Bs Iso 30301-2019

BS ISO 30301:2019

BSI Standards Publication

Information and documentation — Management systems for records — Requirements


BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO 30301:2019. It supersedes BS ISO 30301:2011, which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee IDT/2/17, Archives/records management. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2019

Published by BSI Standards Limited 2019

ISBN 978 0 580 52018 1

ICS 01.140.20; 03.100.70

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 28 February 2019.

Amendments/corrigenda issued since publication

Date | Text affected

INTERNATIONAL STANDARD


ISO 30301

Second edition 2019-02-15

Information and documentation — Management systems for records — Requirements

Information et documentation — Systèmes de gestion des documents d'activité — Exigences

Reference number ISO 30301:2019(E) © ISO 2019


COPYRIGHT PROTECTED DOCUMENT

© ISO 2019, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
[email protected]
www.iso.org




© ISO 2019 – All rights reserved


Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
    4.1 Understanding the organization and its context
        4.1.1 General
        4.1.2 Records requirements
    4.2 Understanding the needs and expectations of interested parties
    4.3 Determining the scope of the MSR
    4.4 Management system for records
5 Leadership
    5.1 Leadership and commitment
    5.2 Policy
    5.3 Organization roles, responsibilities and authorities
6 Planning
    6.1 Actions to address risks and opportunities
    6.2 Records objectives and planning to achieve them
7 Support
    7.1 Resources
    7.2 Competence
    7.3 Awareness
    7.4 Communication
    7.5 Documented information
        7.5.1 General
        7.5.2 Creating and updating
        7.5.3 Control of documented information
8 Operation
    8.1 Operational planning and control
    8.2 Determining records to be created
    8.3 Designing and implementing records processes, controls and systems
9 Performance evaluation
    9.1 Monitoring, measurement, analysis and evaluation
    9.2 Internal audit
    9.3 Management review
10 Improvement
    10.1 Nonconformity and corrective actions
    10.2 Continual improvement
Annex A (normative) Operational requirements for records processes, control and systems
Bibliography


Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 46, Information and documentation, Subcommittee SC 11, Archives/records management.

This second edition cancels and replaces the first edition (ISO 30301:2011), which has been technically revised to fully follow the common text of the high level structure (HLS) for all ISO management systems standards (MSS), and to align operational requirements with the guidelines in ISO 15489. The main changes compared to the previous edition are as follows:

— a new subclause, 4.1.2 Records requirements, has been added;

— subclauses 8.2 and 8.3 have been redrafted;

— the requirements in Annex A have been renamed and reordered. Requirements numbered A.1.1.1 and A.1.1.2 are now included in 8.2, A.2.5.7 has been deleted from Annex A.

ISO 30301 is part of a family of International Standards on management systems for records.

A list of all products in the ISO 30300 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.


Introduction

0.1 General

Organizational success largely depends upon implementing and maintaining a management system that is designed to continually improve performance while addressing the needs of all interested parties. Management systems offer methodologies to make decisions and manage resources in order to achieve the organization's goals.

Creation and management of records are integral to any organization's activities, processes and systems. They enable business efficiency, accountability, risk management and business continuity. They also enable organizations to capitalize on the value of their information resources as strategic assets, and to contribute to the preservation of collective memory, in response to the challenges of the global and digital environment.

0.2 Management system

Management system standards (MSS) provide tools for top management to implement a systematic and verifiable approach to organizational control in an environment that encourages good business practices.

The standards on management systems for records are designed to assist organizations of all types and sizes, or groups of organizations with shared business activities, to implement, operate and improve an effective management system for records (MSR).

The MSR directs and controls an organization for the purposes of establishing a policy and objectives with regard to records and achieving those objectives. This is done through the use of:

— defined roles and responsibilities;

— systematic processes;

— measurement and evaluation;

— review and improvement.

Implementation of a records policy and objectives soundly based on the organization's requirements will ensure that authoritative and reliable information about, and evidence of, business activities is created, managed and made accessible to those who need it for as long as required. Successful implementation of good records policy and objectives results in records and records systems adequate for all of an organization's purposes. Implementing an MSR in an organization also guarantees the transparency and traceability of decisions made by responsible management and the recognition of public interest.

0.3 Relationship with other records standards

The standards on MSR are developed within the MSS framework to be compatible and to share elements and methodology with other MSS. ISO 15489‑1, together with other International Standards and Technical Reports, are the principal tools for designing, implementing, monitoring and improving records processes and controls, which operate under the governance of the MSR where organizations decide to implement MSS methodology.

NOTE ISO 15489 is the foundation standard which codifies best practice for records management operations.

The structure of standards on MSR and the most relevant products for implementing records processes and controls, either published or under preparation, is shown in Figure 1.


NOTE Titles of some products and technical reports are susceptible to change when they are revised. Titles in this figure represent the subject or domain, not the complete official titles of published standards and technical reports. An updated figure with new products is available at https://committee.iso.org/home/tc46sc11.

Figure 1 — Standards on MSR and related International Standards and Technical Reports

0.4 MSR family of standards

This family of standards is intended to be used in support of:

a) top management who make decisions regarding the establishment and implementation of management systems within their organization;

b) people responsible for the implementation of MSR, such as professionals in the areas of risk management, auditing, management of records, information technology and information security.

The process approach incorporated to a management system for records emphasizes the importance of:

— identifying the organization's records requirements, including interested parties' needs and expectations, and establishing policy and objectives for records;

— implementing and operating controls for managing an organization’s risks in relation to its records, in the context of its overall business risks;

— monitoring and reviewing the performance and effectiveness of the MSR;

— continual improvement based on objective measurement.

Figure 2 represents the structure of this document in process approach.




Figure 2 — Structure of MSR in process approach

0.5 Relationship and compatibility with other management system standards

This document conforms to ISO’s requirements for management system standards. These requirements include a high-level structure, identical core text, common terms with core definitions, designed to benefit users implementing multiple ISO management system standards.

The term “documented information” is one of the core terms for MSS. Requirements related to documented information are given in 7.5 in all MSS. This document, apart from constituting an MSS itself, can support organizations to implement the documented information requirements of other management systems. For more information, see https://committee.iso.org/home/tc46sc11.


Information and documentation — Management systems for records — Requirements

1 Scope

This document specifies requirements to be met by a management system for records (MSR) in order to support an organization in the achievement of its mandate, mission, strategy and goals. It addresses the development and implementation of a records policy and objectives and gives information on measuring and monitoring performance.

An MSR can be established by an organization or across organizations that share business activities. Throughout this document, the term “organization” is not limited to one organization but also includes other organizational structures.

This document is applicable to any organization that wishes to:

— establish, implement, maintain and improve an MSR to support its business;

— ensure itself of conformity with its stated records policy;

— demonstrate conformity with this document by

a) undertaking a self-assessment and self-declaration, or

b) seeking confirmation of its self-declaration by a party external to the organization, or

c) seeking certification of its MSR by an external party.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 30300, Information and documentation — Management systems for records — Fundamentals and vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 30300 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp

— IEC Electropedia: available at http://www.electropedia.org/

3.1 organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.8)

Note 1 to entry: The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.



3.2 interested party
stakeholder
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity

3.3 requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

3.4 management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and objectives (3.8) and processes (3.12) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning and operation.

Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

3.5 top management
person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

3.6 effectiveness
extent to which planned activities are realized and planned results achieved

3.7 policy
intentions and direction of an organization (3.1), as formally expressed by its top management (3.5)

3.8 objective
result to be achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and process (3.12)].

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an MSR objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of MSR, MSR objectives are set by the organization, consistent with the MSR policy, to achieve specific results.

3.9 risk
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009, 3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.

3.10 competence
ability to apply knowledge and skills to achieve intended results

3.11 documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to:

— the management system (3.4), including related processes (3.12);

— information created in order for the organization to operate (documentation);

— evidence of results achieved (records).

3.12 process
set of interrelated or interacting activities which transforms inputs into outputs

3.13 performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including services), systems or organizations (3.1).

3.14 outsource, verb
make an arrangement where an external organization (3.1) performs part of an organization’s function or process (3.12)

Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the outsourced function or process is within the scope.

3.15 monitoring
determining the status of a system, a process (3.12) or an activity

Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.

3.16 measurement
process (3.12) to determine a value



3.17 audit
systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

3.18 conformity
fulfilment of a requirement (3.3)

3.19 nonconformity
non-fulfilment of a requirement (3.3)

3.20 corrective action
action to eliminate the cause of a nonconformity (3.19) and to prevent recurrence

3.21 continual improvement
recurring activity to enhance performance (3.13)

4 Context of the organization

4.1 Understanding the organization and its context

4.1.1 General

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its MSR.

External issues in the organization's context may include, but are not limited to:

— the social and cultural, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;

— key drivers and trends which can have an impact on the objectives of the organization;

— relationships with, and perceptions, values and expectations of, external interested parties (see 4.2).

Internal issues in the organization's context may include, but are not limited to:

a) governance, organizational structure, roles and accountabilities;

b) policies, objectives and the strategies that are in place to achieve them;

c) capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);

d) information systems, information flows and decision-making processes (both formal and informal);

e) technological context, including technologies that are maintained solely by the organization, as well as technologies used for collaboration with other parties;



f) relationships with, and perceptions and values of, internal interested parties and the organization's culture;

g) standards, guidelines and models adopted by the organization;

h) the form and extent of contractual relationships.

4.1.2 Records requirements

The organization shall identify and document the business need for records in order to understand what records should be created, captured and managed.

The organization shall identify, assess and document records requirements affecting its business operations with which it shall comply and for which it requires evidence of compliance. These requirements can be business, legal, regulatory or other requirements.

Business requirements include all the requirements for the performance of the operations or business of the organization. Requirements arise from current business performance, future planning and development, risk management and business continuity planning.

Legal requirements include requirements related to the creation, capture and management of records. Sources of legal requirements are:

— statute and case law, including law and regulations governing the sector-specific and general business environment;

— laws and regulations relating specifically to evidence, records and archives, access, privacy, data and information protection, and electronic commerce;

— the constitutional rules of organizations, charters or agreements to which the organization is a party;

— treaties and other instruments the organization is legally bound to uphold.

Other requirements include non-legal voluntary commitments made by the organization:

a) voluntary codes of best practice;

b) voluntary codes of conduct and ethics.

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:

— the interested parties that are relevant to the MSR;

— the requirements of these interested parties.

In relation to records, interested parties expect organizations to be accountable for their actions and retain and make records available when needed.

Requirements of the interested parties may include, but are not limited to:

a) identifiable expectations about what is acceptable behaviour for the specific sector or organization, including good governance, the proper control of fraudulent or malicious behaviour and transparency in decision making;

b) protection of involved agents or other interested parties’ rights and entitlements;

c) expectations that information in records will be available for research purposes by particular communities or disciplines;

d) documentation of significant events that define the historical and cultural experiences.



4.3 Determining the scope of the MSR

The organization shall determine the boundaries and applicability of the MSR to establish its scope.

When determining this scope, the organization shall consider

— the external and internal issues referred to in 4.1.1, and

— the requirements referred to in 4.1.2 and 4.2.

An MSR can be applied:

a) for one or more specific business processes within an organization;

b) across a whole organization covering all business processes;

c) for a number of organizations with shared business processes, such as across a specific sector, trading partners or a collaborative partnership.

When an MSR is established for one or more specific functions across a group of organizations, the scope shall include relationships between, and roles of, each entity.

The scope shall be available as documented information.

4.4 Management system for records

The organization shall establish, implement, maintain and continually improve an MSR, including the processes needed and their interactions, in accordance with the requirements of this document.

5 Leadership

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the MSR by

— ensuring that the records policy and records objectives are established and are compatible with the strategic direction of the organization;

— ensuring the integration of the MSR requirements into the organization’s business processes;

— ensuring that the resources needed for the MSR are available;

— communicating the importance of effective records management and of conforming to the MSR requirements;

— ensuring that the MSR achieves its intended outcome(s);

— directing and supporting persons to contribute to the effectiveness of the MSR;

— promoting continual improvement;

— supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

5.2 Policy

Top management shall establish a records policy that:

a) is appropriate to the purpose of the organization;

b) provides a framework for setting records objectives;

c) includes a commitment to satisfy applicable requirements;

d) includes a commitment to continual improvement of the MSR.

The records policy shall:

— be available as documented information;

— be communicated within the organization;

— be available to interested parties, as appropriate.

The records policy shall include the high-level strategies with regard to the creation, capture and management of authentic, reliable and useable records capable of supporting the organization's functions and activities and protecting the integrity of those records for as long as they are required.

5.3 Organization roles, responsibilities and authorities

Top management shall ensure the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

The assignment of responsibilities shall be appropriately allocated to all personnel at relevant functions and levels within the organization, in particular top management, programme managers, records professionals, information technology professionals, system administrators and all others who create and control records as part of their work.

Top management shall assign the responsibility and authority for:

a) ensuring that the MSR conforms with the requirements of this document;

b) reporting on the performance of the MSR to top management.

The organization's top management shall appoint a specific records operational representative who shall have a defined role, responsibility and authority, which includes

— implementing the MSR at the operational level,

— reporting to the top management on the effectiveness of the MSR for review, including recommendations for improvement, and

— establishing liaison with external parties on matters relating to the MSR.

6 Planning

6.1 Actions to address risks and opportunities

When planning for the MSR, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

— ensure the MSR can achieve its intended outcome(s);

— prevent or reduce undesired effects;

— achieve continual improvement.

The organization shall plan:

a) actions to address these risks and opportunities and,

b) how to:

— integrate and implement the actions into its MSR processes;

— evaluate the effectiveness of these actions.

6.2 Records objectives and planning to achieve them

The organization shall establish records objectives at relevant functions and levels.

Successful achievement of the records objectives results in the creation, capture and management of records which are reliable, authentic, have integrity and are useable. The records objectives of an MSR are achieved by the establishment of a records system or systems to capture and control records which are reliable, secure, compliant, comprehensive and systematic.

The records objectives shall:

a) be consistent with the records policy;

b) be measurable (if practicable);

c) take into account applicable requirements;

d) be monitored;

e) be communicated;

f) be updated as appropriate.

The organization shall retain documented information on the records objectives.

When planning how to achieve its records objectives, the organization shall determine:

— what will be done;

— what resources will be required;

— who will be responsible;

— when it will be completed;

— how the results will be evaluated.

7 Support

7.1 Resources

The organization shall determine and provide the resources needed for establishment, implementation, maintenance and continual improvement of the MSR.

Resources management includes

— assigning responsibility to personnel competent to perform the roles assigned in the MSR,

— periodic review of the competencies and training of those personnel, and

— maintenance and sustainability of resources and technical infrastructure.

7.2 Competence

The organization shall:

— determine the necessary competence of person(s) doing work under its control that affects the performance of its records processes and systems;

— ensure that these persons are competent on the basis of appropriate education, training, and experience;

— where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken;

— retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the organization's control shall be aware of:

— the records policy;

— their contribution to the effectiveness of the MSR, including the benefits of improved records processes and systems performance;

— the implications of not conforming with the MSR requirements.

7.4 Communication

The organization shall determine the internal and external communication relevant to the MSR including:

— on what it will communicate;

— when to communicate;

— with whom to communicate;

— how to communicate.

7.5 Documented information

7.5.1 General

The organization’s MSR shall include:

— documented information as required by this document;

— documented information determined by the organization as being necessary for the effectiveness of MSR.

NOTE The extent of documented information for an MSR can differ from one organization to another due to

a) the size of organization and its type of activities, processes, products and services,

b) the complexity of processes and their interactions, and

c) the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:

a) identification and description (e.g. a title, date, author, or reference number);

b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);

c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the MSR and by this document shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed;

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:

— distribution, access, retrieval and use;

— storage and preservation, including preservation of legibility;

— control of changes (e.g. version control);

— retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the MSR shall be identified as appropriate, and controlled.

NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

Documented information of the MSR is part of the records of an organization, which shall be managed in a records system. The MSR documented information creation and control requirements shall be consistent with the general records creation, capture and management requirements (Clause 8 and Annex A).

8 Operation

8.1 Operational planning and control

The organization shall plan, implement and control the records processes needed to meet the requirements and to implement the actions determined in 6.1, by:

— establishing criteria for the records processes;

— implementing control of the records processes in accordance with the criteria;

— keeping documented information to the extent necessary to have confidence that the records processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced records processes included in the scope of the MSR are controlled.

8.2 Determining records to be created

The organization shall determine what, when and how records shall be created and captured for each business process. This shall be achieved through:

— the analysis of the business process in order to determine the requirements for records creation, capture and management in relation to continuing operations, and to satisfy accountability and other interested parties' interests (see ISO/TR 26122 and ISO/TR 21946);

— the assessment of the risks that might be incurred through failure to control authentic, reliable and useable records for this business process and to protect the integrity of those records (see ISO/TR 18128).

The results of this analysis shall be documented and authorized by the top management.

8.3 Designing and implementing records processes, controls and systems

The organization shall design and implement records processes, controls and systems taking into account the records requirements in 4.1.2 and Annex A.

The records processes and controls in Annex A should be implemented, taking into account the resources of the organization and the identified risks that can be managed through the creation, capture and management of records.

The organization shall implement the records processes in records systems, manage the operation of the records systems, and establish regular monitoring of the performance of the records systems.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

The organization shall determine:

a) what needs to be monitored and measured;

b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;

c) when the monitoring and measuring shall be performed;

d) when the results from monitoring and measurement shall be analysed and evaluated.

The organization shall retain appropriate documented information as evidence of the results.

The organization shall evaluate the performance of records processes and systems and the effectiveness of the MSR.

9.2 Internal audit

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the MSR:

a) conforms to

— the organization's own requirements for its MSR;

— the requirements of this document;

b) is effectively implemented and maintained.

9.2.2 The organization shall:

a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme shall take into consideration the importance of the processes concerned and the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant management;

e) retain documented information as evidence of the implementation of the audit programme and the audit results.

9.3 Management review

Top management shall review the organization's MSR, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the MSR;

c) information on the performance of records processes and systems, including trends in:

— nonconformities and corrective actions;

— monitoring and measurement results;

— audit results;

d) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and need for changes to the MSR.

The organization shall retain documented information as evidence of the results of management reviews.

10 Improvement

10.1 Nonconformity and corrective actions

When a nonconformity occurs, the organization shall:

a) react to the nonconformity and, as applicable:

— take action to control and correct it; and

— deal with the consequences;

b) evaluate the need for action to eliminate the cause(s) of the nonconformity in order that it does not recur or occur elsewhere, by:

— reviewing the nonconformity;

— determining the causes of the nonconformity;

— determining if similar nonconformities exist, or could potentially occur;

c) implement any action needed;

d) review the effectiveness of any corrective action taken;

e) make changes to the MSR, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of:

— the nature of the nonconformities and any subsequent actions taken;

— the results of any corrective action.

10.2 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the MSR.


Annex A (normative)

Operational requirements for records processes, control and systems

Table A.1 specifies requirements for records processes, records controls and records systems. Their implementation should be applied in a scaled way to suit the characteristics of the organization. A decision not to implement any particular requirement shall be justified in writing (e.g. an organization might decide not to implement A.1.11, Migrating and converting records, because the transfer of its records to another organization is not planned).

Table A.1 — Operational requirements for records processes, control and systems

| No | Categories | Operational requirement | Old No. ISO 30301:2011 |
|---|---|---|---|
| A.1 | Records processes | | |
| A.1.1. | Creating records | Records shall be created at the time of (or soon after) the transaction or event to which they relate by individuals who have direct knowledge of the facts or by instruments routinely used by the organization to conduct the transaction. | A.1.1.3 |
| A.1.2. | Creating records | The form and structure of the information required as records for each work process shall be identified and documented. | A.1.3.1 |
| A.1.3. | Capturing records | The contextual information about records shall be added at the point of capture. | A.1.2.2 |
| A.1.4. | Capturing records | Methods of integrating the capture of records with business processes shall be decided upon and documented. | A.1.1.6 |
| A.1.5. | Capturing records | A unique identifier at the time of capture shall be implemented for work processes which require evidence of capture. | A.2.1.1 |
| A.1.6. | Capturing records | When a record supersedes an existing one (updating), such as some of documented information, the new version shall indicate the obsolete one and the changes made. | N/A |
| A.1.7. | Records classification and indexing | The records shall be grouped (classified) according to the work processes to which they relate. | A.2.1.2 |
| A.1.8. | Storing records | The means of maintaining/storing the records shall meet the relevant standards for the medium and technology used, in order to ensure they remain accessible and useable for as long as required. | A.2.3.2 |
| A.1.9. | Use and reuse | Digital records shall remain accessible and useable over time. | A.2.3.3 |
| A.1.10. | Use and reuse | Actions on records to be recorded in metadata shall be defined and implemented. | A.2.1.5 |
| A.1.11. | Migrating and converting records | Controlled migration of records to another organization or system shall be authorized and documented | A.2.4.3 |
| A.1.12. | Migrating and converting records | Regular conversion of records formats, including conversion from analogue to digital formats (digitization) shall be authorized and documented. | A.2.4.4 |
| A.1.13. | Migrating and converting records | During migration and conversion process originating system or format shall be retained until the process is finished and integrity and reliability of the destination format or system have been confirmed | N/A |
| A.1.14. | Disposition | Criteria to determine retention periods for records according to requirements of each working process shall be established and documented | A.1.1.4 |
| A.1.15. | Disposition | Decisions about the transfer, removal or destruction of records shall be authorized and documented. | A.2.4.2 |
| A.1.16. | Disposition | Control information (registration, identification and history metadata) about records which have been destroyed shall be retained where the nature and complexity of the business and formal accountabilities require it | A.2.4.6 |
| A.1.17. | Disposition | Records authorized for destruction shall be destroyed under appropriate supervision. The destruction shall be documented. | A.2.4.5 |
| A.2 | Records controls | | |
| A.2.1. | Metadata schemas for records | Information needed to identify the records of each work process, including identifying the area of the organization responsible for those records and the work process, shall be determined and documented. | A.1.2.1 |
| A.2.2. | Metadata schemas for records | Descriptive and control information (metadata elements) required to create and control the records for each work process shall be identified and documented. | A.2.1.4 |
| A.2.3. | Metadata schemas for records | Decisions about metadata required to identify, manage and control records shall be documented and implemented. | A.2.1.6 |
| A.2.4. | Business classification schemes | A scheme or classification to link business activities and records shall be established and documented | A.2.1.3 |
| A.2.5. | Access and permissions rules | Rules for access to records shall be established, documented and maintained for as long as the records are required. | A.2.2.1 |
| A.2.6. | Access and permissions rules | Access rules in the records systems shall be implemented by assigning access status to both records and individuals. | A.2.2.2 |
| A.2.7. | Access and permissions rules | Restrictions, including use of encryption, shall be removed after a stated period. | A.2.3.4 |
| A.2.8. | Disposition authorities | Decisions about retention and disposition of records based on business, legal and other identified requirements shall be documented in a disposition schedule. | A.1.1.5 |
| A.2.9. | Disposition Authorities | Retention and disposition schedules and actions shall be authorized and documented. | A.2.4.1 |
| A.3 | Records systems | | |
| A.3.1. | Integrity / security | The records system shall ensure the integrity/security of the records to prevent unauthorized use, modification, removal, distribution, concealment and/or destruction. | A.2.3.1 |
| A.3.2. | Technologies | Technologies for creating and capturing records shall be selected for work processes (whether automated or manual). The selection and any change of technologies shall be documented. | A.1.4.1. |
| A.3.3. | Inventory | Records systems shall be clearly identified, assigned to a responsible owner and documented in an inventory which is regularly updated. | A.2.5.1 |
| A.3.4. | Documentation | Implementation decisions on records systems shall be documented, maintained and made available to all users who need them. | A.2.5.2 |
| A.3.5. | Availability | The availability of records systems shall be ensured and documented. | A.2.5.4 |
| A.3.6. | Monitoring | Regular monitoring of the performance of records systems against business requirements and records objectives shall be implemented and documented. | A.2.5.5 |
| A.3.7. | Integrity | System malfunctions, upgrade or regular maintenance shall not affect records integrity. | A.2.5.6 |
| A.3.8. | Access | Rules for access to records systems in order to undertake system administration tasks shall be established, documented and maintained. | A.2.5.3 |

NOTE ISO 30301:2011, Annex A requirements numbered A.1.1.1 and A.1.1.2 are now included in 8.2, A.2.5.7 is deleted from Annex A.


Bibliography

[1] ISO 9001, Quality management systems — Requirements

[2] ISO 13008, Information and documentation — Digital records conversion and migration process

[3] ISO/TR 13028, Information and documentation — Implementation guidelines for digitization of records

[4] ISO 14001, Environmental management systems — Requirements with guidance for use

[5] ISO 15489‑1, Information and documentation — Records management — Part 1: Concepts and principles

[6] ISO 16175‑1, Information and documentation — Principles and functional requirements for records in electronic office environments — Part 1: Overview and statement of principles

[7] ISO 16175‑2, Information and documentation — Principles and functional requirements for records in electronic office environments — Part 2: Guidelines and functional requirements for digital records management systems

[8] ISO 1706, Information and documentation — Trusted third party repository for digital records

[9] ISO 19011, Guidelines for auditing management systems

[10] ISO 23081‑1, Information and documentation — Records management processes — Metadata for records — Part 1: Principles

[11] ISO 23081‑2, Information and documentation — Managing metadata for records — Part 2: Conceptual and implementation issues

[12] ISO/TR 26122, Information and documentation — Work process analysis for records

[13] ISO/TR 18128, Information and documentation — Risk assessment for records processes and systems

[14] ISO/TR 21946, Information and documentation — Appraisal for managing records

[15] ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
