal outlined in ISO 15489-1.

This document:
a) lists some of the main purposes for appraisal;
b) describes the importance of establishing scope for appraisal;

c) explains how to analyse business functions and develop an understanding of their context;

d) explains how to identify records requirements;

e) describes the relationships between records requirements, business functions and work processes;

f) explains how to use risk assessment for making decisions related to records;
g) lists options for documenting the results of appraisal;
h) describes possible uses for the results of appraisal; and

i) explains the importance of monitoring and review of the execution of appraisal decisions.

This document can be used by all organizations regardless of size, nature of their business activities, or

the complexity of their functions and structure.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 15489-1, Information and documentation — Part 1: Concepts and principles
3 Terms and definitions

For the purposes of this document, terms and definitions given in ISO 15489-1 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
© ISO 2018 – All rights reserved 1
---------------------- Page: 9 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
4 Appraisal process

Appraisal for managing records involves analysis of context(s) in which business activities occur, in

order to
— determine records requirements,

— understand which areas of business are regarded, by stakeholders, as critical to achieving agreed

goals in an organizations, and
— identify and assess risks related to records.

The results of the appraisal process should be used to proactively design records controls and processes

to best support business activities and technologies in order to ensure agreed records requirements

are met over time.

Appraisal for managing records considers the needs of the agents directly involved in the business

activities, but also related internal and external stakeholders and wider societal needs. In this way,

management of records for both business and other purposes can be designed cohesively.

The context in which business is conducted, the business activities themselves as well as their records

requirements, and risk identification will change over time. As a result, appraisal for managing records

is a necessarily recurrent activity.

The representation of appraisal activities shown in Figure 1 reflects the continuous cycle of this work, as

needs and circumstances affecting the creation, capture and management of records change over time.

NOTE Appraisal for managing records is a continuous improvement cycle.
Figure 1 — Recurrent appraisal for managing records

The results of the appraisal process can be used to achieve benefits in a variety of areas, such as in

legal compliance, risk management, information security, protection of privacy, reuse of information

or the protection of archival records. It could also be used as a means to determine which records can

be made available to the public, in support of the implementation of public information disclosure laws

and regulations.
2 © ISO 2018 – All rights reserved
---------------------- Page: 10 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
Certain events could trigger appraisal for managing records.
For example, when there are new
— entities being established,

— legal and regulatory requirements, changes in legal practice and law enforcement, or contractual

obligations,
— technologies and systems, or

— arrangements for managing records such as cross jurisdictional collaborations on shared projects.

Or, changes such as
— organizational structures or mergers,
— new or altered regulatory requirements,
— new or altered business functions or activities, or

— changes in public expectations regarding the management of records of the organization concerned,

including new expectations regarding access and usability.

Issues relating to the creation and management of records, such as missing records (which should

have been created), unauthorized access to records, or unauthorized disposal of records could also be

triggers for a process of appraisal.

The frequency and scale in which appraisal for managing records is carried out will vary from one case

to the next. For example, an organization with a very stable regulatory framework and business that

rarely change could conduct appraisal less frequently than one that is subject to frequent change. The

appraisal process can be modified in scale or scope, depending on the desired outcome (see 5.2).

Appraisal for managing records is conducted in a consistent and accountable way. This means:

— conducting appraisal with a clear mandate and authorization;

— keeping documentation of the research, analysis and consultation with stakeholders done as part of

the process, as records;
— being consistent in decisions, and using past decisions to check precedents;
— justifying decisions made and keeping documentation of such justifications.
5 Information gathering and analysis
5.1 General

The appraisal process comprises a number of types of analysis, which can be carried out consecutively

or simultaneously. They include the following:

— achieving an understanding of the context in which the appraisal work is being conducted, including

organizational, technological and business-related features;
— analysis of the business functions themselves;

— analysis of requirements for records from a business, legal and societal point of view;

— identification and analysis of risks that are associated with the creation, capture and management

of records.
© ISO 2018 – All rights reserved 3
---------------------- Page: 11 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)

Some types of analysis, such as an analysis of the business context, may already have been carried

out by other disciplines in the organization, such as information security. It is recommended to check

whether the required analysis has been carried out already and whether the results obtained can be

reused for the purpose of appraisal.

It is important to note that the identification of risk occurs throughout the appraisal process in three

different ways:

— when looking at the organizational context in which the process is occurring, internal and external

risks affecting the organization and its stakeholders can be identified;

— during the analysis of business activity in relation to particular functions, activities or work

processes during the analysis of business activity. For example, the risks associated with poor

management of records of citizen-centric public services or with personally identifiable information

could be greater than those associated with other administrative activities;

— during the identification of the risks that could be managed through meeting identified records

requirements.

After the identification of risks, an analysis and evaluation should be done (in accordance with risk

management practices of the organization, if these exist). This assists in making decisions about how

requirements should be met, and the appropriate investment of resources to do so. This aspect of the

assessment and treatment of risk is further described in 6.3.

The results of analysis conducted in appraisal for managing records can be used to develop other tools

and resources that are valuable in the creation, capture and management of records (see 6.5).

5.2 Determining the scope of appraisal

Each time an appraisal process is commenced, its scope needs to be clearly defined. The events

triggering appraisal and the role and responsibility of the person(s) doing the appraisal will directly

influence its scope. In turn, the scope of appraisal will influence the kind of agents involved in the

process. For instance, a scope with a strong societal focus will require a larger involvement of external

agents in comparison to a scope with a strong business focus alone, which would require expanded

involvement of business representatives. The scope of appraisal may change in terms of the business

functions and activities it covers, or the parts of the analysis that receive the greatest attention.

EXAMPLE 1 An appraisal process could be carried out by a manager responsible for a business system that is

being replaced. The system supports a single function but one that is performed by a number of organizational

entities, working collaboratively online. Here, the scope is limited to the one function but considers the contexts

of each of the participating organizational entities, their risks and requirements.

EXAMPLE 2 In the process of a merger, an organization’s functions are analysed in order to make decisions

regarding migration of records to new systems and other matters such as the integration of disposition

authorities. The scope of the appraisal process here would need to cover the business functions of both entities.

EXAMPLE 3 An appraisal process that is being carried out with a view to defining records requirements for

inclusion in the specifications of a new business system would involve a greater emphasis on the analysis of the

business functions supported by the system, as opposed to appraisal that is done with a view to developing a

disposition authority that covers all of an organization’s business.

EXAMPLE 4 An appraisal process that is carried out in order to develop disposition rules across an entire

jurisdiction, with a view to the identification of classes of records to be retained as archives, will have a broad

scope encompassing a high level analysis of business context, functions and activities, requirements and risk

across the entire jurisdiction. This is to ensure consistency in decisions made. In some cases, such appraisal is

carried out in one stage covering the entire jurisdiction, and in others in multiple stages, in conjunction with

organizations within the jurisdiction.
5.3 Determining who to involve in the appraisal process

Appraisal for managing records is fundamental to the work of records professionals, making them the

most appropriate group to plan and lead appraisal activities.
4 © ISO 2018 – All rights reserved
---------------------- Page: 12 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)

Other individuals or groups should be involved in one or more steps of the appraisal process. The

involvement of others will depend on the purpose and scope of the appraisal process, and the focus of

the analysis. These will include internal agents and stakeholders, such as
— business representatives,
— legal representatives,
— senior/top management,
— governance bodies such as boards of directors or audit boards,

— allied information management professionals such as privacy officers, librarians, preservation

specialists or those responsible for data and transparency,
— communications professionals, and/or
— information technology specialists.

External agents and stakeholders should also be consulted or involved as appropriate. These may

include people and groups such as
— shareholders,
— customers or clients,
— external audit or regulatory authorities,
— subject matter experts, members of professional associations or academics,
— representatives of archival institutions,
— transparency advocates,
— privacy experts,
— information security experts,
— people or groups affected by government or corporate activities, and/or

— individuals who are the subjects of records, such as individuals who have been under the care of the

state when they were children, or individuals who have received aid and services from governments.

5.4 Information gathering

Appraisal for managing records relies on the identification of stakeholders and other sources of

information which contain information on the business and technological context, business functions,

risks and requirements. Such sources and stakeholders should be recorded as they are identified, as

part of an accountable, well-documented appraisal process.

Documentary sources relating to, as well as stakeholders in the business functions should be identified,

as these are sources of information for the analysis. Such sources and stakeholders should be used

for various types of analysis conducted throughout an appraisal process. Examples of documentary

sources include
— structural charts,
— risk registers,
— enterprise architecture documents,
— reports to governing authorities or stakeholders,
— systems documentation,
© ISO 2018 – All rights reserved 5
---------------------- Page: 13 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
— audit reports,
— records of interviews with business representatives or other stakeholders,
— media reporting, and/or
— inventories of existing systems used for managing records.
Examples of stakeholders could include:

— the groups and individuals identified as needing to be involved in the appraisal for managing records

process (see 5.3),

— managers, information technology professionals and organizational staff directly involved in the

business that is in scope, or
— customers/clients affected by the business that is in scope.
5.5 Analysis of the business context

In appraisal for managing records, analysis is done to gain understanding of the business context in

which business activity takes place. Documentary sources and interviews with the stakeholders that

have been identified as part of the information gathering should be used as the basis for the analysis.

Specific subjects of analysis should be the internal and external factors affecting the operations of the

organization, and could include:
— the behaviour and strategic directions of the business entity;
— the operational, legal and other requirements which apply to it;
— its resourcing;
— stakeholder requirements;
— broad risks that it should manage;
— at a high level, the functions and work processes that it performs.

The outcomes of the analysis of the business context should be documented and reviewed periodically

to ensure that changes in the environment are identified and assessed. Source documents for the

analysis and any authorizations should be retained as records, as such documentation supports and

provides justification for appraisal decision-making.
5.6 Analysis of the technological context

An analysis of existing technologies in use provides a view of the opportunities and constraints

for future methods and tools for creating and managing records, and should assist in making

implementable appraisal decisions. It can also inform design and implementation choices for the tools

and resources developed using the results of appraisal (see 6.5). Using the documentary sources and

stakeholders identified to be relevant for this purpose, the following factors could be taken into account

to understand the existing technological environment:

— technologies that are maintained solely by the organization, as well as technologies used for

collaboration with other parties;
— use of existing (legacy) systems;
— use of outsourced services, such as cloud-based technologies;
— technical standards required to be implemented, or preferred;
6 © ISO 2018 – All rights reserved
---------------------- Page: 14 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)

— the range of formats that information, including records, is processed and retained in;

— available knowledge of existing technologies, systems and standards, used both within the

organization and out
...

TECHNICAL ISO/TR
REPORT 21946
First edition
2018-11
Information and documentation —
Appraisal for managing records
Information et documentation — Evaluation dans le cadre de (pour)
la gestion des documents d'activité
Reference number
ISO/TR 21946:2018(E)
ISO 2018
---------------------- Page: 1 ----------------------
ISO/TR 21946:2018(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/TR 21946:2018(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Appraisal process ................................................................................................................................................................................................ 2

5 Information gathering and analysis ................................................................................................................................................. 3

5.1 General ........................................................................................................................................................................................................... 3

5.2 Determining the scope of appraisal ...................................................................................................................................... 4

5.3 Determining who to involve in the appraisal process ........................................................................................... 4

5.4 Information gathering ...................................................................................................................................................................... 5

5.5 Analysis of the business context .............................................................................................................................................. 6

5.6 Analysis of the technological context .................................................................................................................................. 6

5.7 Functional analysis .............................................................................................................................................................................. 7

5.8 Sequential analysis .............................................................................................................................................................................. 7

5.9 Identification of agents .................................................................................................................................................................... 7

5.10 Identification of business critical areas ............................................................................................................................. 8

5.11 Determining records requirements ...................................................................................................................................... 9

5.11.1 General...................................................................................................................................................................................... 9

5.11.2 Business needs for records ..................................................................................................................................... 9

5.11.3 Legal and regulatory requirements for records .................................................................................10

5.11.4 Community or societal expectations for records ..............................................................................10

6 Assessment and implementation .....................................................................................................................................................11

6.1 General ........................................................................................................................................................................................................11

6.2 Linking records requirements to business functions and work processes .....................................11

6.3 Assessment and treatment of risks associated with the implementation of records

requirements .........................................................................................................................................................................................13

6.4 Documentation of the appraisal process .......................................................................................................................15

6.5 Using the results of the appraisal process ....................................................................................................................16

7 Monitoring ...............................................................................................................................................................................................................17

8 Review and corrective action ...............................................................................................................................................................17

Bibliography .............................................................................................................................................................................................................................18

© ISO 2018 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/TR 21946:2018(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso

.org/iso/foreword .html.

This document was prepared by Technical Committee ISO/TC 46, Information and documentation,

Subcommittee SC 11, Archives/records management.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2018 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/TR 21946:2018(E)
Introduction

Appraisal for managing records is the recurrent process of evaluating business activities to determine

which records need to be created and captured as well as how and how long the records need to be

kept. It combines an understanding of business activities and their contexts with

— the identification of business needs, regulatory requirements and societal expectations relating to

records, and

— the assessment of opportunities and risks associated with the creation and management records.

Regular, systematic appraisal for managing records has a range of benefits, including:

— compliance with legal/regulatory requirements for records;

— satisfaction of business needs in managing records, and providing for timely disposition of records;

— identification of requirements for continuing retention of records as archives;

— implementation of measures to protect and manage records according to their level of criticality for

the organization and/or their retention requirements;
— improvement of organizational efficiency through proper use of resources;
— the effective management of risk related to records;

— greater accountability for decisions about the creation, capture and management of records.

In some records and archives management traditions, appraisal for managing records is solely used as

an instrument to identify retention requirements for records or to create a disposition authority. The

concept of appraisal as described in ISO 15489-1 is, however, meant to be used in a broader way. It can

be used to identify different types of requirements related to creating, capturing and managing records

over time and to implement them in ways that are suited to changing contexts. In this way, appraisal

can support accountability and more efficient business.

The results of appraisal can be used in the development of policies, systems and processes, as well as to

develop a range of records controls. These controls include metadata schemas, business classification

schemes, access and permissions rules and disposition authorities. In some jurisdictions, appraisal for

managing records, or parts of it, can be required by law or regulation as a precursor to the development

of such tools.

Appraisal is a strategic and proactive approach to the creation, capture and management of records,

rather than a reactive one.

Appraisal is accountable and consultative, and, in certain cases, should be conducted in partnership

with stakeholders with interests in the creation, capture and management of particular classes of

records.

The advice on appraisal for managing records in this document can be used if an organization is

implementing a management system for records (MSR) following ISO 30301. In the management

system standards approach, appraisal can help to meet requirements related to the “Context of the

organization” and “Operational planning”.
© ISO 2018 – All rights reserved v
---------------------- Page: 5 ----------------------
TECHNICAL REPORT ISO/TR 21946:2018(E)
Information and documentation — Appraisal for
managing records
1 Scope

This document provides guidance on how to carry out appraisal for managing records. It describes

some of the products and outcomes that can be delivered using the results of appraisal. As such, this

document describes a practical application of the concept of appraisal outlined in ISO 15489-1.

This document:
a) lists some of the main purposes for appraisal;
b) describes the importance of establishing scope for appraisal;

c) explains how to analyse business functions and develop an understanding of their context;

d) explains how to identify records requirements;

e) describes the relationships between records requirements, business functions and work processes;

f) explains how to use risk assessment for making decisions related to records;
g) lists options for documenting the results of appraisal;
h) describes possible uses for the results of appraisal; and

i) explains the importance of monitoring and review of the execution of appraisal decisions.

This document can be used by all organizations regardless of size, nature of their business activities, or

the complexity of their functions and structure.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 15489-1, Information and documentation — Part 1: Concepts and principles
3 Terms and definitions

For the purposes of this document, terms and definitions given in ISO 15489-1 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
© ISO 2018 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/TR 21946:2018(E)
4 Appraisal process

Appraisal for managing records involves analysis of context(s) in which business activities occur, in

order to
— determine records requirements,

— understand which areas of business are regarded, by stakeholders, as critical to achieving agreed

goals in an organizations, and
— identify and assess risks related to records.

The results of the appraisal process should be used to proactively design records controls and processes

to best support business activities and technologies in order to ensure agreed records requirements

are met over time.

Appraisal for managing records considers the needs of the agents directly involved in the business

activities, but also related internal and external stakeholders and wider societal needs. In this way,

management of records for both business and other purposes can be designed cohesively.

The context in which business is conducted, the business activities themselves as well as their records

requirements, and risk identification will change over time. As a result, appraisal for managing records

is a necessarily recurrent activity.

The representation of appraisal activities shown in Figure 1 reflects the continuous cycle of this work, as

needs and circumstances affecting the creation, capture and management of records change over time.

NOTE Appraisal for managing records is a continuous improvement cycle.
Figure 1 — Recurrent appraisal for managing records

The results of the appraisal process can be used to achieve benefits in a variety of areas, such as in

legal compliance, risk management, information security, protection of privacy, reuse of information

or the protection of archival records. It could also be used as a means to determine which records can

be made available to the public, in support of the implementation of public information disclosure laws

and regulations.
2 © ISO 2018 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/TR 21946:2018(E)
Certain events could trigger appraisal for managing records.
For example, when there are new
— entities being established,

— legal and regulatory requirements, changes in legal practice and law enforcement, or contractual

obligations,
— technologies and systems, or

— arrangements for managing records such as cross jurisdictional collaborations on shared projects.

Or, changes such as
— organizational structures or mergers,
— new or altered regulatory requirements,
— new or altered business functions or activities, or

— changes in public expectations regarding the management of records of the organization concerned,

including new expectations regarding access and usability.

Issues relating to the creation and management of records, such as missing records (which should

have been created), unauthorized access to records, or unauthorized disposal of records could also be

triggers for a process of appraisal.

The frequency and scale in which appraisal for managing records is carried out will vary from one case

to the next. For example, an organization with a very stable regulatory framework and business that

rarely change could conduct appraisal less frequently than one that is subject to frequent change. The

appraisal process can be modified in scale or scope, depending on the desired outcome (see 5.2).

Appraisal for managing records is conducted in a consistent and accountable way. This means:

— conducting appraisal with a clear mandate and authorization;

— keeping documentation of the research, analysis and consultation with stakeholders done as part of

the process, as records;
— being consistent in decisions, and using past decisions to check precedents;
— justifying decisions made and keeping documentation of such justifications.
5 Information gathering and analysis
5.1 General

The appraisal process comprises a number of types of analysis, which can be carried out consecutively

or simultaneously. They include the following:

— achieving an understanding of the context in which the appraisal work is being conducted, including

organizational, technological and business-related features;
— analysis of the business functions themselves;

— analysis of requirements for records from a business, legal and societal point of view;

— identification and analysis of risks that are associated with the creation, capture and management

of records.
© ISO 2018 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/TR 21946:2018(E)

Some types of analysis, such as an analysis of the business context, may already have been carried

out by other disciplines in the organization, such as information security. It is recommended to check

whether the required analysis has been carried out already and whether the results obtained can be

reused for the purpose of appraisal.

It is important to note that the identification of risk occurs throughout the appraisal process in three

different ways:

— when looking at the organizational context in which the process is occurring, internal and external

risks affecting the organization and its stakeholders can be identified;

— during the analysis of business activity in relation to particular functions, activities or work

processes during the analysis of business activity. For example, the risks associated with poor

management of records of citizen-centric public services or with personally identifiable information

could be greater than those associated with other administrative activities;

— during the identification of the risks that could be managed through meeting identified records

requirements.

After the identification of risks, an analysis and evaluation should be done (in accordance with risk

management practices of the organization, if these exist). This assists in making decisions about how

requirements should be met, and the appropriate investment of resources to do so. This aspect of the

assessment and treatment of risk is further described in 6.3.

The results of analysis conducted in appraisal for managing records can be used to develop other tools

and resources that are valuable in the creation, capture and management of records (see 6.5).

5.2 Determining the scope of appraisal

Each time an appraisal process is commenced, its scope needs to be clearly defined. The events

triggering appraisal and the role and responsibility of the person(s) doing the appraisal will directly

influence its scope. In turn, the scope of appraisal will influence the kind of agents involved in the

process. For instance, a scope with a strong societal focus will require a larger involvement of external

agents in comparison to a scope with a strong business focus alone, which would require expanded

involvement of business representatives. The scope of appraisal may change in terms of the business

functions and activities it covers, or the parts of the analysis that receive the greatest attention.

EXAMPLE 1 An appraisal process could be carried out by a manager responsible for a business system that is

being replaced. The system supports a single function but one that is performed by a number of organizational

entities, working collaboratively online. Here, the scope is limited to the one function but considers the contexts

of each of the participating organizational entities, their risks and requirements.

EXAMPLE 2 In the process of a merger, an organization’s functions are analysed in order to make decisions

regarding migration of records to new systems and other matters such as the integration of disposition

authorities. The scope of the appraisal process here would need to cover the business functions of both entities.

EXAMPLE 3 An appraisal process that is being carried out with a view to defining records requirements for

inclusion in the specifications of a new business system would involve a greater emphasis on the analysis of the

business functions supported by the system, as opposed to appraisal that is done with a view to developing a

disposition authority that covers all of an organization’s business.

EXAMPLE 4 An appraisal process that is carried out in order to develop disposition rules across an entire

jurisdiction, with a view to the identification of classes of records to be retained as archives, will have a broad

scope encompassing a high level analysis of business context, functions and activities, requirements and risk

across the entire jurisdiction. This is to ensure consistency in decisions made. In some cases, such appraisal is

carried out in one stage covering the entire jurisdiction, and in others in multiple stages, in conjunction with

organizations within the jurisdiction.
5.3 Determining who to involve in the appraisal process

Appraisal for managing records is fundamental to the work of records professionals, making them the

most appropriate group to plan and lead appraisal activities.
4 © ISO 2018 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/TR 21946:2018(E)

Other individuals or groups should be involved in one or more steps of the appraisal process. The

involvement of others will depend on the purpose and scope of the appraisal process, and the focus of

the analysis. These will include internal agents and stakeholders, such as
— business representatives,
— legal representatives,
— senior/top management,
— governance bodies such as boards of directors or audit boards,

— allied information management professionals such as privacy officers, librarians, preservation

specialists or those responsible for data and transparency,
— communications professionals, and/or
— information technology specialists.

External agents and stakeholders should also be consulted or involved as appropriate. These may

include people and groups such as
— shareholders,
— customers or clients,
— external audit or regulatory authorities,
— subject matter experts, members of professional associations or academics,
— representatives of archival institutions,
— transparency advocates,
— privacy experts,
— information security experts,
— people or groups affected by government or corporate activities, and/or

— individuals who are the subjects of records, such as individuals who have been under the care of the

state when they were children, or individuals who have received aid and services from governments.

5.4 Information gathering

Appraisal for managing records relies on the identification of stakeholders and other sources of

information which contain information on the business and technological context, business functions,

risks and requirements. Such sources and stakeholders should be recorded as they are identified, as

part of an accountable, well-documented appraisal process.

Documentary sources relating to, as well as stakeholders in the business functions should be identified,

as these are sources of information for the analysis. Such sources and stakeholders should be used

for various types of analysis conducted throughout an appraisal process. Examples of documentary

sources include
— structural charts,
— risk registers,
— enterprise architecture documents,
— reports to governing authorities or stakeholders,
— systems documentation,
© ISO 2018 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/TR 21946:2018(E)
— audit reports,
— records of interviews with business representatives or other stakeholders,
— media reporting, and/or
— inventories of existing systems used for managing records.
Examples of stakeholders could include:

— the groups and individuals identified as needing to be involved in the appraisal for managing records

process (see 5.3),

— managers, information technology professionals and organizational staff directly involved in the

business that is in scope, or
— customers/clients affected by the business that is in scope.
5.5 Analysis of the business context

In appraisal for managing records, analysis is done to gain understanding of the business context in

which business activity takes place. Documentary sources and interviews with the stakeholders that

have been identified as part of the information gathering should be used as the basis for the analysis.

Specific subjects of analysis should be the internal and external factors affecting the operations of the

organization, and could include:
— the behaviour and strategic directions of the business entity;
— the operational, legal and other requirements which apply to it;
— its resourcing;
— stakeholder requirements;
— broad risks that it should manage;
— at a high level, the functions and work processes that it performs.

The outcomes of the analysis of the business context should be documented and reviewed periodically

to ensure that changes in the environment are identified and assessed. Source documents for the

analysis and any authorizations should be retained as records, as such documentation supports and

provides justification for appraisal decision-making.
5.6 Analysis of the technological context

An analysis of existing technologies in use provides a view of the opportunities and constraints

for future methods and tools for creating and managing records, and should assist in making

implementable appraisal decisions. It can also inform design and implementation choices for the tools

and resources developed using the results of appraisal (see 6.5). Using the documentary sources and

stakeholders identified to be relevant for this purpose, the following factors could be taken into account

to understand the existing technological environment:

— technologies that are maintained solely by the organization, as well as technologies used for

collaboration with other parties;
— use of existing (legacy) systems;
— use of outsourced services, such as cloud-based technologies;
— technical standards required to be implemented, or preferred;
6 © ISO 2018 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/TR 21946:2018(E)

— the range of formats that information, including records, is processed and retained in;

— available knowledge of existing technologies, systems and standards, used both within the

organization and outside its perimeter.

The outcomes of the analysis of the technological context should be documented and reviewed

periodically to ensure that changes in the environment are identified and assessed. Source documents

for the analysis and any authorizations should be retained as records, as such documentation supports

and provides justification for appraisal decision-making.
5.7 Functional analysis

Functional analysis is a top-down hierarchical analysis starting with strategic goals and purpose,

and then identifying the functions and activities which support them. At its lowest level, a functional

analysis identifies transactions, which are the smallest parts of work processes.

NOTE Basic steps for undertaking functional analysis are described in ISO TR 26122.

The purpose of this type of analysis is to create a picture of a function through groupings of business

activities and transactions that could be linked to their business context, in order to identify relevant

risks and records requirements.
The outcomes of a functional analysis should be verified in consultati
...

RAPPORT ISO/TR
TECHNIQUE 21946
Première édition
2018-11
Information et documentation —
Evaluation dans le cadre de la gestion
des documents d'activité
Information and documentation — Appraisal for managing records
Numéro de référence
ISO/TR 21946:2018(F)
ISO 2018
---------------------- Page: 1 ----------------------
ISO/TR 21946:2018(F)
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO 2018

Tous droits réservés. Sauf prescription différente ou nécessité dans le contexte de sa mise en œuvre, aucune partie de cette

publication ne peut être reproduite ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique,

y compris la photocopie, ou la diffusion sur l’internet ou sur un intranet, sans autorisation écrite préalable. Une autorisation peut

être demandée à l’ISO à l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.

ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Genève
Tél.: +41 22 749 01 11
Fax: +41 22 749 09 47
E-mail: copyright@iso.org
Web: www.iso.org
Publié en Suisse
ii © ISO 2018 – Tous droits réservés
---------------------- Page: 2 ----------------------
ISO/TR 21946:2018(F)
Sommaire Page

Avant-propos ..............................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Domaine d'application ................................................................................................................................................................................... 1

2 Références normatives ................................................................................................................................................................................... 1

3 Termes et définitions ....................................................................................................................................................................................... 1

4 Processus d'évaluation .................................................................................................................................................................................. 2

5 Collecte et analyse d'informations ..................................................................................................................................................... 4

5.1 Généralités .................................................................................................................................................................................................. 4

5.2 Détermination du périmètre de l'évaluation ................................................................................................................ 5

5.3 Choix des personnes à impliquer dans le processus d'évaluation ............................................................. 6

5.4 Collecte d'informations .................................................................................................................................................................... 6

5.5 Analyse du contexte de l'activité ............................................................................................................................................. 7

5.6 Analyse du contexte technologique....................................................................................................................................... 7

5.7 Analyse fonctionnelle ........................................................................................................................................................................ 8

5.8 Analyse séquentielle........................................................................................................................................................................... 8

5.9 Identification des agents ................................................................................................................................................................ 8

5.10 Identification des secteurs d'activité critiques ........................................................................................................... 9

5.11 Détermination des exigences relatives aux documents d'activité ...........................................................10

5.11.1 Généralités .........................................................................................................................................................................10

5.11.2 Besoins de l'activité en documents d'activité ......................................................................................10

5.11.3 Exigences juridiques et règlementaires relatives aux documents d'activité ............11

5.11.4 Attentes de la société ou de la communauté concernant les documents

d'activité ...............................................................................................................................................................................12

6 Évaluation et mise en œuvre .................................................................................................................................................................13

6.1 Généralités ...............................................................................................................................................................................................13

6.2 Liens entre les exigences relatives aux documents d'activité et les fonctions et

processus de travail .........................................................................................................................................................................13

6.3 Évaluation et traitement des risques associés à la mise en œuvre d'exigences

relatives aux documents d'activité .....................................................................................................................................15

6.4 Documentation du processus d'évaluation .................................................................................................................18

6.5 Utilisation des résultats du processus d'évaluation ............................................................................................19

7 Surveillance ............................................................................................................................................................................................................20

8 Revue et action corrective .......................................................................................................................................................................20

Bibliographie ...........................................................................................................................................................................................................................22

© ISO 2018 – Tous droits réservés iii
---------------------- Page: 3 ----------------------
ISO/TR 21946:2018(F)
Avant-propos

L'ISO (Organisation internationale de normalisation) est une fédération mondiale d'organismes

nationaux de normalisation (comités membres de l'ISO). L'élaboration des Normes internationales est

en général confiée aux comités techniques de l'ISO. Chaque comité membre intéressé par une étude

a le droit de faire partie du comité technique créé à cet effet. Les organisations internationales,

gouvernementales et non gouvernementales, en liaison avec l'ISO participent également aux travaux.

L'ISO collabore étroitement avec la Commission électrotechnique internationale (IEC) en ce qui

concerne la normalisation électrotechnique.

Les procédures utilisées pour élaborer le présent document et celles destinées à sa mise à jour sont

décrites dans les Directives ISO/IEC, Partie 1. Il convient, en particulier de prendre note des différents

critères d'approbation requis pour les différents types de documents ISO. Le présent document a été

rédigé conformément aux règles de rédaction données dans les Directives ISO/IEC, Partie 2 (voir www

.iso .org/directives).

L'attention est attirée sur le fait que certains des éléments du présent document peuvent faire l'objet de

droits de propriété intellectuelle ou de droits analogues. L'ISO ne saurait être tenue pour responsable

de ne pas avoir identifié de tels droits de propriété et averti de leur existence. Les détails concernant

les références aux droits de propriété intellectuelle ou autres droits analogues identifiés lors de

l'élaboration du document sont indiqués dans l'Introduction et/ou dans la liste des déclarations de

brevets reçues par l'ISO (voir www .iso .org/brevets).

Les appellations commerciales éventuellement mentionnées dans le présent document sont données

pour information, par souci de commodité, à l'intention des utilisateurs et ne sauraient constituer un

engagement.

Pour une explication de la nature volontaire des normes, la signification des termes et expressions

spécifiques de l'ISO liés à l'évaluation de la conformité, ou pour toute information au sujet de l'adhésion

de l'ISO aux principes de l'Organisation mondiale du commerce (OMC) concernant les obstacles

techniques au commerce (OTC), voir le lien suivant: www .iso .org/iso/foreword .html.

Le présent document a été élaboré par le comité technique ISO/TC 46, Information et documentation,

sous-comité SC 11, Archives/Gestion des documents d'activité.

Il convient que l'utilisateur adresse tout retour d'information ou toute question concernant le présent

document à l'organisme national de normalisation de son pays. Une liste exhaustive desdits organismes

se trouve à l'adresse www .iso .org/members .html.
iv © ISO 2018 – Tous droits réservés
---------------------- Page: 4 ----------------------
ISO/TR 21946:2018(F)
Introduction

L'évaluation dans le cadre de la gestion des documents d'activité est le processus récurrent qui consiste

à évaluer les activités professionnelles afin de déterminer les documents d'activité qu'il est nécessaire

de créer et de capturer, et de définir la méthode et la durée de conservation desdits documents. Elle

associe la compréhension des activités professionnelles et de leur contexte

— à l'identification des besoins de l'activité, des exigences règlementaires ainsi que des attentes de la

société par rapport aux documents d'activité, et

— à l'analyse des perspectives et à l’appréciation des risques liés à la création et à la gestion de

documents d'activité.

L'évaluation régulière et systématique de la gestion des documents d'activité présente un certain

nombre d'avantages, notamment:

— assurer la conformité des documents d'activité aux exigences juridiques/réglementaires;

— répondre aux besoins de l'activité dans le cadre de la gestion des documents d'activité et décider du

sort final des documents d'activité en temps voulu;

— identifier les exigences en matière de conservation permanente des documents d'activité en tant

qu'archives;

— mettre en place des mesures afin de protéger et de gérer les documents d'activité selon leur niveau

de criticité pour l'organisme et/ou selon les exigences de conservation auxquelles ils sont soumis;

— améliorer l'efficacité organisationnelle grâce à la bonne utilisation des ressources;

— gérer efficacement les risques liés aux documents d'activité;

— accroître la capacité à rendre compte de décisions concernant la création, la capture et la gestion

des documents d'activité.

Selon certaines pratiques classiques de gestion des documents d'activité et des archives, l'évaluation

dans le cadre de la gestion des documents d'activité est uniquement utilisée en tant qu'instrument pour

identifier les exigences de conservation des documents d'activité ou créer un référentiel de gestion

des documents. Le concept d'évaluation tel que décrit dans l'ISO 15489-1 a cependant vocation à être

utilisé de façon plus large. Il peut servir à identifier différents types d'exigences relatives à la création,

la capture et la gestion des documents d'activité dans le temps et à les mettre en œuvre de façon

appropriée à des contextes évolutifs. Ainsi, l'évaluation peut renforcer la capacité à rendre compte et

rendre l'activité plus efficace.

Les résultats de l'évaluation peuvent servir à l'élaboration de politiques, de systèmes et de processus,

ainsi qu'au développement d’une série de contrôles des documents d'activité. Ces contrôles comprennent

des référentiels de métadonnées, des plans de classement fonctionnel, des règles d'accès et d'habilitation

et des référentiels de gestion des documents. Dans certaines juridictions, l'évaluation dans le cadre de

la gestion des documents d'activité, ou d'une partie de ces derniers, peut être exigée par la loi ou un

règlement avant le développement de tels outils.

L'évaluation est une approche stratégique et proactive de la création, de la capture et de la gestion des

documents d'activité, et non une approche réactive.

L'évaluation est affaire de responsabilité et de consultation et, dans certains cas, il convient qu'elle soit

menée en collaboration avec les parties prenantes intéressées par la création, la capture et la gestion de

classes particulières de documents d'activité.

Les recommandations relatives à l'évaluation dans le cadre de la gestion des documents d'activité dans

le présent document peuvent être utilisées si un organisme met en place un système de gestion des

documents d'activité (SGDA) conforme aux dispositions de l'ISO 30301. Selon l'approche normalisée

© ISO 2018 – Tous droits réservés v
---------------------- Page: 5 ----------------------
ISO/TR 21946:2018(F)

relative aux systèmes de gestion, l'évaluation peut aider à respecter les exigences liées au «contexte de

l'organisme» et à la «planification opérationnelle».
vi © ISO 2018 – Tous droits réservés
---------------------- Page: 6 ----------------------
RAPPORT TECHNIQUE ISO/TR 21946:2018(F)
Information et documentation — Evaluation dans le cadre
de la gestion des documents d'activité
1 Domaine d'application

Le présent document fournit des recommandations concernant la manière de réaliser une évaluation

dans le cadre de la gestion des documents d'activité. Il décrit certains des produits et résultats qu'il

est possible de mettre en œuvre dans le sillage de l'évaluation. Ainsi, le présent document décrit une

application pratique du concept d’évaluation décrit dans l'ISO 15489-1.
Le présent document:
a) établit une liste des principaux objectifs de l'évaluation;
b) décrit l'importance de l’établissement du périmètre de l'évaluation;

c) explique comment analyser les fonctions de chaque activité et comprendre leur contexte;

d) explique comment identifier les exigences relatives aux documents d'activité;

e) décrit les relations entre les exigences relatives aux documents d'activité, les fonctions et les

processus de travail;

f) explique comment utiliser l'appréciation des risques pour prendre des décisions liées aux

documents d'activité;
g) établit la liste des options de documentation des résultats de l'évaluation;
h) décrit les utilisations possibles des résultats de l'évaluation; et

i) explique l'importance de la surveillance et de la revue de la mise en pratique des décisions suite à

l'évaluation.

Le présent document peut être utilisé par tous les organismes, indépendamment de leur taille, de la

nature de leurs activités ou de la complexité de leurs fonctions et de leur structure.

2 Références normatives

Les documents suivants cités dans le texte constituent, pour tout ou partie de leur contenu, des

exigences du présent document. Pour les références datées, seule l'édition citée s'applique. Pour les

références non datées, la dernière édition du document de référence s'applique (y compris les éventuels

amendements).

ISO 15489-1, Information et documentation — Gestion des documents d’activité — Partie 1: Concepts et

principes
3 Termes et définitions

Pour les besoins du présent document, les termes et définitions de l'ISO 15489-1 s'appliquent.

L'ISO et l'IEC tiennent à jour des bases de données terminologiques destinées à être utilisées en

normalisation, consultables aux adresses suivantes:

— ISO Online browsing platform: disponible à l'adresse https: //www .iso .org/obp

— IEC Electropedia: disponible à l'adresse http: //www .electropedia .org/
© ISO 2018 – Tous droits réservés 1
---------------------- Page: 7 ----------------------
ISO/TR 21946:2018(F)
4 Processus d'évaluation

L'évaluation dans le cadre de la gestion des documents d'activité implique l'analyse du ou des contextes

au sein desquels les activités sont menées, afin:
— de déterminer les exigences relatives aux documents d'activité;

— de comprendre quels domaines d'activité sont considérés, par les parties prenantes, comme critiques

pour atteindre les objectifs fixés par un organisme; et
— d'identifier et d’apprécier les risques liés aux documents d'activité.

Il convient que les résultats du processus d'évaluation soient utilisés pour concevoir de façon proactive

des contrôles et processus liés aux documents d'activité pour soutenir au mieux les activités et les

technologies afin de garantir le respect des exigences convenues relatives aux documents d'activité

dans le temps.

L'évaluation dans le cadre de la gestion des documents d'activité prend en compte les besoins des agents

directement impliqués dans les activités, mais aussi les besoins des parties prenantes internes et

externes concernées et les besoins plus larges de la société. De cette manière, la gestion des documents

d'activité à des fins organisationnelles ou autres peut être élaborée de façon cohérente.

Le contexte dans lequel l'activité est menée, les opérations en elles-mêmes, les exigences relatives aux

documents d'activité et l'identification des risques évolueront avec le temps. Par conséquent, l'évaluation

dans le cadre de la gestion des documents d'activité est une activité nécessairement récurrente.

La représentation des activités d'évaluation à la Figure 1 reflète le cycle continu de cette tâche, à mesure

que les besoins et les circonstances qui influent sur la création, la capture et la gestion des documents

d'activité changent au fil du temps.
2 © ISO 2018 – Tous droits réservés
---------------------- Page: 8 ----------------------
ISO/TR 21946:2018(F)

NOTE L'évaluation dans le cadre de la gestion des documents d'activité constitue un cycle d'amélioration

continue.

Figure 1 — Évaluation récurrente dans le cadre de la gestion des documents d'activité

Les résultats du processus d'évaluation peuvent être synonymes d'améliorations dans plusieurs

domaines, tels que la conformité règlementaire, la gestion des risques, la sécurité des informations,

la protection de la confidentialité, la réutilisation des informations ou la protection des documents

d'activité archivés. Ils peuvent également être utilisés pour déterminer quels documents d'activité

peuvent être rendus publics, dans le cadre de l'application des lois et règlements sur la divulgation

d'informations au grand public.

Certains événements peuvent donner lieu à une évaluation dans le cadre de la gestion des documents

d'activité.
Par exemple, lorsque:
— la mise en place de nouvelles entités;

— l’introduction de nouvelles exigences juridiques et règlementaires, des modifications dans la

pratique juridique et le respect des lois ou des obligations contractuelles;
— l’apparition de nouveaux systèmes et technologies; ou
© ISO 2018 – Tous droits réservés 3
---------------------- Page: 9 ----------------------
ISO/TR 21946:2018(F)

— l’élaboration de nouvelles dispositions pour la gestion des documents d'activité, comme lors de

collaborations entre juridictions sur des projets communs, l’imposent.
Ou, lorsque des changements surviennent concernant:
— des structures organisationnelles ou des fusions;
— de nouvelles exigences réglementaires ou des modifications de ces dernières;
— de nouvelles activités ou fonctions ou des modifications de ces dernières; ou

— des modifications au niveau des attentes du grand public en matière de gestion des documents

d'activité de l'organisme concerné, y compris de nouvelles attentes liées à l'accès et l'utilisabilité.

Les problèmes liés à la création et à la gestion des documents d'activité, comme des documents

d'activité manquants (qu'il aurait convenu de créer), des accès non autorisés aux documents d'activité

ou la suppression non autorisée de documents d'activité, pourraient également justifier une évaluation.

La fréquence d'évaluation dans le cadre de la gestion des documents d'activité et l’échelle à laquelle

cette dernière est réalisée varieront d'un cas à un autre. Par exemple, un organisme possédant un

cadre règlementaire très stable et une activité relativement constante pourrait réaliser des évaluations

de manière moins fréquente qu'un organisme connaissant des changements fréquents. Le processus

d'évaluation peut être modifié au niveau de son étendue ou de son périmètre, selon les résultats

attendus (voir 5.2).

L'évaluation dans le cadre de la gestion des documents d'activité est réalisée de manière cohérente et

responsable. Cela signifie:

— mener à bien une évaluation dans le cadre d'un mandat et d'une autorisation clairs;

— conserver, sous la forme de documents d'activité, la documentation relative à la recherche, à l'analyse

et à la consultation des parties prenantes qui ont été effectuées dans le cadre du processus;

— prendre des décisions cohérentes et utiliser les décisions passées afin de vérifier tout précédent;

— justifier les décisions prises et conserver les documents correspondants.
5 Collecte et analyse d'informations
5.1 Généralités

Le processus d'évaluation comporte un certain nombre de types d'analyses, qui peuvent être réalisées

successivement ou simultanément. Ces analyses comprennent les étapes suivantes:

— compréhension du contexte dans lequel l'évaluation est menée à bien, y compris les caractéristiques

relatives à l'organisme, aux technologies et à l'activité;
— analyse des fonctions de l'activité en elles-mêmes;

— analyse des exigences relatives aux documents d'activité d'un point de vue organisationnel, juridique

et sociétal;

— identification et appréciation des risques associés à la création, la capture et la gestion des documents

d'activité.

Certains types d'analyses, telles que l'analyse du contexte de l'activité, peuvent déjà avoir été effectués

à d'autres fins au sein de l'organisme, par exemple dans le cadre de la sécurité des informations. Il est

recommandé de vérifier si l'analyse requise a déjà été effectuée et si les résultats obtenus peuvent être

réutilisés pour l'évaluation.
4 © ISO 2018 – Tous droits réservés
---------------------- Page: 10 ----------------------
ISO/TR 21946:2018(F)

Il est important de noter que l'identification des risques a lieu tout au long du processus d'évaluation

sous trois formes différentes:

— lors de l'examen du contexte organisationnel au sein duquel le processus se déroule, les risques

internes et externes affectant l'organisme et ses parties prenantes peuvent être identifiés;

— lors de l'analyse de l'activité par rapport à des fonctions, activités ou processus de travail particuliers

pendant l'analyse de l'activité. Par exemple, les risques associés à une mauvaise gestion des

documents d'activité des services publics axés sur les citoyens ou à des informations d'identification

personnelle pourraient être supérieurs à ceux relatifs à d'autres activités administratives;

— lors de l'identification des risques susceptibles d’être gérés en respectant les exigences relatives aux

documents d'activité identifiées.

Après l'identification des risques, il convient d'effectuer une analyse et une évaluation (conformément

aux pratiques de gestion des risques de l'organisme, le cas échéant). Cela permet de faciliter la prise

de décisions quant à la manière de respecter les exigences et à l'investissement approprié en matière

de ressources pour ce faire. Cet aspect de l'évaluation et du traitement des risques est détaillé plus

avant en 6.3.

Les résultats de l'analyse menée pour l'évaluation dans le cadre de la gestion des documents d'activité

peuvent être utilisés pour développer d'autres outils et ressources pouvant servir à la création, la

capture et la gestion des documents d'activité (voir 6.5).
5.2 Détermination du périmètre de l'évaluation

Le périmètre d'une évaluation doit être clairement défini dès le début de tout processus d'évaluation. Les

événements qui déclenchent l'évaluation, ainsi que le rôle et les responsabilités de la ou des personne(s)

chargée(s) de l'évaluation, influenceront directement son périmètre. Le périmètre de l'évaluation

influencera à son tour le type d'agents impliqués dans le processus. Par exemple, un périmètre portant

plus particulièrement sur l’aspect sociétal exigera une plus grande implication d'agents externes par

rapport à un périmètre dont l'accent sera uniquement mis sur l'activité, qui exigerait une implication

étendue des représentants commerciaux. Le périmètre de l'évaluation peut évoluer selon les fonctions

et activités couvertes, ou les parties de l'analyse concentrant toute l'attention.

EXEMPLE 1 Un processus d'évaluation pourrait être mené par le responsable d'un système de gestion en cours

de remplacement. Le système ne prend en charge qu'une seule fonction, mais celle-ci est exécutée par plusieurs

entités de l'organisme, qui travaillent de façon collaborative en ligne. Dans ce cas, le périmètre est limité à cette

seule fonction mais prend en compte les contextes de chacune des entités de l'organisme qui y contribuent, avec

leurs risques et leurs exigences.

EXEMPLE 2 Lors d'une fusion, les fonctions d'un organisme sont analysées afin de prendre des décisions

concernant la migration des documents d'activité vers de nouveaux systèmes et d'autres sujets comme

l'intégration de référentiels de gestion des documents. Le périmètre du processus d'évaluation devrait, dans cet

exemple, couvrir les fonctions des deux entités.

EXEMPLE 3 Un processus d'évaluation mené dans l'optique de définir des exigences relatives aux documents

d'activité pour les intégrer aux spécifications d'un nouveau système de gestion impliquerait d'accorder une plus

grande importance à l'analyse des fonctions prises en charge par le système, contrairement à une évaluation

réalisée dans le but de développer un référentiel de gestion des documents concernant l'intégralité de l'activité

d'un organisme.

EXEMPLE 4 Un processus d'évaluation mené à bien afin de définir des règles de sort final pour toute une

juridiction, dans l'optique d'identifier les classes de documents d'activité à conserver en tant qu'archives, aura un

large périmètre englobant une analyse de haut niveau du contexte, des fonctions et des activités, des exigences et

des risques pour toute la juridiction. Cela permet d'assurer la cohérence des décisions prises. Dans certains cas,

une telle évaluation est réalisée en une étape pour toute la juridiction. D'autres évaluations sont effectuées en

plusieurs étapes, en collaboration avec les organismes dans la juridiction.
© ISO 2018 – Tous droits réservés 5
---------------------- Page: 11 ----------------------
ISO/TR 21946:2018(F)
5.3 Choix des personnes à impliquer dans le processus d'évaluation

L'évaluation dans le cadre de la gestion des documents d'activité est fondamentale pour le travail des

professionnels de la documentation, ce qui fait d'eux les personnes idéales pour planifier et mener les

activités d'évaluation.

Il convient que d'autres personnes ou groupes soient impliqués dans une ou plusieurs étapes du

processus d'évaluation. L'implication d'autres personnes dépendra du but et du périmètre du processus

d'évaluation et de l'objet principal de l'analyse. Ces personnes incluront des agents internes et des

parties prenantes, comme
— des représentants commerciaux;
— des représentants juridiques;
— la direction;

— des instances dirigeantes, telles que des conseils d'administration ou des comités d'audit;

— des professionnels associés de la gestion d'informations, comme des responsables de la protection

de la vie privée, des documentalistes, des spécialistes de la conservation ou les responsables des

données et de la transparence;
— des professionnels des communications; et/ou
— des spécialistes des technologies de l'information.

Il convient que les agents externes et les parties prenantes soient également consultés ou impliqués de

manière appropriée. Ces derniers peuvent comprendre des personnes et des groupes comme

— des parties prenantes;
— des clients;
— des cabinets d'audit externe ou des autorités règlementaires;

— des experts sur le sujet, des membres d'associations professionnelles ou des universitaires;

— des représentants d'institutions chargées des archives;
— des promoteurs de la transparence;
— des experts en confidentialité;
— des experts en sécurité des informations;

— des personnes ou groupes affectés par les activités du gouvernement ou de l'organisme; et/ou

— des personnes mentionnées dans les documents d'activité, telles que des pupilles de l'État durant

leur enfance ou des personnes ayant bénéficié d'une aide ou de services de la part du gouvernement.

5.4 Collecte d'informations

L'évaluation dans le cadre de la gestion des documents d'activité repose sur l'identification des parties

prenantes et d'autres sources d'informations renseignant sur le contexte de l'activité et technologique,

les fonctions, les risques et les exigences. Il convi
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.