BS ISO 18829-2017 Document management Assessing ECM EDRM implementations Trustworthiness《文件管理 评定ECM EDRM实现 可信度》.pdf

1、Document management Assessing ECM/EDRM implementations TrustworthinessBS ISO 18829:2017BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06 ISO 2017Document management Assessing ECM/EDRM implementations TrustworthinessGestion de documents valuation de la mise en oeuvre d

2、es ECM/EDRM FiabilitINTERNATIONAL STANDARDISO18829First edition2017-06Reference numberISO 18829:2017(E)National forewordThis British Standard is the UK implementation of ISO 18829:2017.The UK participation in its preparation was entrusted to Technical Committee IDT/1, Document Management Application

3、s.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Stan

4、dards Limited 2017ISBN 978 0 580 83156 0ICS 01.140.20Compliance with a British Standard cannot confer immunity from legal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 June 2017.Amendments/corrigenda issued since publicationD

5、ate Text affectedBRITISH STANDARDBS ISO 18829:2017 ISO 2017Document management Assessing ECM/EDRM implementations TrustworthinessGestion de documents valuation de la mise en oeuvre des ECM/EDRM FiabilitINTERNATIONAL STANDARDISO18829First edition2017-06Reference numberISO 18829:2017(E)BS ISO 18829:20

6、17ISO 18829:2017(E)ii ISO 2017 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO 2017, Published in SwitzerlandAll rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photo

7、copying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCh. de Blandonnet 8 CP 401CH-1214 Vernier, Geneva, SwitzerlandTel. +41 22 749

8、 01 11Fax +41 22 749 09 47copyrightiso.orgwww.iso.orgBS ISO 18829:2017ISO 18829:2017(E)ii ISO 2017 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO 2017, Published in SwitzerlandAll rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in

9、 any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCh. de Bl

10、andonnet 8 CP 401CH-1214 Vernier, Geneva, SwitzerlandTel. +41 22 749 01 11Fax +41 22 749 09 47copyrightiso.orgwww.iso.orgISO 18829:2017(E)Foreword ivIntroduction v1 Scope . 12 Normative references 13 Terms and definitions . 14 Trustworthy ECM system assessment 24.1 General . 24.1.1 Assessment output

11、 . 24.1.2 Process review . 34.1.3 Fulfilling legal, government and regulatory requirements . 44.2 Assessment activities 44.2.1 Review of existing business practice and other organizational documentation 44.2.2 Evaluating information ingested into the system 44.2.3 Readability 54.3 Evaluating informa

12、tion retention, preservation and destruction . 64.3.1 Application interoperability 64.3.2 Data migration between electronic storage media 64.3.3 Data format conversion 64.3.4 Media monitoring program 64.3.5 Data expunging/deletion 64.4 System security . 64.4.1 Security-related information to be coll

13、ected/reviewed 64.4.2 Securing the information to prevent unauthorized modification or deletion of ESI 74.5 Evaluating information access . 74.5.1 General 74.5.2 Managing authorized modification 84.6 Evaluating history and audit trail information 84.6.1 General 84.6.2 Retrieval of previous document

14、version required to be maintained 84.6.3 Management of notes and annotations as part of a business record . 94.6.4 Management of ESI containing macros and/or external links . 94.7 Evaluating technical and data storage environments 104.7.1 Information security models 104.7.2 Storage technologies asse

15、ssment .104.7.3 Technology standards being followed by organization .104.7.4 Primary and secondary storage . 10Bibliography .12 ISO 2017 All rights reserved iiiContents PageBS ISO 18829:2017ISO 18829:2017(E)ForewordISO (the International Organization for Standardization) is a worldwide federation of

16、 national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. Int

17、ernational organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to develop this document and those in

18、tended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see w

19、ww .iso .org/ directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the docum

20、ent will be in the Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the voluntary nature of standards, t

21、he meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www .iso .org/ iso/ foreword .html.This document was prepare

22、d by Technical Committee ISO/TC 171, Document management applications, Subcommittee SC 1, Quality, preservation and integrity of information.iv ISO 2017 All rights reservedBS ISO 18829:2017ISO 18829:2017(E)ForewordISO (the International Organization for Standardization) is a worldwide federation of

23、national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. Inte

24、rnational organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to develop this document and those int

25、ended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see ww

26、w .iso .org/ directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the docume

27、nt will be in the Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the voluntary nature of standards, th

28、e meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www .iso .org/ iso/ foreword .html.This document was prepared

29、 by Technical Committee ISO/TC 171, Document management applications, Subcommittee SC 1, Quality, preservation and integrity of information.iv ISO 2017 All rights reserved ISO 18829:2017(E)IntroductionThis document provides a methodology for organizations seeking to assess whether their ECM environm

30、ent complies with key concepts of trustworthiness and information reliability as identified in ISO/TR 15801 and ISO/TR 22957.Many organizations are now required to ensure their business-related electronically stored information (ESI) is securely created, stored and eventually destroyed in order to e

31、stablish the authenticity and accuracy of the ESI and the security and trustworthiness of the organization.This document identifies activities and operations an organization needs to follow in order to ensure that any electronically stored information (ESI) is created and maintained in a reliable an

32、d trustworthy manner through the entire ESI lifecycle, and evaluate existing enterprise content management (ECM) systems or electronic document and records management (EDRM) systems for compliance with applicable ISO standards.ISO 15489, ISO/TR 15801 and ISO/TR 22957 provide organizations with guida

33、nce for the design of their enterprise content management (ECM) systems; however, organizations may also be required to provide auditable proof that these systems provide a secure environment for ESI that meets any legal, technical and policy obligations of the organization and comply with applicabl

34、e ISO standards.Any trustworthy ECM/EDRM solution needs to be capable of being audited, with reproducible results. There also needs to be a method of independently verifying the claims of the software and hardware vendors that the information is safe and secure and being stored in a trustworthy fash

35、ion. Organizations will need to ensure that their supporting documentation reflects these requirements.Although standardized ECM solutions are likely to be auditable and can be easily verified, non-standardized or proprietary storage solutions may not provide a full audit trail and claims for the se

36、curity of the ECM/EDRM solution made by vendors are difficult to independently verify. Regardless of whether the storage technology is standardized or proprietary, the organization faces the same need to be able to verify that the ECM/EDRM solution complies with all applicable requirements. ISO 2017

37、 All rights reserved vBS ISO 18829:2017BS ISO 18829:2017Document management Assessing ECM/EDRM implementations Trustworthiness1 ScopeThis document identifies activities and operations that an organization needs to perform, or have performed, to evaluate whether the electronically stored information

38、ESI) is or was maintained in a reliable and trustworthy environment(s). These environments utilize content or records management technologies commonly referred to as either enterprise content management (ECM) or electronic document and records management (EDRM) enforcing organizational records mana

39、gement policies and schedules.ISO/TR 15801 and ISO 15489 (all parts) established the standards and best practices associated with implementing trustworthy records/document management environments. However, a standard is necessary to define the methodology used to evaluate these types of records/docu

40、ment management environments regardless of what technologies are currently employed by the organization. This document establishes the assessment methodology to be followed to identify the level of organizational compliance with these standards as related to trustworthiness and reliability of inform

41、ation stored in these environments.This document is applicable to existing or planned ECM systems. Establishing the existence of a trustworthy system is an important step in documenting the reliability of ESI maintained within that system or environment. This document is designed for use by organiza

42、tions evaluating the trustworthiness of existing record/document management environments. This document identifies all of the mandatory activities and areas that need to be examined by a resource, or resources, with a thorough technical and operational knowledge of the specific technologies and meth

43、odologies being examined, along with understanding record management processes and activities.2 Normative referencesThe following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition ci

44、ted applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO 12651-1, Electronic document management Vocabulary Part 1: Electronic document imagingISO 15489-1, Information and documentation Records management Part 1: Concepts and principle

45、s3 Terms and definitionsFor the purposes of this document, the following terms and definitions given in ISO 12651-1, ISO 15489-1 and the following apply.ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at h t t p :/ www

46、electropedia .org/ ISO Online browsing platform: available at h t t p :/ www .iso .org/ obp3.1authentic recordrecord that can be provena) to be what it purports to be,INTERNATIONAL STANDARD ISO 18829:2017(E) ISO 2017 All rights reserved 1BS ISO 18829:2017ISO 18829:2017(E)b) to have been created or

47、sent by the person purported to have created or sent it, andc) to have been created or sent at the time purported3.2business practice documentationBPDdetailed business process document identifying how information is received, stored and managed along with the processes, policies and procedures follo

48、wed by the organizationNote 1 to entry: The BPD contains sufficient information allowing the organization to authenticate or certify that electronically stored information contained within the electronic document/record management system is accurate, reliable and trustworthy.Note 2 to entry: In some

49、 areas, this document is referred to as a master procedure manual.3.3electronically stored informationESIinformation created, used and stored in digital form, and requiring a computer or other device for accessNote 1 to entry: For the purposes of this document, ESI includes documents and records created and/or managed by the organization in the course of business. Electronic data contained within relational databases or specialized application data sets are not considered to be part of the ESI examined when ex