BSI 20/30415094 DC:2020 Edition
$13.70
BS 10025. Records management. Code of practice
| Published By | Publication Date | Number of Pages |
| BSI | 2020 | 26 |
PDF Catalog
| PDF Pages | PDF Title |
|---|---|
| 1 | 30415094_Form 36.pdf |
| 3 | 30415094.pdf |
| 6 | Introduction |
| 7 | 1 Scope 2 Normative references 3 Terms and definitions 3.1 capture |
| 8 | 3.2 IT application and/or system 3.3 IT infrastructure 3.4 jurisdiction 3.5 legal entity 3.6 organization 3.7 top management 3.8 worker |
| 9 | 4 Principles of good practice for the management of records 5 Policy statements 5.1 The top management of the organization should set a clear direction and demonstrate support for, and commitment to, the management of records, and its place in the organization’s business strategy, through the issue, endorsement and maintenance of… |
| 10 | 5.2 A policy for the management of records should as a minimum specify: 5.3 The organization should set out how the policy is to be managed, including: 5.4 The organization should attach to the policy business rules for: 5.5 The policy and the attached business rules should be based on consultation with: 5.6 The policy and the attached business rules should be: |
| 11 | 5.7 The policy and the attached business rules should be kept up-to-date so that they reflect the current needs of the organization. They should be reviewed at agreed intervals, for example annually, and after major organizational or technological cha… 5.8 The organization should publish its policy so that stakeholders to whom they are accountable can see the basis on which the organization manages its records. 6 Organizational arrangements 6.1 The organization should recognize the management of records as a core corporate function, either separately or as part of a wider function that covers information security, business continuity, data protection or a combination of these and other r… 6.2 The organization should include the management of records in the risk management framework of the organization. 6.3 The organization should have a governance framework for the management of records that includes defined roles and responsibilities. 6.4 The organization should instruct workers to create, capture and manage records, as appropriate to their roles and responsibilities. These instructions should be applied to workers at all levels of the organization. |
| 12 | 6.5 The organization should embed the management of records in their project and change management processes. In particular, there should be processes in place to manage records when: 6.6 The organization should provide training to make workers aware of the organization’s policy, business rules, standards, procedures and guidelines for the management of records and to understand their personal responsibilities. 6.7 The organization should develop, maintain and implement approved plans for delivering management of records in accordance with this British Standard. They should monitor and report progress (see Clause 13). The organization should build their plan… 7 Identifying, creating and capturing records to meet an organization’s requirements 7.1 Identifying requirements for creation and capture 7.1.1 The organization should establish what records it is likely to need to create about its activities, and the risks of not having those records, considering the need to: 7.1.2 Having established its broad requirements, the organization should establish: |
| 13 | 7.1.3 The organization should determine whether any records should be subject to particular controls in order to be able to demonstrate that they: 7.1.4 Where a need has not otherwise been identified, the organization should establish criteria for what other records to capture; for example, records that are: 7.1.5 The organization should provide guidance on the management of records to be treated as ephemeral (records which are of little or no value), or which should be discarded as soon as they no longer need to be retained for the purpose for which they… 7.1.6 The organization should specify where records should be captured [for example, in a specific records system (see 8.2.1) or a particular file, folder or similar unit in a records system (see 8.2.3)]. 7.2 Creating and capturing the records it has decided should be kept 7.2.1 The organization should produce business rules covering requirements for creation and capture (see 7.1). They should be based on consultation with: 7.2.2 The business rules covering requirements for creation and capture should be: |
| 14 | 7.2.3 The organization should make its workers aware of: 7.2.4 The organization should make workers creating or capturing records aware of the need to: 7.2.5 Managers within the organization should check and monitor that workers in the areas for which they are responsible are creating, capturing and managing the agreed records of their activities and they are available for use by the organization. 7.3 Making changes to records 7.3.1 The organization should establish business rules for making changes to records and records systems (see 8.2.1). The rules should make it clear that some records are not allowed to be changed (see 7.1.3). Where changes can be made, the rules shou… 7.3.2 The business rules for changing records should be based on consultation with: 7.3.3 The business rules for changing records should be: |
| 15 | 8 Organizing records for retrieval and management 8.1 Building frameworks for effective retrieval and management 8.1.1 The organization should create, maintain and use classification schemes when organizing records that reflect the actions of the organization, its objectives, functions, activities, processes and the steps taken to achieve its objectives. Classif… 8.1.2 The organization should structure and label their records to support and enable: 8.1.3 The organization should create and maintain a records metadata schema which sets out the records’ metadata elements, descriptions of each and how they are related. 8.2 Grouping records together into manageable units 8.2.1 The organization should create and maintain records systems (or, alternatively, records series) and manage the records in them. Each records system should consist of records which have five common elements: |
| 16 | 8.2.2 Records systems should be organized and structured to: 8.2.3 Within each records system, the organization should create units in which to accumulate records that are related or need to be managed together. 8.3 Keeping track of what records are held 9 Storing and maintaining records 9.1 General recommendations for storage 9.1.1 The organization should decide the media and format in which its records are to be stored and maintained. Where an organization creates and captures records electronically, they should hold the resulting records electronically unless there is a … |
| 17 | 9.1.2 The organization should determine if there is a need to create electronic versions of physical records, typically by using scanning technologies, to provide for: 9.1.3 Where records are held in a number of different media, formats, buildings and locations, organizations should have a method to connect them, for example a unique reference code such as an employee, customer or contract number. 9.1.4 The organization should develop and maintain business continuity plans which include actions to identify, protect and recover the records that are essential to the: 9.2 Managing storage of physical records (or the IT infrastructure containing records) 9.2.1 The organization should provide storage that gives protection appropriate for the nature, contents and value of the records and IT infrastructure containing records. 9.2.2 The organization should assess and manage the potential hazards of a storage location (for example, the risk of flooding) and follow accepted standards for building construction, temperature and humidity control, and fire detection and extinguis… |
| 18 | 9.2.3 The organization should regularly monitor records to check that they are still readable. 9.2.4 The organization should determine the need to move records that are no longer required for frequent reference from current IT applications and systems or office areas to off-line and/or off-site storage. When records are moved, they should conti… 9.3 Managing IT applications and systems 9.3.1 The organization should design, develop and build IT applications and systems that they use to capture and hold records to support the : 9.3.2 The organization should put in place a strategy for the continuing maintenance of IT applications and systems to keep records intact, reliable and usable for as long as is required. The strategy should provide for updating of IT applications and… 9.3.3 The organization should assess the security risks to IT applications and systems and put appropriate safeguards in place (see Clause 10). |
| 19 | 9.3.4 The organization should keep and maintain back-up copies of IT applications and systems to support the organization’s capacity to recover from system failures and major disasters. The organization should keep back-up copies securely in a separat… 10 Managing security and controlling access 10.1 The organization should put in place arrangements for storage, handling and transmission of records that reflect accepted good practice in information security. 10.2 The organization should classify, label and manage their records to reflect their contents, value, criticality and sensitivity to unauthorized disclosure, modification and associated security risks. 10.3 Based on its security classification, the organization should apply restrictions on storage access, transfer and transmission when necessary to protect records. These should cover all types of communications and be kept up-to-date. 10.4 The organization should put in place access controls on IT infrastructure and IT applications and systems based on the nature and sensitivity of the records which include: 10.5 The organization should determine the need for and benefits of cryptography or other related techniques to protect the confidentiality and integrity of records in transit and storage. 10.6 The organization should put in place arrangements to prevent unauthorized physical access, damage and interference to buildings and IT infrastructure. This should include secure perimeters to protect areas that contain either sensitive or critica… |
| 20 | 10.7 To ensure that workers fulfil their information security responsibilities and are suitable for their roles, the organization should: 10.8 The organization should follow sound security design principles when developing and modifying IT applications and systems such that they are built to be secure and reliable. IT applications and systems should be tested throughout their life, to i… 10.9 The organization should maintain an audit trail of access to records, to a level of detail proportionate to the sensitivity and value of the records in question. 10.10 The organization should manage and maintain their IT infrastructure to mitigate risks, including the use of measures such as: 10.11 The organization should establish and maintain an approach to responding to and managing security-related concerns, incidents and events. They should log them, investigate them in a timely manner, proportionate to the sensitivity and value of th… 11 Managing retention and organizing disposal |
| 21 | 11.1 Establishing and documenting how long records need to be retained 11.1.1 The organization should produce retention schedules (or, alternatively, retention and disposal schedules) that cover the records of the whole organization. They should set out how long records are needed for: 11.1.2 Retention schedules should contain sufficient details to enable the relevant records to be easily identified and the disposal action applied to them on a routine and timely basis. 11.1.3 Retention schedules should be kept up-to-date. They should be amended if a relevant statutory provision or business need changes, to fill any identified gaps in coverage or where there is a lack of clarity in what record types fall within speci… 11.2 Organizing the disposal of redundant records 11.2.1 The organization should define and operate rules for regular and systematic disposal of their records. These should cover: |
| 22 | 11.2.2 The organization’s retention schedules (see 11.1) and business rules for disposal of records (see 11.2.1) should be based on consultation with: 11.2.3 The retention schedules and business rules for disposal should be: 11.3 Destroying redundant records and the IT infrastructure on which they are stored 11.3.1 The organization should destroy records and the IT infrastructure on which they are stored in as secure a manner as required by the level of sensitivity or confidentiality or their security classification (see 10.2). Where records or IT infrast… 11.3.2 When destruction is carried out by an external contractor, the contract should stipulate that the security and access arrangements established for the records would continue to be applied until destruction has taken place. 11.3.3 Before records are marked as destroyed, all copies and parts of an aggregated record where the parts are stored in different IT application or systems and/or locations should have been destroyed with no possibility that the records could be rec… 11.3.4 Evidence of destruction should be kept indefinitely because the previous existence of records can be useful information. The level of detail and for how long it should be kept depends on an assessment of the costs and the risks to the organizat… |
| 23 | 11.3.5 The organization should be able to provide evidence that destruction of a specified type of record of a specified age range took place in the daily course of business, in accordance with the provisions of the retention schedules and business ru… 11.4 Transferring records for permanent preservation 12 Managing an organization’s records held by another organization 12.1 Records managed on behalf of the organization 12.1.1 When the organization plans to have parts of the management of its records undertaken by another organization, it should define and document the scope of the areas covered. 12.1.2 Having established the requirements, the organization should establish that prospective organizations have the necessary skills, infrastructure and experience to deliver them as required. |
| 24 | 12.1.3 When a supplier organization has been selected that meets the organization’s requirements, the applicable records requirements should form part of the contract. 12.1.4 The organization should undertake regular checks during the term of a contract to establish that the other organization continues to manage the records appropriately and in accordance with the contractual terms and specified service levels. At … 12.2 Records produced as part of collaborative working 12.2.1 When working in partnership with another organization, sharing records or contributing to a joint project, the organization should, before starting any arrangement, agree with all parties: 12.2.2 The organization should provide workers involved in collaborative working with instructions and appropriate training. 12.2.3 The organization should apply appropriate controls to records shared with or passed to another organization so that the records continue to be managed in accordance with this British Standard. 13 Monitoring and reporting on the management of records 13.1 The organization should identify performance measures that reflect their needs for records, set out in the policy and business rules (see Clause 5), and the risks that non-compliance with this British Standard would present to the organization, i… |
| 25 | 13.2 The performance measures should include that: 13.3 The organization should evaluate the benefits of automating monitoring using monitoring, analysis and reporting tools, either within IT applications or systems or independent data analysis tools. 13.4 The organization should apply qualitative measures, for example whether guidance is being followed. These can be measured by spot checks or by interviews. 13.5 To measure improvement, baseline measures should be undertaken prior to any improvement action being undertaken, and targets for improvement agreed. 13.6 The organization’s monitoring and compliance should be based on consultation with all parts of the organization and cover the whole organization, including any of the organization’s records held by another organization (see Clause 12). 13.7 Monitoring should be undertaken on a regular basis and results reported to the person with lead responsibility for the management of records in the governance structure (see 6.3), so that risks can be assessed, and appropriate action taken. |
Related products
-
BSI 20/30410894 DC:2020 Edition
BS ISO 25518. Single-use rubber gloves for general applications. Specification Published By Publication Date Number…
-
BSI 20/30410974 DC:2020 Edition
BS EN 13286-4. Unbound and hydraulically bound mixtures – Part 4. Test methods for laboratory…
-
BSI 20/30419091 DC:2020 Edition
BS EN ISO 20257-2. Installation and equipment for liquefied natural gas. Design of floating LNG…
-
BSI 20/30412904 DC:2020 Edition
BS ISO/IEC 18181-2. Information technology. JPEG XL Image coding system – Part 2. File format…
-
BSI 20/30412509 DC:2020 Edition
BS EN ISO 1833-18. Textiles. Quantitative chemical analysis – Part 18. Mixtures of silk with…
-
BSI 21/30416095 DC:2021 Edition
BS ISO/IEC 23090-18. Information technology. Coded representation of immersive media (MPEG-I) – Part 18. Carriage…
-
BSI 20/30415624 DC:2020 Edition
BS EN 17530. Railway applications. Interior glazing for rail vehicles Published By Publication Date Number…
-
BSI 20/30427094 DC 2020
BS EN IEC 61169-67. Radio frequency connectors – Part 67. Sectional specification for series TRL…
-
BSI 20/30410794 DC:2020 Edition
BS EN 4827. Aerospace series. Hexavalent chromium free anodizing of aluminium and aluminium alloys Published…
-
BSI 20/30414064 DC:2020 Edition
BS EN IEC 63295. Specification for WB series glass beads with 50Ω impedance for RF…
-
BSI 20/30415005 DC:2020 Edition
BS EN 60404-3 Ed.3.0. Magnetic materials – Part 3. Methods of measurement of the magnetic…
-
BSI 20/30415914 DC:2020 Edition
BS IEC IEC 62906-5-7. Laser displays – Part 5-7. Measuring methods of visual quality for…
-
BSI 20/30415596 DC:2020 Edition
BS EN 351-1. Durability of wood and wood-based products. Preservative-treated solid wood – Part 1.…
-
BSI 20/30413509 DC:2020 Edition
BS EN IEC 60519-6. Safety in installations for electroheating and electromagnetic processing – Part 6.…
-
BSI 23/30445014 DC:2023 Edition
BS ISO 13315-2 Environmental management for concrete and concrete structures – Part 2. System boundary…
-
BSI 20/30400594 DC 2020
BS EN 60127-8 AMD1. Miniature fuses – Part 8. Fuse resistors with particular overcurrent protection…
-
BSI 20/30416064 DC:2020 Edition
BS EN ISO 19085-2. Woodworking machines. Safety – Part 2. Horizontal beam panel circular sawing…
-
BSI 20/30413904 DC:2020 Edition
BS EN 50059. Electrostatic hand-held spraying equipment. Safety requirements. Hand-held spraying equipment for non-ignitable coating…
-
BSI 20/30412494 DC:2020 Edition
BS EN ISO 8233. Thermoplastics valves. Torque. Test method Published By Publication Date Number of…
-
BSI 20/30415946 DC:2020 Edition
BS 0. A standard for standards. Principles of standardization Published By Publication Date Number of…
-
BSI 20/30415649 DC:2020 Edition
BS EN 17529. Data protection and privacy by design and by default Published By Publication…
-
BSI 20/30419494 DC:2020 Edition
BS ISO 19880-8 AMD 1. Gaseous hydrogen. Fuelling stations – Part 8. Fuel quality control…
-
BSI 20/30415609 DC:2020 Edition
BS EN 13329 AMD2. Laminate floor coverings. Elements with a surface layer based on aminoplastic…
-
BSI 24/30485194 DC:2024 Edition
BS EN IEC 60287-3-3 Electric cables. Calculation of the current rating – Part 3-3. Sections…
-
BSI 20/30414084 DC:2020 Edition
BS EN IEC 63296-1. Portable multimedia equipment. Determination of battery duration – Part 1. Powered…
-
BSI 20/30420094 DC 2020
BS EN 50636-2-107 AMD3. Safety of household and similar appliances – Part 2-107. Particular requirements…
-
BSI 20/30419054 DC:2020 Edition
BS EN 14825. Air conditioners, liquid chilling packages and heat pumps, with electrically driven compressors,…
-
BSI 20/30415599 DC:2020 Edition
BS EN 351-2. Durability of wood and wood-based products. Preservative-treated solid wood – Part 2.…
-
BSI 21/30416092 DC:2021 Edition
BS ISO/IEC 23090-14. Information technology. Coded representation of immersive media – Part 14. Scene Description…
-
BSI 20/30415081 DC:2020 Edition
BS EN 60947-9-2. Low-voltage switchgear and controlgear. Active arc-fault mitigation systems – Part 9-2. Optical-based…
-
BSI 20/30410949 DC:2020 Edition
BS EN 16583. Heat exchangers. Hydronic room fan coils units. Determination of the sound power…
-
BSI 20/30410943 DC:2020 Edition
BS EN 558. Industrial valves. Face-to-face and centre-to-face dimensions of metal valves for use in…
-
BSI 20/30395094 DC 2020
BS EN ISO 11806-1. Agricultural and forestry machinery. Safety requirements and testing for portable, hand-held,…
-
BSI 20/30410946 DC:2020 Edition
BS EN 203-2-4. Gas heated catering equipment – Part 2-4. Specific requirements. Fryers Published By…
-
BSI 21/30430594 DC:2021 Edition
BS EN 61951-2 AMD1. Secondary cells and batteries containing alkaline or other non acid electrolytes.…
-
BSI 20/30414092 DC:2020 Edition
BS EN IEC 60794-1-403. Optical Fibre Cables. Basic optical cable test procedures – Part 403.…
-
BSI 20/30415654 DC:2020 Edition
BS EN IEC 61754-37. Fibre optic interconnecting devices and passive components. Fibre optic connector interfaces…
