1、BSI Standards Publication PD ISO/TR 18128:2014 Information and documentation Risk assessment for records processes and systemsPD ISO/TR 18128:2014 PUBLISHED DOCUMENT National foreword This Published Document is the UK implementation of ISO/TR 18128:2014. The UK participation in its preparation was e
2、ntrusted to Technical Committee IDT/2/17, Archives/records management. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct app
3、lication. The British Standards Institution 2014. Published by BSI Standards Limited 2014 ISBN 978 0 580 78296 1 ICS 01.140.20 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standards Policy and Strat
4、egy Committee on 31 March 2014. Amendments issued since publication Date Text affectedPD ISO/TR 18128:2014 ISO 2014 Information and documentation Risk assessment for records processes and systems Information et documentation Evaluation du risque pour les processus et systmes denregistrement TECHNICA
5、L REPORT ISO/TR 18128 First edition 2014-03-15 Reference number ISO/TR 18128:2014(E)PD ISO/TR 18128:2014ISO/TR 18128:2014(E)ii ISO 2014 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO 2014 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized
6、 otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright o
7、ffice Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandPD ISO/TR 18128:2014ISO/TR 18128:2014(E) ISO 2014 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references 1
8、 3 T erms and definitions . 2 3.1 Terms specific to risk . 2 3.2 Terms specific to records . 2 4 Risk assessment criteria for the organization . 2 4.1 Assessment of risk . 2 4.2 Risk criteria 3 4.3 Assignment of priority . 3 5 Risk identification . 3 5.1 General . 3 5.2 Context: External factors 5 5
9、3 Context: Internal factors . 6 5.4 Records systems 8 5.5 Records processes .11 6 Anal y sing identified risks 12 6.1 General 12 6.2 Likelihood analysis and probability estimation 13 7 Evaluating risks 15 7.1 General 15 7.2 Evaluating impact of adverse events .16 7.3 Evaluating the risk 16 8 C ommu
10、nicating the identified risks 17 Annex A (informative) Example of a documented risk entry in a risk register 19 Annex B (informative) Example: checklists for identifying areas of uncertainty .20 Annex C (informative) Guide to using controls from ISO/IEC 27001, Annex A 27 Bibliography .37PD ISO/TR 18
11、128:2014ISO/TR 18128:2014(E) Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interest
12、ed in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Co
13、mmission (IEC) on all matters of electrotechnical standardization. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO document
14、s should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible
15、for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for th
16、e convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: F
17、oreword - Supplementary information The committee responsible for this document is ISO/TC 46, Information and documentation, Subcommittee SC 11, Archives/records management.iv ISO 2014 All rights reservedPD ISO/TR 18128:2014ISO/TR 18128:2014(E) Introduction All organizations identify and manage the
18、risks to their functioning successfully. Identifying and managing the risks to records processes and systems is the responsibility of the organizations records professional. This Technical Report is intended to help records professionals and people who have responsibility for records in their organi
19、zation to assess the risks related to records processes and systems. NOTE System means any business application which creates and stores records. This is distinct from the task of identifying and assessing the organizations business risks to which creating and keeping adequate records is one strateg
20、ic response. The decisions to create or not create records in response to general business risk are business decisions which should be informed by the analysis of the organizations records requirements undertaken by records professionals together with business managers. The premise of this Technical
21、 Report is that the organization has created records of its business activities to meet operational and other purposes and has established at least minimal mechanisms for the systematic management and control of the records. The consequence of risk events to records processes and systems is the loss
22、 of, or damage to, records which are therefore no longer useable, reliable, authentic, complete, or unaltered, and therefore can fail to meet the organizations purposes. The Technical Report provides guidance and examples based on the general risk management process established in ISO 31000 (see Fig
23、ure 1) to apply to risks related to records processes and systems. It covers a) risk identification, b) risk analysis, and c) risk evaluation. The results of the analysis of risk to records processes and systems should be incorporated into the organizations general risk management framework. As a re
24、sult, the organization will have better control of its records and their quality for business purposes. Clause 5 provides a comprehensive list of areas of uncertainty related to records processes and systems as a guide for risk identification. Clause 6 provides guidance to determining the consequenc
25、es and probabilities of identified risk events, taking into account the presence (or not) and the effectiveness of any existing controls. Clause 7 provides guidance to determining the significance of the level and type of risks identified. The report does not deal with risk treatment. Once the asses
26、sment of risks related to records processes and systems has been completed, the assessed risks are documented and communicated to the organizations risk management section. Response to the assessed risks is undertaken as part of the organizations overall risk management program. The priority assigne
27、d by the records professional to the assessed risks is provided to inform the organizations decisions about managing those risks. ISO 2014 All rights reserved vPD ISO/TR 18128:2014ISO/TR 18128:2014(E) Figure 1 Risk Management process NOTE Figure 1 from ISO 31000:2009. Numbering refers to text of ISO
28、 31000.vi ISO 2014 All rights reservedPD ISO/TR 18128:2014TECHNICAL REPORT ISO/TR 18128:2014(E) Information and documentation Risk assessment for records processes and systems 1 Scope This Technical Report intends to assist organizations in assessing risks to records processes and systems so they ca
29、n ensure records continue to meet identified business needs as long as required. The report a) establishes a method of analysis for identifying risks related to records processes and systems, b) provides a method of analysing the potential effects of adverse events on records processes and systems,
30、c) provides guidelines for conducting an assessment of risks related to records processes and systems, and d) provides guidelines for documenting identified and assessed risks in preparation for mitigation. This Technical Report does not address the general risks to an organizations operations which
31、 can be mitigated by creating records. This Technical Report can be used by all organizations regardless of size, nature of their activities, or complexity of their functions and structure. These factors, and the regulatory regime in which the organization operates which prescribes the creation and
32、control of its records, are taken into account when identifying and assessing risk related to records and records systems. Defining an organization or identifying its boundaries should take into account the complex structures and partnerships and contractual arrangements for outsourcing services and
33、 supply chains which are a common feature of contemporary government and corporate entities. Identifying the boundaries of the organization is the initial step in defining the scope of the project of risk assessment related to records. This Technical Report does not address directly the mitigation o
34、f risks as methods for these will vary from organization to organization. The Technical Report can be used by records professionals or people who have responsibility for records in their organizations and by auditors or managers who have responsibility for risk management programs in their organizat
35、ions. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any
36、 amendments) applies. ISO 30300:2011, Information and documentation Management systems for records Fundamentals and vocabulary ISO Guide 73:2009, Risk management Vocabulary ISO 2014 All rights reserved 1PD ISO/TR 18128:2014ISO/TR 18128:2014(E) 3 T erms a nd definiti ons For the purposes of this docu
37、ment, the terms and definitions given in ISO 30300, ISO Guide 73 and the following apply. 3.1 T erms specific t o r isk 3.1.1 risk effect of uncertainty Note 1 to entry: An effect is a deviation from the expected positive or negative. Note 2 to entry: Uncertainty is the state, even partial, of defic
38、iency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73:2009, 3.5.1.3) and consequences (ISO Guide 73:2009, 3.6.1.3) or a combination of these. Note 4 to entr
39、y: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (ISO Guide 73, 3.6.1.1) of occurrence. SOURCE: ISO Guide 73:2009, definition 1.1 3.2 T erms specific t o r ec or ds 3.2.1 records system information
40、 system which captures, manages, and provides access to records through time Note 1 to entry: This can include business applications or systems which create and maintain records. SOURCE: ISO 30300:2011, definition 3.4.4 3.2.2 records processes sets of activities by which records are created, control
41、led, used, kept and disposed of by the organization 4 Risk assessment criteria for the organization 4.1 Assessment of risk Assessing risks for records processes and systems should be included, where it exists, in the organizations general risk management process. In this case, records professionals
42、should take into account the organizations external and internal context and the context of the risk management process itself, including the following: a) Roles and responsibilities: The role of records professionals in the assessment of risk related to records processes and systems should be speci
43、fied. b) Extent and scope of the risk assessment activities: Relationships with other risk assessment areas, such as information security, should be made explicit to avoid redundancy and conflicts and enable an integrated approach to risk assessment which includes records. c) Methodology: The standa
44、rd risk assessment methodology should be applied using the available risk assessment tools and reporting to the designated area or person. d) Risk criteria: Where general risk criteria for the organization are established, risks related to records processes and systems should be assessed using these
45、 criteria.2 ISO 2014 All rights reservedPD ISO/TR 18128:2014ISO/TR 18128:2014(E) Where the organization has not established a general risk management process, records professionals need to establish the risk criteria applying to records processes and systems prior to the assessment process. 4.2 Risk
46、 criteria Criteria should be based on the legal requirements for the organizations jurisdiction and should include the following: a) the nature and types of consequences to be included and how they will be measured; b) the way in which probabilities are to be expressed; c) how a level of risk will b
47、e determined; d) the criteria by which it will be decided when a risk needs treatment; e) the criteria for deciding when a risk is acceptable and/or tolerable; f) whether and how combinations of risks will be taken into account. Regarding the nature and types of consequences to be included in the ri
48、sk assessment of records processes and systems, there is a general starting point which applies to all organizations. Records which are authentic, reliable, have integrity, and are useable for as long as they are required will support the needs of the organization. Risks are identified based on thei
49、r potential to undermine those general characteristics of records which would make them fail to meet the purposes for which they are created. For discussion of probability and frequency of events in risk assessment, see 6.2. Criteria for evaluating risks, including the criteria by which it will be decided when a risk is acceptable or needs treatment, include the size and reach of the records systems in the organization, the number of users, and the use made of the system in the operations of the organization. Similarly, c
