RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Sender: Records Management Program <[log in to unmask]>
From: Patrick Cunningham <[log in to unmask]>
Date: Sun, 18 Sep 2016 14:01:09 -0500
Reply-To: Records Management Program <[log in to unmask]>

I was sort of thinking along those lines and looking to see if I had a copy
of ISO 27001 around (I don't). I know that trying to be compliant with ISO
27001 means writing several hundred control statements in order to map all
the requirements. So, arguably, a records management prescriptive standard
could have similar volume. That said, one of the challenges of auditing
records management programs is building the control statements that need to
be audited. You can go very high level like the Principles, but that
doesn't get down to what individual users are actually doing and whether or
not the organization is truly managing information well.

Ultimately, I think you can get to a pared down Standard that has enough
meat to be worthwhile, but that will be a very hard path. The cultural
issues will be difficult, and trying to address archival appraisal will be
equally difficult. If you look at most corporate records policies, they
seldom have a meaningful provision for archival retention -- many are
written assuming that all records have a retention period and there are no
permanent records or records that might be subjectively appraised for long
term value. Throw in electronic records and I can picture the fist fights
already. How do you write a standard that deals effectively with
dynamically evolving enterprise databases, data warehouses, and "data
lakes" (never mind email)?

I think another consideration is that records management has had (in some
countries) a somewhat robust regulatory environment. These regulations
typically are limited to requirements to retain certain records, although
when you get to government records, the regulations are much more
prescriptive. (But as we have seen with the former Secretary of State, even
those regulations were not written -- or enforced -- well enough to prevent
the email fiasco.) Trying to overlay government regulations in hundreds of
jurisdictions with an international standard would be formidable -- and
likely create all sorts of contradictions. Information Security (which is
the focus of ISO 27001) has tended to be less regulated, so an
international standard was somewhat easier to formulate.

I think the fact that the new version of ISO 15489 is not prescriptive is
indicative of the difficulty in getting agreement on the language. I think
the standard probably gets a little better with each iteration, but until
there is a demand for something more prescriptive, I doubt one will be
developed. And, perhaps somewhat cynically, there is not the burning
platform that you see in the information security world that can be
associated with records management on a global scale. Without that burning
platform, the likelihood of concerted effort towards a prescriptive
standard is unlikely.

Patrick Cunningham, CISM, FAI
