RIM Fundamentals

Standards for Establishing Records and Information Management Programs

A large variety of national and international standards, as well as technical reports and best practice guidelines, have been developed to aid records and information management (RIM) professionals in determining the best methods, rationale, components, and processes for managing the life cycle of records and information.

Virginia A. Jones, CRM, FAI



Understanding and applying the guidance these publications provide are essential to developing the efficient procedures, tasks, and processes that are important to a RIM program’s success. However, wading through the list of available standards to find those that are most useful for establishing a good program can be time-consuming. This article identifies a number of key standards and best practices that have near-universal usefulness and can form a foundation for a comprehensive records management program.

Setting the Foundation

A good baseline for any RIM program is the adoption of the two publications recognized as the international records management standard and its accompanying technical report:

  • ISO 15489-1:2001 Information and documentation – Records management – Part I – General (ISO 15489-1)

  • ISO/TR 15489-2:2001 Information and documentation – Records management – Part II – Guidelines (ISO 15489-2).

ISO 15489-1

ISO 15489-1 is a standard developed by representatives of a number of participating countries using a consensus process. It applies to the management of records in any format or media, created or received by any public or private organization during the course of its activities and to “any individual with a duty to create and maintain records.”

Specifically, it provides guidance on determining RIM responsibilities, supporting a quality process framework, and designing and implementing a records system. It does not include the management of archival records within archival institutions.

ISO 15489-2

ISO/TR 15489-2 is a technical report, recommended for use with ISO 15489-1. It provides further explanation of the standard, including implementation options and some recommended procedures for achieving the requirements in ISO 15489-1. It provides one methodology to facilitate implementation and serves as a foundation for establishing a solid implementation plan based on pertinent jurisdictional laws and regulations. It gives an overview of the processes and factors to consider for organizations wishing to comply with ISO 15489-1.

Foundational Requirements

The requirements of ISO 15489-1, in particular, can be used to establish a foundation for a basic RIM program that satisfies the RIM needs of most organizations, especially when combined with the recommendations from ISO/TR 15489-2.

It outlines the benefits of records management and sets requirements for:

  • Considering the needs of the organization’s regulatory environment

  • Developing, implementing, and maintaining policies and responsibilities

  • Establishing principles for records management requirements, including records creation, records form and structure, and the use of technologies; establishing authentic, reliable, and trustworthy records systems; business process analysis; creation and management of metadata; compliance with regulations and laws; determining how long to retain records; and the protection and preservation of records

  • Designing and implementing a records system

  • Creating records management processes and controls

  • Establishing and conducting monitoring and auditing of the program

  • Launching and conducting training in all aspects of the program

Supporting the Foundation

Once the basic program is determined based on the requirements of ISO 15489-1, other key standards and guidelines can be applied to support it. A detailed matrix listing the requirements of ISO 15489-1 and the key standards that support them is on pages 40-41.

For example, ISO 15489-1 says in section 7.1 that to support the continuing conduct of business, comply with the regulatory environment, and provide necessary accountability, organizations should create and maintain authentic, reliable, and useable records, and should protect the integrity of those records for as long as required. To do this, organizations should institute and carry out a comprehensive records management program, which includes determining what records should be created in each business process and what information needs to be included in the records, thus ensuring that records are retained only for as long as needed or required.

The matrix shows seven standards, guidelines, and technical reports that support designing and implementing retention and disposition in a records program. 

Building out the Structure

The following is by no means a comprehensive list of all available standards that might pertain to a RIM program. But these key standards, technical reports, guidelines, and best practices form a nucleus of support for any RIM program.


General RIM Concepts

General RIM concept standards aid in establishing a RIM program. They include requirements and guidelines for basic RIM principles, such as records retention and disposition programs, inactive records management, active records management, and the care and handling of recordkeeping media.

Establishing Alphabetic, Numeric, and Subject Filing Systems – aids in the selection and application of a filing system that will enable users to retrieve information. It describes three principal systems: alphabetic filing, subject filing, and numeric filing and contains standard rules for indexing alphabetic data.

ARMA TR01-2011 Records Center Operations, 3rd Ed. – assists organizations with selecting an appropriate records center site and designing, equipping, staffing, operating, and managing a records center. Additional sections discuss vaults, security, records center software, and commercial records storage facilities.

Contracted Destruction for Records and Information Media (ARMA International) – identifies the critical components that must be addressed so no records or information in any format are compromised during any part of the destruction process. It is designed to guide organizations when contracting for destruction services.

Glossary of Records and Information Management Terms, 3rd Edition (ARMA International) – includes nearly 500 terms from numerous disciplines that have an impact on the profession. [Editor’s Note: The fourth edition of the glossary is set for publication this fall.]

Guideline for Evaluating Offsite Records Storage Facilities (ARMA International) – assists organizations with evaluating storage needs, determining whether business practices make outsourcing the best decision, and assessing the ability of vendors to meet storage requirements.

Guideline for Outsourcing Electronic Records Storage and Disposition (ARMA International) – provides information to assist organizations in making decisions about outsourcing electronic records storage, retrieval, and disposition to third-party providers and in evaluating and selecting a service provider.

ISO 18923:2000 Imaging materials – Polyester Base Magnetic Tape – Storage Practices – provides recommendations concerning the storage conditions, storage facilities, enclosures, and inspection for recorded polyester base magnetic tapes in roll form. It covers analog and digital tape and includes tape made for audio, video, instrumentation, and computer use.

NIST SP 500-252 Care and Handling of CDs and DVDs – A Guide for Librarians and Archivists – provides guidance on how to maximize the lifetime and usefulness of optical discs, specifically CD and DVD media, by minimizing chances of information loss caused by environmental influences or physical handling.

NIST SP 800-88 Guidelines for Media Sanitization – assists in implementing a media sanitization program with proper and applicable techniques and controls for decision making when media require disposal, reuse, or when they will be leaving the effective control of an organization.

Retention Management for Records and Information (ARMA International) – provides guidance for establishing and operating a retention and disposition program. 

RIM Technical Issues

RIM technology standards are appropriate for managing the technical aspects of RIM programs. They include requirements and guidelines for electronic records issues, digitization programs, recordkeeping issues resulting from the use of Internet and intranet, and recordkeeping issues resulting from the use of new technologies.

ANSI/ARMA 19-2012 Policy Design for Managing Electronic Messages – sets forth the requirements for a policy guiding the management of text-based electronic messages or communications (including e-mail [and related attachments/metadata], instant messaging, and text messaging) as records throughout their life cycle.

ARMA TR-02-2007 Procedures and Issues for Managing Electronic Messages as Records – addresses concerns typically confronted during the implementation and management of any text-based electronic messaging system or communication, such as e-mail or instant messaging, not including voice mail. [Editor’s Note: This technical report is undergoing revision and is scheduled for publication during summer 2013.]

Controlled Language in Records and Information Management (ARMA International) – describes what controlled language is and how it benefits organizations by reducing search time and increasing the reliability of search results, improving organizational communication, avoiding duplication, and reducing corporate risk exposure in legal and other discovery processes.

ISO 10244:2010 Document management – Business process base lining and analysis – specifies the detailed information associated with the activities organizations perform when documenting existing work or business processes (business process base lining), defining the level of information required to be gathered, methods of documenting the work or business processes, and the procedures used when evaluating or analyzing the work or business processes.

ISO 23081-1:2006 Information and documentation – Records management processes – Metadata for records – Part 1: Principles – covers the principles that underpin and govern records management metadata.

ISO 23081-2:2009 Information and documentation – Managing metadata for records – Part 2: Conceptual and implementation issues – establishes a framework for defining metadata elements consistent with the principles and implementation considerations outlined in ISO 23081-1:2006.

ISO 13008:2012 Information and documentation – Digital records conversion and migration process – provides guidance in understanding recordkeeping requirements, the organizational and business framework for conducting the conversion and migration process, technology planning issues, and monitoring/controls for the process. [Editor’s Note: This publication supersedes ANSI/ARMA 16-2007 The Digital Records Conversion Process.]

ISO/TR 13028:2010 Information and documentation – Implementation guidelines for digitization of records – establishes guidelines for creating and maintaining records in digital format only and establishes best practice guidelines for digitization to ensure the trustworthiness and reliability of records.

ISO/TR 22957:2009 Document management – Analysis, selection and implementation of electronic document management systems (EDMS) – presents a recommended set of procedures and activities that are advisable when performing analysis, selection, and implementation of project phases associated with electronic document management systems technologies.

ISO/TR 26122:2008 Information and documentation – Work process analysis for records – provides guidance on work process analysis from the perspective of the creation, capture, and control of records.

Legal, Protection, and Preservation RIM Issues

These publications include requirements and guidelines for meeting legal and regulatory obligations, protecting records and information from loss or damage, and preserving records and information of historical value.

ANSI/AIIM TR31-2004 Legal Acceptance of Records Produced by Information Technology Systems – addresses laws that affect personal or business recordkeeping practices. In particular, it addresses laws containing recordkeeping provisions that require records to be kept available for government audit, require records to be submitted to the government, or establish the form of records.

ANSI/ARMA 5-2010 Vital Records Programs: Identifying, Managing, and Recovering Business-Critical Records – sets the requirements for establishing a vital records program including requirements for: identifying and protecting vital records, assessing and analyzing their vulnerability, and determining the impact of their loss on the organization.

ANSI/ARMA 18-2011 Implications of Web-Based, Collaborative Technologies in Records Management – provides requirements and best practice recommendations related to policies, procedures, and processes for an organization’s use of internally facing or externally directed (public or private), web-based, collaborative technologies such as wikis, blogs, mash-ups, and classification (tagging) sites.

Guideline for Evaluating and Mitigating Records and Information Risks (ARMA International) – provides a framework for establishing systems to evaluate information risks and describes a process for framing a risk management system using a risk quadrant of administrative risks, records control risks, legal/regulatory risks, and technology risks.

Guideline for Outsourcing Electronic Records Storage to the Cloud (ARMA International) – addresses information management issues related to cloud-based records storage, including benefits and risks of using cloud-based records storage, how to mitigate legal risks, issues related to retention, disposition, privacy, and security, standards and best practices, and vendor selection.

ISO 11108:1996 Information and documentation – Archival paper – Requirements for permanence and durability – contains requirements for unprinted archival paper intended for documents and publications required for permanent retention and frequent use.

ISO 19005-1:2005 Document management – Electronic document file format for long-term preservation – Part 1: Use of PDF 1.4 (PDF/A-1) – specifies how to use the portable document format (PDF) 1.4 for long-term preservation of electronic documents.

ISO/IEC 27002: 2005 Information Technology – Security techniques – Code of Practice for Information Security – establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It outlines objectives that provide general guidance on the commonly accepted goals of information security management. [Editor’s Note: This was formerly numbered ISO 17799:2005.]

ISO/TR 15801:2009 Document management – Information stored electronically – Recommendations for trustworthiness and reliability – describes the implementation and operation of document management systems that can be considered to store electronic information in a trustworthy and reliable manner. (ISO)

NFPA 75 Standard for the Protection of Electronic Computer/Data Processing Equipment – provides the minimum requirements for the protection of electronic computer/data processing equipment and computer areas from damage by fire or its associated effects.

NFPA 232 Standard for the Protection of Records – provides requirements for records protection equipment and facilities and records-handling techniques that provide protection from the hazards of fire.

NIST SP 800-34 Contingency Planning Guide for Information Technology System – assists organizations in understanding the purpose, process, and format of an information system continuity plan development through practical, real-world guidelines. It provides guidance to help personnel evaluate information systems and operations to determine contingency planning requirements and priorities.

Records Management Responsibility in Litigation Support (ARMA International) – helps records managers identify the steps of a typical litigation and defines their roles in the process.

Website Records Management (ARMA International) – explores how information posted on websites may constitute records. It offers records and information management advice and best practices recommendations for managing website records.

Evaluating the RIM Program

Standards provide a benchmark for evaluating RIM practices based on proven best practices from a variety of sources. They can create measurable methods of accomplishing work processes and tasks and allowing interoperability and compatibility of equipment and products.

Just as when developing or enhancing a RIM program, when evaluating the program, standards should be considered a basic resource. Even if not required by a regulatory body or governing requirements, organizations should consider adopting pertinent standards, guidelines, and technical reports as internal requirements and as benchmarks against which to assess their RIM programs.


Virginia A. Jones, CRM, FAI, can be contacted at vjones@nngov.com.

From July - August 2012
