Most RIM practitioners can build a strong case for a good records management and retention policy – it can help avoid litigation, save on discovery costs, and limit the impact of a data breach. But what about using RIM as a way to elevate your company in the eyes of customers? One way to achieve this is through obtaining advanced certifications developed by the Industry Standards Organization (ISO).

The ISO develops “families” of internationally recognized standards companies can use to develop and certify their business processes. Two ISO standards that rely heavily on RIM are the ISO 9000 family on quality management and the ISO/IEC 27000 family on information security management. Both have stringent document information requirements.

Let’s start with the ISO 9001 Certification
ISO 9001, one of the more well-known ISO standards, is the only standard in the ISO 9000 family to which a company can be certified. This certification is available to any organization, regardless of size or industry, and is based on quality management principles like having a strong customer focus, top-tier management, and a business plan showing an approach and process for continual improvement.[3] Currently, there are over one million companies in over 170 countries that have achieved the ISO 9001 certification. Certification can be one of the most effective ways to alert consumers that your quality management system is consistent and products and services are good-quality.[3] This in turn brings business. So, to the millions of companies not yet 9001 certified, you may be wondering how to achieve such certification and how RIM plays into this process.

Achieving ISO 9001 Certification
To earn ISO 9001 certification, you must implement an ISO 9001 quality management system. Once you feel ready, you may select an external registrar to audit the performance of your organization. Upon earning a passing review, the registrar will issue the ISO 9001 certificate, which is good for three years. [4] Now, here’s where having a strong RIM program is beneficial, if not essential.

A Strong RIM Program Is Key to ISO 9001 Certification
For the audit, your organization will need to create, maintain, and retain certain documents to show, on paper, how its quality management system follows the ISO 9001 standards. These records must adhere to the documented information requirements of ISO 9001 clause 7.5 which outlines the following document types you must maintain:

• The scope of the quality management system (clause 4.3).
• Documented information necessary to support the operation of processes (clause 4.4). Examples include organization charts, process maps, process flow charts and/or process descriptions, procedures, work and/or test instructions, specifications, documents containing internal communications, production schedules, approved supplier lists, test, and inspection plans, quality plans, quality manuals, strategic plans, and forms.
• The quality policy (clause 5). The quality objectives (clause 6.2).[5]

Clause 7.5 also identifies the following document types that you must retain:

• Documented information to the extent necessary to have confidence that the processes are being carried out as planned (clause 4.4).
• Evidence of fitness for purpose of monitoring and measuring resources (clause 7.1.5.1).
• Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) (clause 7.1.5.2).
• Evidence of competence of person(s) doing work under the control of the organization that affects the performance and effectiveness of the QMS (clause 7.2).
• Results of the review and new requirements for the products and services (clause 8.2.3).
• Records needed to demonstrate that design and development requirements have been met (clause 8.3.2).
• Records on design and development inputs (clause 8.3.3).
• Records of the activities of design and development controls (clause 8.3.4).
• Records of design and development outputs (clause 8.3.5).
• Design and development changes, including the results of the review and the authorization of the changes and necessary actions (clause 8.3.6).
• Records of the evaluation, selection, monitoring of performance, and re‐evaluation of external providers and any and actions arising from these activities (clause 8.4.1).[5]

That is a lot of information!

So, What is the Best Way to Manage and Retain All of These Records and Documented Information?
The first step is to figure out what you have, where it’s all located, and how it should be organized. Then, catalog it in a retention schedule so you can be sure you’re retaining the necessary records for your future ISO audits. You also must track the location and retention of the documents required by Clause 7.5 in a records management system and dispose of unnecessary information (since we know too much information can be a liability). Sounds simple enough, right?

Alternatively, you can reach out to Zasio. Our team of in-house consultants can review your records to identify what you have, develop a retention schedule for you, and deliver it in Versatile Retention, our leading retention management solution. Once you have your retention schedule, you can easily apply it to your physical and electronic records using one of Zasio’s Versatile records management solutions. Then, when it’s time for your ISO 9001 audit, your information will be at your fingertips, helping ensure your company aces the documented information requirement.

Now Let’s Jump to the ISO/IEC 27001 Certification
While ISO 9001 concerns quality management systems, ISO 27001 is all about information security management systems (ISMS). But similar to ISO 9001, companies must build a system and show how the system was established, implemented, and the processes for maintaining and continually improving it.[6]

The ISO 27001 standard not only ensures an organization has an ISMS, but through its requirements, it also certifies that companies are compliant with applicable laws and regulations.[8] Information security concerns every organization, so keeping up with ISO 27001 requirements is a great way to help stay compliant with current regulations. Further, should you ever face an information security incident, ISO 27001 certification can help demonstrate due diligence regarding regulatory compliance.

What Kind of Information Security Requirements are in the ISO 27001 Standard?
Information security requirements may vary depending on your industry but in general, the information security requirements you can expect to see include:

• A.18.1.1. – Identification of Applicable Legislation and Contractual Requirements.
• A.18.1.2 – Intellectual Property Rights.
• A.18.1.3 – Protection of Records.
• A.18.1.4 – Privacy and Protection of Personally Identifiable Information (PII).
• A.18.1.5 – Regulation of Cryptographic Controls.[8]

The ISO 27001 Audit Process
So how do you prove ISO 27001 compliance during a certification audit? ISO/IEC 27001:2013 (the most recent revision) has a documented information clause that is very similar to ISO 9001’s clause 7.5. Accordingly, clause 7.5’s process for document retention applies here as well.

Conclusion
Becoming ISO 9000 certified for quality management or ISO 27001 certified for information security is a great way to ensure your company is performing to the highest level of standards and regulatory compliance. It also shows customers your company is a trusted business partner. Plus, it’s a perfect excuse to review your company’s information and strengthen your RIM program which provides more benefits than just ISO certification. Just about all cybersecurity frameworks—such as NIST, CSA-CCM, SOC 2 Type II, and COBIT—require records retention, so a strong RIM program will help your organization achieve maturity in those standards, as well.

[1] https://techjury.net/blog/how-much-data-is-created-every-day/#gref
[2] https://www.ibm.com/security/data-breach
[3] https://www.iso.org/iso-9001-quality-management.html 
[4] https://the9000store.com/what-are-iso-9000-standards/what-is-iso-9001/
[5] https://www.iso.org/files/live/sites/isoorg/files/archive/pdf/en/documented_information.pdf
[6] https://www.iso.org/standard/54534.html
[7] https://www.standardfusion.com/blog/iso-27001-18-1-1-satisfy-legal-regulatory-contractual-requirements/
[8] https://www.isms.online/iso-27001/annex-a-18-compliance/
[9] https://www.isms.online/iso-27001/determining-the-scope-for-your-isms/

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post ISO Compliance and Cybersecurity Reporting – Yet Another Way to Strengthen Your Records and Information Management Program appeared first on Zasio.

If you’re new to records and document management, the two ideas might seem interchangeable. After all, what is the difference between a “record” and a “document?” Moreover, if you’re tasked with selecting software to address one or both concerns, you might be overwhelmed with the amount of information available for each process. Big surprise: these are two very different realms of dealing with information.

Let’s explore the difference between records management vs document management. This is especially important if you’re looking for software to meet business needs to clarify which features you might be looking for (it might even be both)! The distinction between document and records management revolve around their objectives, the type of documents/records involved, and the way personnel at a business handles them.

Document Management

Document management involves the “living” documents your organization uses during each business day. It would be tough to run a business without the data you produce from regular business processes and daily employee communication.

Document management, much like records management, can involve physical or electronic files. The focus in document management, though, is to improve workflow and efficiency and to provide a central repository to access the documents with which you need to work. You need to be able to “check out” a document, make necessary edits, submit it back into your document management system, and make it available for other employees. These documents will likely be touched by many people over their lifecycle to provide information to get their jobs done. In summary, documents in a document management system are regularly accessed by people in the organization to perform their duties and ensure the latest, most significant information is available to those that require it.

Records Management

Most records in a records keeping software are comprised of historical records that won’t be altered. Records management is more concerned with legal compliance. That is, it’s crucial that these records comply with laws and regulations that affect the required retention schedule and handling of records. Records management programs and the records managers that maintain them establish policies and procedures that guide the lifecycle of records. From creation to disposition, records management ensures the lifecycle of records are on the right track, and this leads to peace of mind for those in the organization.

Records management typically involves creating a records inventory, researching laws that affect those records and following established retention periods. Ensuring an audit trail is in place and managing the disposal of documents when the time comes are all in the job description. Records management is a must in all organizations, and a well-defined records management program protects an organization from potential penalties, costly e-discovery, and failed audits.

Records Management vs Document Management Conclusion

While document management and records management share some similarities, they are also very different beasts. Document management involves workflow, and documents in a document management system will be shared and evolve until they are classified as historical records.

Records management, on the other hand, deals mostly with historical records that don’t typically change and instead serve as evidence that specific actions have taken place. Records management is all about compliance with laws and regulations and is concerned with the classification of records, so your organization adheres to retention periods. Both document and record management are crucial to the efficiency of a well-run business, but in different ways and with different purposes.

Disclaimer: The purpose of this post is to provide general education on Information Governance software topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Records Management vs. Document Management appeared first on Zasio.