ISO 30302:2015
Information and documentation - Management systems for records - Guidelines for implementation
ISO 30302:2015 gives guidance for the implementation of a MSR in accordance with ISO 30301. This International Standard is intended to be used in conjunction with ISO 30300 and ISO 30301. This International Standard does not modify and/or reduce the requirements specified in ISO 30301. It describes the activities to be undertaken when designing and implementing a MSR. ISO 30302:2015 is intended to be used by any organization implementing a MSR. It is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes.
Information and documentation — Management system for records — Guidelines for implementation
ISO 30302:2015 provides guidelines for implementing a management system for records (MSR) conforming to ISO 30301. This International Standard is intended to be used in conjunction with ISO 30300 and ISO 30301. This International Standard does not modify and/or restrict the requirements specified in ISO 30301. It describes the activities to be undertaken to design and implement an MSR. ISO 30302:2015 is intended to be used by any organization implementing an MSR. It is applicable to all types of organization (for example: commercial enterprises, public bodies, non-profit organizations) of all sizes.
Information and documentation - Management systems for records - Guidelines for implementation
This International Standard gives guidance for the implementation of management systems for records in accordance with ISO 30301. This International Standard is to be used in conjunction with ISO 30300 and ISO 30301. This International Standard does not modify and/or reduce any of the requirements given in ISO 30301. It describes the activities to be carried out when designing and implementing a management system for records.
This International Standard is intended for organizations implementing a management system for records. It applies to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes.
Frequently Asked Questions
ISO 30302:2015 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information and documentation - Management systems for records - Guidelines for implementation". This standard covers: ISO 30302:2015 gives guidance for the implementation of a MSR in accordance with ISO 30301. This International Standard is intended to be used in conjunction with ISO 30300 and ISO 30301. This International Standard does not modify and/or reduce the requirements specified in ISO 30301. It describes the activities to be undertaken when designing and implementing a MSR. ISO 30302:2015 is intended to be used by any organization implementing a MSR. It is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of all sizes.
ISO 30302:2015 is classified under the following ICS (International Classification for Standards) categories: 01.140.20 - Information sciences. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO 30302:2015 has the following relationships with other standards: it has an inter-standard link to ISO 30302:2022. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
SLOVENIAN STANDARD
01 February 2017
Information and documentation - Management systems for records - Guidelines for implementation
This Slovenian standard is identical to: ISO 30302:2015
ICS:
01.140.20 Information sciences
03.100.70 Management systems
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
INTERNATIONAL STANDARD ISO 30302
First edition
2015-09-15
Information and documentation — Management systems for records — Guidelines for implementation
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Business, legal and other requirements
4.3 Defining the scope of the MSR
5 Leadership
5.1 Management commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
5.3.1 General
5.3.2 Management responsibilities
5.3.3 Operational responsibilities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Records objectives and plans to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness and training
7.4 Communication
7.5 Documentation
7.5.1 General
7.5.2 Control of documentation
8 Operation
8.1 Operational planning and control
8.2 Design of records processes
8.3 Implementation of records systems
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 Determining what and how to monitor, measure, analyse and evaluate
9.1.2 Evaluation of the performance of records processes, systems and the effectiveness of the MSR
9.1.3 Assessing effectiveness
9.2 Internal system audit
9.3 Management review
10 Improvement
10.1 Nonconformity control and corrective actions
10.2 Continual improvement
Annex A (informative) Examples of sources of information and requirements supporting the analysis of organizational context
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
Introduction
ISO 30302 is part of a series of International Standards, under the general title Information and
documentation — Management systems for records:
— ISO 30300, Information and documentation — Management systems for records — Fundamentals
and vocabulary
— ISO 30301, Information and documentation — Management systems for records — Requirements
— ISO 30302, Information and documentation — Management systems for records — Guidelines for
implementation
ISO 30300 specifies the terminology for the Management systems for records (MSR) series of standards
and the objectives and benefits of a MSR; ISO 30301 specifies the requirements for a MSR where an
organization needs to demonstrate its ability to create and control records from its business activities
for as long as they are required; ISO 30302 provides guidance for the implementation of a MSR.
The purpose of this International Standard is to provide practical guidance on how to implement a
management system for records (MSR) within an organization in accordance with ISO 30301. This
International Standard covers what is needed to establish and maintain a MSR.
The implementation of a MSR is generally executed as a project. A MSR can be implemented in
organizations with existing records systems or programmes to review and improve the management
of those systems or programmes or in organizations planning to implement a systematic and verifiable
approach to records creation and control for the first time. Guidance described in this International
Standard can be used in both situations.
It is assumed that organizations that decide to implement a MSR have made a preliminary assessment of
their existing records and records systems and have identified risks to be addressed and opportunities
for major improvements. For example, the decision to implement a MSR can be taken as a risk-reduction
measure for undertaking a major information technology platform change or outsourcing business
processes identified as high risk. Alternatively, the MSR can provide a standardized management
framework for major improvements such as integrating records processes with specific business
processes or improving control and management of records of online transactions or business use of
social media.
The use of this guidance is necessarily flexible. It depends on the size, nature and complexity of the
organization and the level of maturity of the MSR if one is already in place. Each organization’s context
and complexity is unique and its specific contextual requirements will drive the MSR implementation.
Smaller organizations will find that the activities described in this International Standard can be
simplified. Large or complex organizations might find that a layered management system is needed to
implement and manage the activities in this International Standard effectively.
Guidance in this International Standard follows the same structure as ISO 30301, describing the
activities to be undertaken to meet the requirements of ISO 30301 and how to document those activities.
Clause 4 deals with how to perform the analysis needed to implement a MSR. From this analysis, the
scope of the MSR is defined and the relationship between implementing a MSR and other management
systems is identified.
Clause 5 explains how to gain the commitment of top management. The commitment is expressed in a
records policy, the assignment of responsibilities, planning the implementation of the MSR and adopting
records objectives.
Clause 6 deals with planning, which is informed by high-level risk analysis, the contextual analysis (see
Clause 4), and the resources available (see Clause 7). Clause 7 outlines the support needed for the MSR,
such as resources, competence, training and communication, and documentation.
Clause 8 deals with defining or reviewing and planning the records processes to be implemented. It
draws on the contextual requirements and scope (see Clause 4) and is based on the records policy
(see 5.2), the risk analysis (see 6.1) and resources needed (see 7.1) to meet the records objectives
(see 6.2) in the planned implementation. Clause 8 explains what records processes and systems need to
be implemented for a MSR.
Clauses 9 and 10 deal with performance evaluation and improvement against planning, objectives and
requirements defined in ISO 30301.
For each of ISO 30301:2011, Clauses 4 to 10, this International Standard provides the following:
a) the activities necessary to meet the requirements of ISO 30301 – activities can be done sequentially,
while some will need to be done simultaneously using the same contextual analysis;
b) inputs to the activities – these are the starting points and can be outputs from previous activities;
c) outputs of the activities – these are the results or deliverables on completion of the activities.
This International Standard is intended to be used by those responsible for leading the implementation
and maintenance of the MSR. It can also help top management in making decisions on the establishment,
scope and implementation of management systems in their organization. It is to be used by people
responsible for leading the implementation and maintenance of the MSR. The concepts of how to
design the operational records processes are based on the principles established by ISO 15489-1. Other
International Standards and Technical Reports developed by ISO/TC 46/SC 11 are the principal tools
for designing, implementing, monitoring and improving records processes, controls and systems, and
can be used in conjunction with this International Standard for implementing the detailed operational
elements of the MSR.
Organizations that have already implemented ISO 15489-1 can use this International Standard to
develop an organizational infrastructure for managing records under the systematic and verifiable
approach of the MSR.
INTERNATIONAL STANDARD ISO 30302:2015(E)
Information and documentation — Management systems
for records — Guidelines for implementation
1 Scope
This International Standard gives guidance for the implementation of a MSR in accordance with
ISO 30301. This International Standard is intended to be used in conjunction with ISO 30300 and
ISO 30301. This International Standard does not modify and/or reduce the requirements specified in
ISO 30301. It describes the activities to be undertaken when designing and implementing a MSR.
This International Standard is intended to be used by any organization implementing a MSR. It is
applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit
organizations) of all sizes.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300, Information and documentation — Management systems for records — Fundamentals and
vocabulary
ISO 30301:2011, Information and documentation — Management systems for records — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300 apply.
4 Context of the organization
4.1 Understanding of the organization and its context
The context of the organization should determine and drive the implementation and improvement of
a MSR. The requirements of this Clause are intended to ensure the organization has considered its
context and needs as part of the implementation of a MSR. These requirements are met by analysing
the organization’s context. This analysis should be performed as the first step of the implementation to
a) identify internal and external factors (see 4.1),
b) identify business, legal and other requirements (see 4.2), and
c) define the scope of the MSR (see 4.3) and identify risks (see Clause 6).
NOTE 1 When the scope of the MSR is stated by top management at the starting point, before identifying
factors and the need for records, the extent of the contextual analysis is defined by the scope as stated.
NOTE 2 This MSS approach for context analysis and identification of requirements is compatible with the
analysis process (appraisal) proposed by ISO 15489-1 which also includes elements of planning (see Clause 6)
and identification of needs of records (see Clause 8).
Contextual information needs to be from a reliable source, accurate, up to date and complete. Regular
review of the sources of this information ensures the accuracy and reliability of the contextual analysis.
A.1 provides examples of sources of information about the organization’s internal and external context
and examples of potential stakeholders.
In identifying how the context affects the MSR, examples of important factors can be
1) how a competitive market affects the need to demonstrate efficient processes,
2) how external stakeholders’ values or perceptions affect records retention decisions or information
access decisions,
3) how the information technology infrastructure and information architecture can affect the
availability of records systems or records,
4) how the skills and competencies within the organization can affect the need for training or
external assistance,
5) how legislative instruments, policies, standards and codes affect the design of records processes
and controls,
6) how the organizational culture can affect compliance with the requirements of the MSR, and
7) how the complexity of the organization’s structure, business and legislative environment will affect
records policy, processes and controls (e.g. in a multi-jurisdictional environment).
Depending on the organization, the identification of internal and external factors may have been
performed for other purposes, including the implementation of other management system standards.
In such cases, a new analysis may not be needed and an adaptation will suffice.
The contextual analysis is a continual process. It informs the establishment and systematic evaluation
of the MSR (see Clause 9) and supports the cycle of continuous improvement (see Clause 10).
Output
Documented evidence that the analysis has been undertaken is a requirement of ISO 30301. Examples
are as follows:
— a list of internal and external factors to take into account;
— a chapter in a manual or project plan for implementing a MSR;
— a formal report on the analysis of the organization’s internal and external context and how it affects
and is affected by the MSR;
— a series of documents about the context of the organization.
4.2 Business, legal and other requirements
Using the result of the analysis described in 4.1 as the starting point, the legal, business and other
requirements are assessed in relation to the business activities and documented. The business
activities are the first elements that are analysed to identify the requirements that affect records
creation and control.
Identifying business requirements should take the following into account:
a) the nature of the activities of the organization (e.g. mining, financial advice, providing public
services, manufacturing, pharmaceutical, personal services, non-profit, community services);
b) the particular form or ownership of the organization (e.g. a trust, company or government
organization);
c) the particular sector to which the organization belongs (i.e. public or private sector, non-profit);
d) the jurisdiction(s) in which the organization operates.
Business requirements should be identified from the performance of current business processes and
also from the perspective of future planning and development. Special attention is needed when the
organization is implementing automated or digital business processes. In these cases, requirements can
change and need to be discussed with the people responsible for the development and implementation
of the proposed new processes.
Activities to determine all the mandatory legal and regulatory instruments applicable to the
organization include the following:
1) reviewing compliance requirements for sector-related legislation;
2) reviewing compliance for privacy and other records/data management legislation.
A.2 provides examples of the business, legal and other requirements relating to the creation and control
of records and for sources of expert assistance in identifying business, legal and other requirements.
Output
Documentation of the identification of the business, legal and other requirements is mandatory in order
to comply with ISO 30301. Requirements can be documented all together or in separate documents by
type of requirement. Examples of the kind of documentation are as follows:
— a list of requirements identified by type (e.g. business, legislative);
— a chapter in a manual or project plan for implementing a MSR;
— a formal report on identification of requirements for the MSR;
— a list of all laws and other codified regulatory or mandatory instruments that apply to the
organization relating to the creation and control of records;
— a Precedents Profile (a set of legal precedents on particular subject matters relevant to the
organization).
4.3 Defining the scope of the MSR
The scope of the MSR is a decision made by top management and clearly outlines the boundaries,
inclusions, exclusions, roles and relationships of the component parts of the MSR.
The scope can be defined as a result of the contextual analysis, taking into account identified factors
(see 4.1) and requirements (see 4.2) but also can be stated by top management from the starting point
before identifying factors and requirements.
The scope includes the following:
a) identification of what parts or functions of the organization are included. It can be the whole
organization, an area or department, a specific function or business process or a group of them;
b) identification of what parts or functions of other (related) organizations are included and the
relationships between them;
c) description of how the MSR integrates with the overall management system and with other
specific management systems implemented by the organization (e.g. ISO 9000, ISO 14000 and
ISO/IEC 27000);
d) identification of any processes that affect the MSR that are outsourced and the controls for the
entities responsible for the outsourced process.
Output
A documented statement defining the scope of the MSR is a requirement of the MSR. This statement can
be a single document or be included in other MSR documents such as the records policy (see 5.2) or in
manuals or project plans to implement the MSR.
5 Leadership
5.1 Management commitment
The commitment of top management to implementing the MSR is stated as explicitly and at the same
level of detail as for any other management systems implemented by the organization and as for its
other assets, e.g. human resources, finances and infrastructure. The requirement to demonstrate top
management commitment does not require a specific activity to be performed but is essential for
the success of the MSR. Commitment is also implicit in other requirements of ISO 30301 relating to
resources (see 7.1), communication (see 7.4) and management review (see 9.3).
Output
It is not mandatory to document top management’s commitment to the MSR, except in the records
policy (see 5.2), which can be considered as evidence of that commitment. Commitment can also be
demonstrated by actions or statements but depending on the nature and complexity of the organization,
evidence of commitment should be documented in addition to the records policy. Examples can be
found in the following:
— minutes of Boards of Directors or Boards of Management;
— statements in strategic and business plans;
— management resolutions and directives;
— budgets, business cases;
— communication plans.
5.2 Policy
The strategic direction of the organization, as defined by top management, is the basis for the records
policy. The records policy is established by top management as the driver for implementing and improving
an organization’s MSR and providing the benchmark for assessing the performance of the MSR.
Directions from top management need to be stated in a formal document. The document is not
normally drafted by top management but requires top management’s formal approval, independent of
the authors. Depending on the organization, top management can be identified by different positions
but the records policy should be endorsed by the person in the position recognized as the most senior.
The records policy contains the overall direction on how records creation and control meet the
organizational goals and provides the principles for action. It can be integrated into an overarching
management policy where more than one management system standard is implemented. In this case,
the records policy does not require separate management endorsement.
Inputs to the records policy include the following:
a) analysis of the organizational context and identification of the requirements (see 4.1 to 4.2);
b) organizational goals and strategies;
c) influence of, or relationship of the policy to other organizational policies;
d) scope of the MSR (see 4.3);
e) organizational structure and delegations.
The records policy is a statement of intent and includes, for example,
1) purpose,
2) high-level directions for the creation and control of records,
3) high-level responsibilities or commitment for the creation and control of records,
4) indication of how the policy is to be implemented, and
5) definitions.
The records policy should be drafted in a form that all people affected by the MSR can readily
understand. In the implementation of records processes and systems, some technical documents
including decisions are called policies. When implementing ISO 30301, the records policy should be
a unique and short document, a declaration from top management, that does not include a description of
objectives, actions or records processes.
To communicate records policy, the organization can use the methods in 7.4.
Output
An authorized records policy is required as a formal document when implementing a MSR. This formal
document should be controlled and distributed throughout the organization. The records policy is the
overarching document for all other documents developed for the implementation of a MSR.
5.3 Organizational roles, responsibilities and authorities
5.3.1 General
MSR responsibilities and authorities are defined and assigned to appropriate roles. They are
communicated at all levels of the organization so that it is clear who is responsible for taking the
necessary action for the design, implementation and maintenance of the MSR. Apart from the formal
appointment of the management and operational representatives outlined in the following clauses, to
implement a MSR, top management should assign responsibilities for
a) policy development and approval,
b) resource allocation,
c) development of procedures and processes and their approvals,
d) systems design,
e) training and guidance,
f) implementation and maintenance of policy, procedures and processes,
g) audit/monitoring of compliance, and
h) performance management.
These responsibilities can be assigned to different roles in the organization. The following statements
can be used as guidelines for the assignment of responsibilities.
1) Top management is responsible for authorizing and supporting the application of the records policy
throughout the organization.
2) Leadership responsibility and accountability for the MSR is assigned to (a specific role) within
top management.
3) Business unit managers are responsible for ensuring that employees in their units create and
manage records in accordance with the records policy.
4) Records professionals are responsible for the design of records processes and controls, the
implementation and maintenance of records systems, and for training of persons in records
processes and controls and in the use of records systems, as they affect individual practices.
5) Systems administrators are responsible for ensuring that records systems are reliable, secure,
compliant, comprehensive and manage records in a systematic manner, including during
migration and changes.
6) Information technology employees are responsible for implementing and maintaining the
technological aspects required for managing records on a continuous and reliable basis including
the migration of systems when needed.
7) All employees are responsible and accountable for creating and managing records of their
activities according to the records policy, through use of the organization’s records systems,
processes and controls.
Requirements in this Clause are closely related to requirements in 7.2 and 7.3 and should be implemented
at the same time.
Output
Assignment of responsibilities is part of the documented information required when implementing a
MSR. It can be documented in different forms. The following are some examples:
— high-level responsibilities reflected in the records policy (see 5.2);
— documentation of the appointment of the management representative and the operational
representative;
— job descriptions or similar statements;
— formal delegations of responsibilities;
— a chapter in a manual or project plan relating to responsibilities for implementing a MSR.
5.3.2 Management responsibilities
The role and responsibilities of the management representative are assigned and clearly defined.
This role has overall responsibility for leading the implementation and maintenance of the MSR. The
management representative should be part of the top management of the organization. Depending on
the complexity of the organization and the MSR to be implemented, leadership should be complemented
by an operational representative (as defined in 5.3.3).
Responsibilities of the top management representative should include the following:
a) approving the formal documentation of planning, design, maintenance and evaluation of the MSR
and MSR projects, where required;
b) approving the allocation of resources necessary to implement and maintain the MSR;
c) approving the assignment of one or more roles to implement and maintain the MSR. Roles can be
assigned to a specific position or to a designated group as appropriate to the complexity and size of
the organization;
d) promoting compliant MSR behaviour through methods such as communication (see 7.4) and
employee participation, empowerment, motivation, recognition and rewards;
e) defining competencies required for persons (employees or contractors) assigned roles in
implementing and maintaining the MSR.
The scope, nature and documentation of responsibilities are outlined in 5.3.1.
Output
— As for 5.3.1.
5.3.3 Operational responsibilities
An operational representative is assigned responsibility for designing and directing the activities
required for the operational implementation of, and reporting to top management on the MSR. The
operational representative can be an employee or a contractor.
The operational representative should have specific records competencies as defined in 7.2.
The scope, nature and documentation of responsibilities are outlined in 5.3.1.
Tasks to be directed by the operational representative are based mainly on those identified in
ISO 30301:2011, Clause 8 and Annex A.
An operational representative can coordinate the activities of one or more MSR teams to implement
and maintain the MSR at the operational level and undertake performance improvements.
The operational representative should provide reports, with supporting documentation, to top
management or the management representative on the implementation and effectiveness of the MSR
and recommendations for process-related improvements. Reports can be delivered at regular scheduled
intervals, or stages, according to the organization’s requirements. Reports are records and should be
managed in accordance with the records processes and controls in ISO 30301:2011, Annex A.
Liaison with external parties on MSR matters is also part of the operational representative’s
responsibilities. It can include, but is not limited to
a) seeking advice from legal and regulatory experts,
b) complying with the requirements or directions of audit and quality control specialists,
c) directing and negotiating with suppliers of products or services (e.g. software suppliers,
implementation consultants), and
d) acquiring additional skills and assistance from human resources or information technology
contractors.
The roles of the management representative and operational representative can be performed by the
same person or group depending on the complexity and size of the organization and the scope of the MSR.
Output
— As for 5.3.1.
6 Planning
6.1 Actions to address risks and opportunities
This Clause focuses on planning around the strategic risks associated with ensuring the MSR achieves
its intended outcome. Successful implementation of a MSR requires risks to be identified, analysed
and evaluated as part of planning for the MSR implementation. The analysis of factors (see 4.1) and
requirements (see 4.2) should be completed in conjunction with a risk assessment. This is used to
define the records objectives (see 6.2) and identify what actions are needed to achieve those objectives.
These actions are incorporated into MSR processes (see Clause 8).
Establishing a MSR assists organizations to manage the effect of uncertainty on their business objectives.
Failing to create and keep adequate records can create business uncertainty and have a negative
impact on the ability to achieve organizational objectives. Establishing a MSR assists organizations
in managing that uncertainty and impact. In this sense, a MSR is a risk treatment. The strategic
opportunities associated with a MSR can be considered as the positives or the strengths underpinning
the implementation of the management system. These may be associated with increasing organizational
transparency and accountability, improving business processes, cost effectiveness and efficiency, and
strengthening stakeholder and client relationships. A MSR may provide the opportunity to correct
areas of weakness in practices and protect against business threats brought about by changes to the
external operating environment or context. Identification, analysis and evaluation of these kinds of risks
and opportunities are normally done before the decision to implement a MSR as part of a general risk
management framework.
When implementing a MSR, uncertainties in regard to achieving objectives need to be identified as
risks. This risk assessment can also provide opportunities to improve business processes and have a
positive influence on business objectives. The purpose of the requirements in this Clause is to address
the assessment of those risks and opportunities relating to the objectives of a MSR. This is part of the
planning of the MSR. Organizations can decide what kind of risk management methodology they are
going to use and how the actions to mitigate risks are identified and put in place.
In addition, there are also risks related to the records themselves and the records systems in which they
reside. These are operational risks, and as such, should be assessed during operational planning (see 8.1).
Depending on the nature of the risks and opportunities, different types and levels of treatments and
actions are needed. The key determining factor is whether the risks and opportunities are related to
objectives of the MSR or operational in nature. While the requirements for both are in different clauses
of ISO 30301, they can be addressed as a single activity.
Where an organization has established a formal risk management framework, planning for the MSR
should be included in the risk identification, analysis and evaluation process of that framework.
Areas of uncertainty which could pose risks need to be considered in the strategic planning for a MSR.
They can include the following:
a) contextual change, such as legal and regulatory change, change to the economic or political
environment, structural change;
b) systems and processes involved in creating and controlling evidence to support the organization’s
achievement of its mission and goals;
c) human resources and skills to implement and maintain the MSR;
d) budgetary or financial implications and changes;
e) measurement and evaluation of achievement of policies, objectives and strategies;
f) relationships with other management systems already implemented.
Identification of strategic risks and opportunities and formulating records objectives can be mutually
influential. Therefore, this is not to be treated as a linear sequence of actions.
The identification of risk at this level should be linked to the MSR in general, or to a specific objective.
For example, risks related to “human resources and skills” mentioned above as an area of uncertainty
may be related to the MSR itself or to a records objective.
With the MSR itself, a risk may be that managers misunderstand the management system’s purpose and
its potential impact on business processes and objectives and just focus on the certification processes
associated with MSR implementation.
For example, if a records objective states the need for a specific system for capturing electronic
records in customer-related processes, a risk is that employees will be resistant to change and will
use alternative technologies (e.g. keeping records of business decisions in email applications instead of
using the designated system for keeping those records).
Actions to address risks and opportunities are specific for each organization. They are also specific to
each risk or opportunity identified. They should be included in actions to achieve objectives and in the
design of records processes.
Output
There is no specific requirement to document this aspect of the planning process. The risk approach
can be included in plans to achieve objectives (see 6.2) or be documented as a separate part of the
planning. Examples are
— any output of applying risk assessment tools (IEC 31010, Annex B includes a range of such tools and
ISO/TR 18128 includes some examples), and
— documentation of actions to be taken to address risks and opportunities.
6.2 Records objectives and plans to achieve them
Objectives of the implementation of a MSR, or records objectives, are defined according to the
organization’s context, requirements and priorities. The actions to achieve them are identified and
the objectives and plan are communicated throughout the organization in accordance with the
scope of the MSR.
Inputs to the definition of the records objectives include
a) the analysis of the organization’s context and identification of requirements (see Clause 4),
b) the records policy (see 5.2),
c
...
INTERNATIONAL STANDARD ISO 30302
First edition 2015-09-15
Information and documentation — Management systems for records — Guidelines for implementation
Information et documentation — Système de gestion des documents d’activité — Lignes directrices de mise en oeuvre
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Business, legal and other requirements
4.3 Defining the scope of the MSR
5 Leadership
5.1 Management commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
5.3.1 General
5.3.2 Management responsibilities
5.3.3 Operational responsibilities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Records objectives and plans to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness and training
7.4 Communication
7.5 Documentation
7.5.1 General
7.5.2 Control of documentation
8 Operation
8.1 Operational planning and control
8.2 Design of records processes
8.3 Implementation of records systems
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 Determining what and how to monitor, measure, analyse and evaluate
9.1.2 Evaluation of the performance of records processes, systems and the effectiveness of the MSR
9.1.3 Assessing effectiveness
9.2 Internal system audit
9.3 Management review
10 Improvement
10.1 Nonconformity control and corrective actions
10.2 Continual improvement
Annex A (informative) Examples of sources of information and requirements supporting the analysis of organizational context
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
Introduction
ISO 30302 is part of a series of International Standards, under the general title Information and
documentation — Management systems for records:
— ISO 30300, Information and documentation — Management systems for records — Fundamentals
and vocabulary
— ISO 30301, Information and documentation — Management systems for records — Requirements
— ISO 30302, Information and documentation — Management systems for records — Guidelines for
implementation
ISO 30300 specifies the terminology for the Management systems for records (MSR) series of standards
and the objectives and benefits of a MSR; ISO 30301 specifies the requirements for a MSR where an
organization needs to demonstrate its ability to create and control records from its business activities
for as long as they are required; ISO 30302 provides guidance for the implementation of a MSR.
The purpose of this International Standard is to provide practical guidance on how to implement a
management system for records (MSR) within an organization in accordance with ISO 30301. This
International Standard covers what is needed to establish and maintain a MSR.
The implementation of a MSR is generally executed as a project. A MSR can be implemented in
organizations with existing records systems or programmes to review and improve the management
of those systems or programmes or in organizations planning to implement a systematic and verifiable
approach to records creation and control for the first time. Guidance described in this International
Standard can be used in both situations.
It is assumed that organizations that decide to implement a MSR have made a preliminary assessment of
their existing records and records systems and have identified risks to be addressed and opportunities
for major improvements. For example, the decision to implement a MSR can be taken as a risk-reduction
measure for undertaking a major information technology platform change or outsourcing business
processes identified as high risk. Alternatively, the MSR can provide a standardized management
framework for major improvements such as integrating records processes with specific business
processes or improving control and management of records of online transactions or business use of
social media.
The use of this guidance is necessarily flexible. It depends on the size, nature and complexity of the
organization and the level of maturity of the MSR if one is already in place. Each organization’s context
and complexity is unique and its specific contextual requirements will drive the MSR implementation.
Smaller organizations will find that the activities described in this International Standard can be
simplified. Large or complex organizations might find that a layered management system is needed to
implement and manage the activities in this International Standard effectively.
Guidance in this International Standard follows the same structure as ISO 30301, describing the
activities to be undertaken to meet the requirements of ISO 30301 and how to document those activities.
Clause 4 deals with how to perform the analysis needed to implement a MSR. From this analysis, the
scope of the MSR is defined and the relationship between implementing a MSR and other management
systems is identified.
Clause 5 explains how to gain the commitment of top management. The commitment is expressed in a
records policy, the assignment of responsibilities, planning the implementation of the MSR and adopting
records objectives.
Clause 6 deals with planning, which is informed by high-level risk analysis, the contextual analysis (see
Clause 4), and the resources available (see Clause 7). Clause 7 outlines the support needed for the MSR,
such as resources, competence, training and communication, and documentation.
Clause 8 deals with defining or reviewing and planning the records processes to be implemented. It
draws on the contextual requirements and scope (see Clause 4) and is based on the records policy
(see 5.2), the risk analysis (see 6.1) and resources needed (see 7.1) to meet the records objectives
(see 6.2) in the planned implementation. Clause 8 explains what records processes and systems need to
be implemented for a MSR.
Clauses 9 and 10 deal with performance evaluation and improvement against planning, objectives and
requirements defined in ISO 30301.
For each of ISO 30301:2011, Clauses 4 to 10, this International Standard provides the following:
a) the activities necessary to meet the requirements of ISO 30301 – activities can be done sequentially,
while some will need to be done simultaneously using the same contextual analysis;
b) inputs to the activities – these are the starting points and can be outputs from previous activities;
c) outputs of the activities – these are the results or deliverables on completion of the activities.
This International Standard is intended to be used by those responsible for leading the implementation
and maintenance of the MSR. It can also help top management in making decisions on the establishment,
scope and implementation of management systems in their organization. It is to be used by people
responsible for leading the implementation and maintenance of the MSR. The concepts of how to
design the operational records processes are based on the principles established by ISO 15489-1. Other
International Standards and Technical Reports developed by ISO/TC 46/SC 11 are the principal tools
for designing, implementing, monitoring and improving records processes, controls and systems, and
can be used in conjunction with this International Standard for implementing the detailed operational
elements of the MSR.
Organizations that have already implemented ISO 15489-1 can use this International Standard to
develop an organizational infrastructure for managing records under the systematic and verifiable
approach of the MSR.
INTERNATIONAL STANDARD ISO 30302:2015(E)
Information and documentation — Management systems
for records — Guidelines for implementation
1 Scope
This International Standard gives guidance for the implementation of a MSR in accordance with
ISO 30301. This International Standard is intended to be used in conjunction with ISO 30300 and
ISO 30301. This International Standard does not modify and/or reduce the requirements specified in
ISO 30301. It describes the activities to be undertaken when designing and implementing a MSR.
This International Standard is intended to be used by any organization implementing a MSR. It is
applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit
organizations) of all sizes.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300, Information and documentation — Management systems for records — Fundamentals and
vocabulary
ISO 30301:2011, Information and documentation — Management systems for records — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300 apply.
4 Context of the organization
4.1 Understanding of the organization and its context
The context of the organization should determine and drive the implementation and improvement of
a MSR. The requirements of this Clause are intended to ensure the organization has considered its
context and needs as part of the implementation of a MSR. These requirements are met by analysing
the organization’s context. This analysis should be performed as the first step of the implementation to
a) identify internal and external factors (see 4.1),
b) identify business, legal and other requirements (see 4.2), and
c) define the scope of the MSR (see 4.3) and identify risks (see Clause 6).
NOTE 1 When the scope of the MSR is stated by top management at the starting point, before identifying
factors and the need for records, the extent of the contextual analysis is defined by the scope as stated.
NOTE 2 This MSS approach for context analysis and identification of requirements is compatible with the
analysis process (appraisal) proposed by ISO 15489-1 which also includes elements of planning (see Clause 6)
and identification of needs of records (see Clause 8).
Contextual information needs to be from a reliable source, accurate, up to date and complete. Regular
review of the sources of this information ensures the accuracy and reliability of the contextual analysis.
A.1 provides examples of sources of information about the organization’s internal and external context
and examples of potential stakeholders.
In identifying how the context affects the MSR, examples of important factors can be
1) how a competitive market affects the need to demonstrate efficient processes,
2) how external stakeholders’ values or perceptions affect records retention decisions or information
access decisions,
3) how the information technology infrastructure and information architecture can affect the
availability of records systems or records,
4) how the skills and competencies within the organization can affect the need for training or
external assistance,
5) how legislative instruments, policies, standards and codes affect the design of records processes
and controls,
6) how the organizational culture can affect compliance with the requirements of the MSR, and
7) how the complexity of the organization’s structure, business and legislative environment will affect
records policy, processes and controls (e.g. in a multi-jurisdictional environment).
Depending on the organization, the identification of internal and external factors may have been
performed for other purposes, including the implementation of other management system standards.
In such cases, a new analysis may not be needed and an adaptation will suffice.
The contextual analysis is a continual process. It informs the establishment and systematic evaluation
of the MSR (see Clause 9) and supports the cycle of continuous improvement (see Clause 10).
Output
Documented evidence that the analysis has been undertaken is a requirement of ISO 30301. Examples
are as follows:
— a list of internal and external factors to take into account;
— a chapter in a manual or project plan for implementing a MSR;
— a formal report on the analysis of the organization’s internal and external context and how it affects
and is affected by the MSR;
— a series of documents about the context of the organization.
4.2 Business, legal and other requirements
Using the result of the analysis described in 4.1 as the starting point, the legal, business and other
requirements are assessed in relation to the business activities and documented. The business
activities are the first elements that are analysed to identify the requirements that affect records
creation and control.
Identifying business requirements should take the following into account:
a) the nature of the activities of the organization (e.g. mining, financial advice, providing public
services, manufacturing, pharmaceutical, personal services, non-profit, community services);
b) the particular form or ownership of the organization (e.g. a trust, company or government
organization);
c) the particular sector to which the organization belongs (i.e. public or private sector, non-profit);
d) the jurisdiction(s) in which the organization operates.
Business requirements should be identified from the performance of current business processes and
also from the perspective of future planning and development. Special attention is needed when the
organization is implementing automated or digital business processes. In these cases, requirements can
change and need to be discussed with the people responsible for the development and implementation
of the proposed new processes.
Activities to determine all the mandatory legal and regulatory instruments applicable to the
organization include the following:
1) reviewing compliance requirements for sector-related legislation;
2) reviewing compliance for privacy and other records/data management legislation.
A.2 provides examples of the business, legal and other requirements relating to the creation and control
of records and for sources of expert assistance in identifying business, legal and other requirements.
Output
Documentation of the identification of the business, legal and other requirements is mandatory in order
to comply with ISO 30301. Requirements can be documented all together or in separate documents by
type of requirement. Examples of the kind of documentation are as follows:
— a list of requirements identified by type (e.g. business, legislative);
— a chapter in a manual or project plan for implementing a MSR;
— a formal report on identification of requirements for the MSR;
— a list of all laws and other codified regulatory or mandatory instruments that apply to the
organization relating to the creation and control of records;
— a Precedents Profile (a set of legal precedents on particular subject matters relevant to the
organization).
4.3 Defining the scope of the MSR
The scope of the MSR is a decision made by top management and clearly outlines the boundaries,
inclusions, exclusions, roles and relationships of the component parts of the MSR.
The scope can be defined as a result of the contextual analysis, taking into account identified factors
(see 4.1) and requirements (see 4.2) but also can be stated by top management from the starting point
before identifying factors and requirements.
The scope includes the following:
a) identification of what parts or functions of the organization are included. It can be the whole
organization, an area or department, a specific function or business process or a group of them;
b) identification of what parts or functions of other (related) organizations are included and the
relationships between them;
c) description of how the MSR integrates with the overall management system and with other
specific management systems implemented by the organization (e.g. ISO 9000, ISO 14000 and
ISO/IEC 27000);
d) identification of any processes that affect the MSR that are outsourced and the controls for the
entities responsible for the outsourced process.
Output
A documented statement defining the scope of the MSR is a requirement of the MSR. This statement can
be a single document or be included in other MSR documents such as the records policy (see 5.2) or in
manuals or project plans to implement the MSR.
5 Leadership
5.1 Management commitment
The commitment of top management to implementing the MSR is stated as explicitly and at the same
level of detail as for any other management systems implemented by the organization and as for its
other assets, e.g. human resources, finances and infrastructure. The requirement to demonstrate top
management commitment does not require a specific activity to be performed but is essential for
the success of the MSR. Commitment is also implicit in other requirements of ISO 30301 relating to
resources (see 7.1), communication (see 7.4) and management review (see 9.3).
Output
It is not mandatory to document top management’s commitment to the MSR, except in the records
policy (see 5.2), which can be considered as evidence of that commitment. Commitment can also be
demonstrated by actions or statements but depending on the nature and complexity of the organization,
evidence of commitment should be documented in addition to the records policy. Examples can be
found in the following:
— minutes of Boards of Directors or Boards of Management;
— statements in strategic and business plans;
— management resolutions and directives;
— budgets, business cases;
— communication plans.
5.2 Policy
The strategic direction of the organization, as defined by top management, is the basis for the records
policy. The records policy is established by top management as the driver for implementing and improving
an organization’s MSR and providing the benchmark for assessing the performance of the MSR.
Directions from top management need to be stated in a formal document. The document is not
normally drafted by top management but requires top management’s formal approval, independent of
the authors. Depending on the organization, top management can be identified by different positions
but the records policy should be endorsed by the person in the position recognized as the most senior.
The records policy contains the overall direction on how records creation and control meet the
organizational goals and provides the principles for action. It can be integrated into an overarching
management policy where more than one management systems standard is implemented. In this case,
the records policy does not require separate management endorsement.
Inputs to the records policy include the following:
a) analysis of the organizational context and identification of the requirements (see 4.1 to 4.2);
b) organizational goals and strategies;
c) influence of, or relationship of the policy to other organizational policies;
d) scope of the MSR (see 4.3);
e) organizational structure and delegations.
The records policy is a statement of intent and includes, for example,
1) purpose,
2) high-level directions for the creation and control of records,
3) high-level responsibilities or commitment for the creation and control of records,
4) indication of how the policy is to be implemented, and
5) definitions.
The records policy should be drafted in a form that all people affected by the MSR can readily
understand. In the implementation of records processes and systems, some technical documents
including decisions are called policies. When implementing ISO 30301, the records policy should be
a unique and short document, serving as a declaration from top management, and does not include a
description of objectives, actions or records processes.
To communicate records policy, the organization can use the methods in 7.4.
Output
An authorized records policy is required as a formal document when implementing a MSR. This formal
document should be controlled and distributed throughout the organization. The records policy is the
overarching document for all other documents developed for the implementation of a MSR.
5.3 Organizational roles, responsibilities and authorities
5.3.1 General
MSR responsibilities and authorities are defined and assigned to appropriate roles. They are
communicated at all levels of the organization so that it is clear who is responsible for taking the
necessary action for the design, implementation and maintenance of the MSR. Apart from the formal
appointment of the management and operational representatives outlined in the following clauses, to
implement a MSR, top management should assign responsibilities for
a) policy development and approval,
b) resource allocation,
c) development of procedures and processes and their approvals,
d) systems design,
e) training and guidance,
f) implementation and maintenance of policy, procedures and processes,
g) audit/monitoring of compliance, and
h) performance management.
These responsibilities can be assigned to different roles in the organization. The following statements
can be used as guidelines for the assignment of responsibilities.
1) Top management is responsible for authorizing and supporting the application of the records policy
throughout the organization.
2) Leadership responsibility and accountability for the MSR is assigned to (a specific role) within
top management.
3) Business unit managers are responsible for ensuring that employees in their units create and
manage records in accordance with the records policy.
4) Records professionals are responsible for the design of records processes and controls, the
implementation and maintenance of records systems, and for training of persons in records
processes and controls and in the use of records systems, as they affect individual practices.
5) Systems administrators are responsible for ensuring that records systems are reliable, secure,
compliant, comprehensive and manage records in a systematic manner, including during
migration and changes.
6) Information technology employees are responsible for implementing and maintaining the
technological aspects required for managing records on a continuous and reliable basis including
the migration of systems when needed.
7) All employees are responsible and accountable for creating and managing records of their
activities according to the records policy, through use of the organization’s records systems,
processes and controls.
Requirements in this Clause are closely related to requirements in 7.2 and 7.3 and should be implemented
at the same time.
Output
Assignment of responsibilities is part of the documented information required when implementing a
MSR. It can be documented in different forms. The following are some examples:
— high-level responsibilities reflected in the records policy (see 5.2);
— documentation of the appointment of the management representative and the operational
representative;
— job descriptions or similar statements;
— formal delegations of responsibilities;
— a chapter in a manual or project plan relating to responsibilities for implementing a MSR.
5.3.2 Management responsibilities
The role and responsibilities of the management representative are assigned and clearly defined.
This role has overall responsibility for leading the implementation and maintenance of the MSR. The
management representative should be part of the top management of the organization. Depending on
the complexity of the organization and the MSR to be implemented, leadership should be complemented
by an operational representative (as defined in 5.3.3).
Responsibilities of the top management representative should include the following:
a) approving the formal documentation of planning, design, maintenance and evaluation of the MSR
and MSR projects, where required;
b) approving the allocation of resources necessary to implement and maintain the MSR;
c) approving the assignment of one or more roles to implement and maintain the MSR. Roles can be
assigned to a specific position or to a designated group as appropriate to the complexity and size of
the organization;
d) promoting compliant MSR behaviour through methods such as communication (see 7.4) and
employee participation, empowerment, motivation, recognition and rewards;
e) defining competencies required for persons (employees or contractors) assigned roles in
implementing and maintaining the MSR.
The scope, nature and documentation of responsibilities are outlined in 5.3.1.
Output
— As for 5.3.1.
5.3.3 Operational responsibilities
An operational representative is assigned responsibility for designing and directing the activities
required for the operational implementation of, and reporting to top management on, the MSR. The
operational representative can be an employee or a contractor.
The operational representative should have specific records competencies as defined in 7.2.
The scope, nature and documentation of responsibilities are outlined in 5.3.1.
Tasks to be directed by the operational representative are based mainly on those identified in
ISO 30301:2011, Clause 8 and Annex A.
An operational representative can coordinate the activities of one or more MSR teams to implement
and maintain the MSR at the operational level and undertake performance improvements.
The operational representative should provide reports, with supporting documentation, to top
management or the management representative on the implementation and effectiveness of the MSR
and recommendations for process-related improvements. Reports can be delivered at regular scheduled
intervals, or stages, according to the organization’s requirements. Reports are records and should be
managed in accordance with the records processes and controls in ISO 30301:2011, Annex A.
Liaison with external parties on MSR matters is also part of the operational representative’s
responsibilities. It can include, but is not limited to,
a) seeking advice from legal and regulatory experts,
b) complying with the requirements or directions of audit and quality control specialists,
c) directing and negotiating with suppliers of products or services (e.g. software suppliers,
implementation consultants), and
d) acquiring additional skills and assistance from human resources or information technology
contractors.
The roles of the management representative and operational representative can be performed by the
same person or group depending on the complexity and size of the organization and the scope of the MSR.
Output
— As for 5.3.1.
6 Planning
6.1 Actions to address risks and opportunities
This Clause focuses on planning around the strategic risks associated with ensuring the MSR achieves
its intended outcome. Successful implementation of a MSR requires risks to be identified, analysed
and evaluated as part of planning for the MSR implementation. The analysis of factors (see 4.1) and
requirements (see 4.2) should be completed in conjunction with a risk assessment. This is used to
define the records objectives (see 6.2) and identify what actions are needed to achieve those objectives.
These actions are incorporated into MSR processes (see Clause 8).
Establishing a MSR assists organizations in managing the effect of uncertainty on their business objectives.
Failing to create and keep adequate records can create business uncertainty and have a negative
impact on the ability to achieve organizational objectives. Establishing a MSR assists organizations
in managing that uncertainty and impact. In this sense, a MSR is a risk treatment. The strategic
opportunities associated with a MSR can be considered as the positives or the strengths underpinning
the implementation of the management system. These may be associated with increasing organizational
transparency and accountability, improving business processes, cost effectiveness and efficiency, and
strengthening stakeholder and client relationships. A MSR may provide the opportunity to correct
areas of weakness in practices and protect against business threats brought about by changes to the
external operating environment or context. Identification, analysis and evaluation of these kinds of risks
and opportunities are normally done before the decision to implement a MSR as part of a general risk
management framework.
When implementing a MSR, uncertainties in regard to achieving objectives need to be identified as
risks. This risk assessment can also provide opportunities to improve business processes and have a
positive influence on business objectives. The purpose of the requirements in this Clause is to address
the assessment of those risks and opportunities relating to the objectives of a MSR. This is part of the
planning of the MSR. Organizations can decide what kind of risk management methodology they are
going to use and how the actions to mitigate risks are identified and put in place.
In addition, there are also risks related to the records themselves and the records systems in which they
reside. These are operational risks, and as such, should be assessed during operational planning (see 8.1).
Depending on the nature of the risks and opportunities, different types and levels of treatments and
actions are needed. The key determining factor is whether the risks and opportunities are related to
objectives of the MSR or operational in nature. While the requirements for both are in different clauses
of ISO 30301, they can be addressed as a single activity.
Where an organization has established a formal risk management framework, planning for the MSR
should be included in the risk identification, analysis and evaluation process of that framework.
Areas of uncertainty which could pose risks need to be considered in the strategic planning for a MSR.
They can include the following:
a) contextual change, such as legal and regulatory change, change to the economic or political
environment, structural change;
b) systems and processes involved in creating and controlling evidence to support the organization’s
achievement of its mission and goals;
c) human resources and skills to implement and maintain the MSR;
d) budgetary or financial implications and changes;
e) measurement and evaluation of achievement of policies, objectives and strategies;
f) relationships with other management systems already implemented.
Identification of strategic risks and opportunities and formulating records objectives can be mutually
influential. Therefore, this is not to be treated as a linear sequence of actions.
The identification of risk at this level should be linked to the MSR in general, or to a specific objective.
For example, risks related to “human resources and skills” mentioned above as an area of uncertainty
may be related to the MSR itself or to a records objective.
With the MSR itself, a risk may be that managers misunderstand the management system’s purpose and
its potential impact on business processes and objectives and just focus on the certification processes
associated with MSR implementation.
For example, if a records objective states the need for a specific system for capturing electronic
records in customer-related processes, a risk is that employees will be resistant to change and will
use alternative technologies (e.g. keeping records of business decisions in email applications instead of
using the designated system for keeping those records).
Actions to address risks and opportunities are specific for each organization. They are also specific to
each risk or opportunity identified. They should be included in actions to achieve objectives and in the
design of records processes.
Output
There is no specific requirement to document this aspect of the planning process. The risk approach
can be included in plans to achieve objectives (see 6.2) or be documented as a separate part of the
planning. Examples are
— any output of applying risk assessment tools (IEC 31010, Annex B includes a range of such tools and
ISO/TR 18128 includes some examples), and
— documentation of actions to be taken to address risks and opportunities.
6.2 Records objectives and plans to achieve them
Objectives of the implementation of a MSR, or records objectives, are defined according to the
organization’s context, requirements and priorities. The actions to achieve them are identified and
the objectives and plan are communicated throughout the organization in accordance with the
scope of the MSR.
Inputs to the definition of the records objectives include
a) the analysis of the organization’s context and identification of requirements (see Clause 4),
b) the records policy (see 5.2),
c) the risk analysis and actions and priority areas identified to address those risks (see 6.1), and
d) review of existing records processes.
Records objectives are specific to the organization [informed by the contextual analysis (see Clause 4)
and risk analysis (see 6.1)], aligned with its strategies and goals, and able to be measured.
In defining records objectives, the organization should take into account the adequacy of the existing
records and records systems as reviewed, the risks identified as having priority for treatment, and the
key areas for improvement from which the organization can gain most benefit.
Changes in the organizational context (e.g. legislative changes), in the records policy, in risk assessments
or in outcomes of performance evaluation require a review of the records objectives so that they can be
updated or modified if necessary. Records objectives should be communicated using the methods in 7.4.
Actions to achieve the records objectives are to be identified. Each objective can be related to one or
more actions. Actions identified need to be planned by
1) defining what outcomes are expe
...
INTERNATIONAL STANDARD ISO 30302
First edition
2015-10-15
Information and documentation — Management systems for records — Guidelines for implementation
COPYRIGHT PROTECTED DOCUMENT
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized
in any form or by any means, electronic or mechanical, including photocopying, or posting on the
internet or an intranet, without prior written permission. Permission can be requested from either ISO at
the address below or the ISO member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Business, legal and other requirements
4.3 Defining the scope of the MSR
5 Leadership
5.1 Management commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
5.3.1 General
5.3.2 Management responsibilities
5.3.3 Operational responsibilities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Records objectives and plans to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness and training
7.4 Communication
7.5 Documentation
7.5.1 General
7.5.2 Control of documentation
8 Operation
8.1 Operational planning and control
8.2 Design of records processes
8.3 Implementation of records systems
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation of performance
9.1.1 Determining what and how to monitor, measure, analyse and evaluate
9.1.2 Evaluation of the performance of records processes and systems and of the effectiveness of the MSR
9.1.3 Assessing the effectiveness of the MSR
9.2 Internal system audit
9.3 Management review
10 Improvement
10.1 Nonconformity control and corrective actions
10.2 Continual improvement
Annex A (informative) Examples of sources of information and requirements supporting the
analysis of organizational context
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national
standards bodies (ISO member bodies). The work of preparing International Standards is normally
carried out through ISO technical committees. Each member body interested in a subject for which a
technical committee has been established has the right to be represented on that committee.
International organizations, governmental and non-governmental, in liaison with ISO, also take part in
the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on
matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
intellectual property rights or similar rights. ISO shall not be held responsible for failing to identify
such rights or to give notice of their existence. Details of any intellectual property rights or similar
rights identified during the development of the document are given in the Introduction and/or in the
list of patent declarations received by ISO (see www.iso.org/brevets).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the meaning of ISO specific terms and expressions related to conformity
assessment, or for information about ISO's adherence to the WTO principles on Technical Barriers to
Trade (TBT), see the following link: Foreword — Supplementary information.
The committee responsible for this document is ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
Introduction
ISO 30302 is part of a series of International Standards under the general title Information
and documentation — Management systems for records:
— ISO 30300, Information and documentation — Management systems for records — Fundamentals
and vocabulary
— ISO 30301, Information and documentation — Management systems for records — Requirements
— ISO 30302, Information and documentation — Management systems for records — Guidelines
for implementation
ISO 30300 specifies the terminology used in the series of standards on management systems for
records (MSR), as well as the objectives and benefits of such a system. ISO 30301 specifies the
requirements for a management system for records where an organization demonstrates its ability to
create and control records of its business activities for as long as they are required. ISO 30302
provides guidance for the implementation of a management system for records.
The purpose of this International Standard is to provide practical guidance on how to implement a
management system for records (MSR) within an organization in accordance with the requirements of
ISO 30301. This International Standard covers what is needed to establish and maintain a MSR.
The implementation of a MSR is generally carried out as a project. A MSR can be implemented in
organizations that already have records systems or programmes, in order to review and improve the
management of those systems or programmes, or in organizations planning to implement a systematic
and verifiable approach to the creation and control of records for the first time. The guidance
described in this International Standard can be used in both situations.
It is assumed that organizations that decide to implement a MSR have made a preliminary assessment
of their existing records and records systems and have identified the risks to be addressed and the
opportunities for major improvements. For example, the decision to implement a MSR can be taken as a
risk-reduction measure in response to a risk arising from a major change to an information technology
platform or from the outsourcing of business processes identified as high risk. The MSR can also
provide a standardized management framework for major improvements such as integrating records
processes with specific business processes or improving the control and management of records of
online transactions or of the use of social media.
The use of this guidance is necessarily flexible. It depends on the size, nature and complexity of the
organization and on the level of maturity of any MSR already in place. The context and complexity of
each organization are unique, and its specific contextual requirements will drive the implementation of
the MSR. Smaller organizations will find that the activities described in this International Standard
can be simplified. Large or complex organizations may find that a multi-layered management system is
needed to implement and manage the activities in this International Standard effectively.
Guidance in this International Standard follows the same structure as ISO 30301, describing the
activities to be undertaken to meet the requirements of ISO 30301 and how to document those
activities.
Clause 4 explains how to perform the analysis needed to implement a MSR. From this analysis, the
scope of the MSR is defined and the relationship between implementing a MSR and other management
systems is identified.
Clause 5 explains how to gain the commitment of top management. The commitment is expressed in a
records policy, the assignment of responsibilities, the planning of the implementation of the MSR and
the adoption of records objectives.
Clause 6 deals with planning, which takes into account the high-level risk analysis, the contextual
analysis (see Clause 4) and the resources available (see Clause 7). Clause 7 describes the support
needed for a MSR, such as resources, competence, training, communication and documentation.
Clause 8 deals with defining or reviewing and planning the records processes to be implemented. It
draws on the contextual requirements and scope (see Clause 4) and is based on the records policy
(see 5.2), the risk analysis (see 6.1) and the resources needed (see 7.1) to meet the records objectives
(see 6.2) in the planned implementation. Clause 8 explains what records processes and systems need to
be implemented for a MSR.
Clauses 9 and 10 deal with performance evaluation and improvement against the planning, objectives
and requirements defined in ISO 30301.
For each of Clauses 4 to 10 of ISO 30301:2011, this International Standard provides the following:
a) the activities necessary to meet the requirements of ISO 30301 – these activities can be done
sequentially, while some will need to be done simultaneously using the same contextual analysis;
b) inputs to the activities – these are the starting points and can be outputs from previous activities;
c) outputs of the activities – these are the results or deliverables on completion of the activities.
This International Standard is intended to be used by those responsible for the implementation and
maintenance of the organization's management systems. It also helps top management in making
decisions on the establishment, scope and implementation of management systems in the organization.
It is to be used by people responsible for the implementation and maintenance of the MSR. The design
elements of the operational records processes are based on the principles established by ISO 15489-1.
Other International Standards and Technical Reports developed by ISO/TC 46/SC 11 are the principal
tools for designing, implementing, monitoring and improving records processes, controls and systems,
and can be used in conjunction with this International Standard for implementing the detailed
operational elements of the MSR.
Organizations that have already implemented ISO 15489-1 can use this International Standard to
develop an organizational infrastructure for managing records under the systematic and verifiable
approach of the MSR.
INTERNATIONAL STANDARD ISO 30302:2015(F)
Information and documentation — Management systems for records — Guidelines for
implementation
1 Scope
This International Standard gives guidance for the implementation of a Management System for
Records (MSR) in accordance with ISO 30301. This International Standard is intended to be used in
conjunction with ISO 30300 and ISO 30301. This International Standard does not modify and/or
reduce the requirements specified in ISO 30301. It describes the activities to be undertaken when
designing and implementing a MSR.
This International Standard is intended to be used by any organization implementing a MSR. It is
applicable to all types of organization (e.g. commercial enterprises, government agencies, non-profit
organizations) of all sizes.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300, Information and documentation — Management systems for records — Fundamentals
and vocabulary
ISO 30301:2011, Information and documentation — Management systems for records — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300 apply.
4 Context of the organization
4.1 Understanding of the organization and its context
The context of the organization should determine and drive the implementation and improvement of a
MSR. The requirements of this Clause are intended to ensure that the organization has considered its
own context and needs as part of the implementation of a MSR. These requirements are met by
analysing the organization's context. This analysis should be the first step of the implementation,
in order to
a) identify internal and external factors (see 4.1),
b) identify business, legal and other requirements (see 4.2), and
c) define the scope of the MSR (see 4.3) and identify risks (see Clause 6).
NOTE 1 When the scope of the MSR is stated by top management at the starting point, before the
factors and the needs for records are identified, the extent of the contextual analysis is defined by
the scope as stated.
NOTE 2 The MSS (management system standards) approach to contextual analysis and identification
of requirements is compatible with the analysis process (appraisal) proposed by ISO 15489-1, which also
includes elements of planning (see Clause 6) and of identification of needs for records (see Clause 8).
Contextual information needs to come from a reliable source and to be accurate, up to date and
complete. Regular review of the sources of this information ensures the accuracy and reliability of the
contextual analysis.
Clause A.1 provides examples of sources of information about an organization's internal and external
context and examples of potential stakeholders.
Examples of important factors to consider when determining how the context affects the MSR are
1) how a competitive market affects the need to demonstrate the efficiency of its processes,
2) how the values or perceptions of external stakeholders affect records retention decisions or
information access decisions,
3) how the information technology infrastructure and information architecture can affect the
availability of records systems or records,
4) how the skills and competencies within the organization can affect the need for training or
external assistance,
5) how legislative instruments, policies, standards and codes affect the design of records processes
and controls,
6) how the organizational culture can affect compliance with the requirements of the MSR, and
7) how the complexity of the organization's structure and of its business and legislative environment
can affect records policy, processes and controls (e.g. in a multi-jurisdictional environment).
Depending on the organization, the identification of internal and external factors may already have
been performed for other purposes, including the implementation of other management system
standards. In such cases, a new analysis may not be needed and an adaptation will suffice.
The contextual analysis is a continuous process. It informs the establishment and systematic
evaluation of the MSR (see Clause 9) and supports the cycle of continual improvement (see Clause 10).
Output
ISO 30301 requires documented evidence that the analysis has been undertaken. Examples are
— a list of internal and external factors to take into account;
— a chapter in a manual or project plan for implementing a MSR;
— a formal report on the analysis of the organization's internal and external context and how it
affects and is affected by the MSR;
— a set of documents about the context of the organization.
4.2 Business, legal and other requirements
Using the result of the analysis described in 4.1 as the starting point, the business, legal and other
requirements are assessed in relation to the business activities and are documented. Business
activities are the first elements analysed in order to identify the requirements that affect the
creation and control of records.
The identification of business requirements should take the following into account:
a) the nature of the organization's activities (e.g. mining, financial advice, provision of community services, manufacturing, pharmaceutical industry, personal services, voluntary (public-interest) services);
b) the particular form or ownership of the organization (e.g. trust, company or government organization);
c) the particular sector to which the organization belongs (i.e. public or private sector, not-for-profit);
d) the jurisdiction(s) in which the organization operates.
Business requirements should be identified from the performance of current business processes and also from the perspective of planned future development. Particular attention is needed in situations where the organization is implementing automated or digital business processes. In such situations, requirements can change and need to be discussed with the people responsible for developing and implementing the proposed new processes.
Activities for determining all the mandatory legal and regulatory instruments applicable to the organization include the following:
1) a review of the compliance requirements of sector-specific legislation;
2) a review of compliance with legislation on the protection of personal data and the management of records/other data.
Clause A.2 provides examples of business, legal and other requirements relating to the creation and control of records, as well as sources of specialist assistance for identifying business, legal and other requirements.
Output
To conform with ISO 30301, documenting the identification of business, legal and other requirements is mandatory. The requirements can be documented as a single set or in separate documents by type of requirement. Examples of types of documents include the following:
— a list of the requirements identified, by type (e.g. business, legislative);
— a chapter in a manual or project plan for implementing a MSR;
— a formal report on the identification of requirements for the MSR;
— a list of all the laws and other regulatory or mandatory codified instruments that apply to the organization and relate to the creation and control of records;
— a body of case law (a set of legal precedents on specific issues relevant to the organization).
4.3 Defining the scope of the MSR
The scope of the MSR is a decision made by top management and clearly sets out the boundaries, inclusions, exclusions, roles and relationships of the component parts of the MSR.
The scope can be defined as a result of the contextual analysis, taking into account the factors identified (see 4.1) and the requirements (see 4.2), but it can also be stated by top management from the outset, before the factors and requirements are identified.
The scope includes the following:
a) identification of the parts or functions of the organization that are included. This can be the whole organization, an area or department, a specific function or business process, or a combination of these;
b) identification of the parts or functions of other (related) organizations that are included, and the relationships between them;
c) a description of how the MSR integrates with the overall management system and with other specific management systems implemented by the organization (e.g. ISO 9000, ISO 14000 and ISO/IEC 27000);
d) identification of any outsourced process that affects the MSR, and the controls for the entities responsible for the outsourced process.
Output
A documented statement defining the scope of the MSR is a requirement of the MSR. This statement can be a single document or can be included in other MSR documents, such as the records policy (see 5.2), or in manuals or project plans for implementing the MSR.
5 Leadership
5.1 Management commitment
Top management's commitment to implementing the MSR is expressed as clearly and at the same level of detail as for any other management system implemented by the organization and for its other assets, e.g. human resources, finances and infrastructure. The requirement to demonstrate top management commitment does not call for a specific activity to be carried out. It is nevertheless essential to the success of the MSR. Commitment is also implicit in the other requirements of ISO 30301 relating to resources (see 7.1), communication (see 7.4) and management review (see 9.3).
Output
It is not mandatory to document top management's commitment to the MSR, other than in the records policy (see 5.2), which can be regarded as evidence of that commitment. Commitment can also be demonstrated by actions or statements but, depending on the nature and complexity of the organization, evidence of commitment beyond the records policy should be documented. Examples can be found in:
— minutes of the board of directors or management board;
— statements in strategic and business plans;
— management decisions and directives;
— budgets, business cases;
— communication plans.
5.2 Policy
The strategic direction of the organization, as defined by top management, is the very foundation of the records policy. The records policy is drawn up by top management and is the driver for implementing and improving an organization's MSR, providing the benchmark for assessing its performance.
Top management's direction needs to be set out in a formal document. In general, this document is not written by top management, but it requires its formal approval, whoever the authors are. Depending on the organization, top management can correspond to different positions, but the policy should be owned by the person whose position is recognized as the highest in the organization.
The records policy contains the general direction on how the creation and control of records meet the business objectives, and presents the principles for action. It can be integrated into an overall management policy in which several management system standards are implemented. In that case, the records policy does not need a separate commitment from top management.
Inputs to the records policy include the following:
a) the analysis of the organizational context and the identification of requirements (see 4.1 to 4.2);
b) organizational objectives and strategies;
c) the policy's influence on, or relationship with, other organizational policies;
d) the scope of the MSR (see 4.3);
e) the organizational structure and delegations.
The records policy is a statement of intent and includes, for example:
1) a purpose,
2) high-level direction for the creation and control of records,
3) high-level responsibilities or commitment for the creation and control of records,
4) an indication of how the policy is to be implemented, and
5) definitions.
The records policy should be written in a form that is easily understood by everyone affected by the MSR. When implementing records processes and systems, some technical documents containing decisions are called "policies". For the purposes of implementing ISO 30301, the records policy should be a statement by top management in the form of a single, concise document that does not include a description of objectives, actions or records processes.
To communicate the records policy, the organization can use the methods presented in 7.4.
Output
Implementing a MSR requires a formal document constituting the authorized records policy. This document should be controlled and distributed throughout the organization. The records policy is the overarching document for all other documents developed for implementing a MSR.
5.3 Organizational roles, responsibilities and authorities
5.3.1 General
Responsibilities and authorities for the MSR are defined and assigned to people with the appropriate roles in the organization. All levels of the organization are informed, so that it is clear to everyone who is responsible for taking the necessary action in designing, implementing and maintaining the MSR. In addition to the formal appointment of the management and operational representatives described in the following subclauses, in order to implement a MSR top management should assign the responsibilities for:
a) drafting and approving the policy,
b) allocating resources,
c) developing procedures and processes, and approving them,
d) designing systems,
e) training and advice,
f) implementing and maintaining the policy, procedures and processes,
g) auditing/monitoring compliance, and
h) managing performance.
These responsibilities can be assigned to people with different roles in the organization. The following can be used as guidance for assigning responsibilities.
1) Top management is responsible for authorizing and supporting the application of the records policy throughout the organization.
2) Management accountability and responsibility for the MSR are assigned (to a person with a specific role) within top management.
3) Managers of business units are responsible for ensuring that their staff create and manage records in accordance with the records policy.
4) Records managers are responsible for designing records processes and controls, implementing and maintaining records systems, and training people in records processes and controls and in the use of records systems, as these affect individual practices.
5) Systems administrators are responsible for ensuring that records systems are reliable, secure, compliant and comprehensive, and that they manage records systematically, including during changes and migrations.
6) Information technology staff are responsible for implementing and maintaining the technological components needed to manage records reliably and continuously, including system migration where applicable.
7) All staff are responsible and accountable for creating and managing the records of their activities in accordance with the records policy, using the organization's records systems, processes and controls.
The requirements of this clause are closely linked to the requirements of 7.2 and 7.3. They should be implemented at the same time.
Output
The assignment of responsibilities is part of the documented information required when implementing a MSR. It can be documented in different forms. Examples include the following:
— high-level responsibilities expressed in the records policy (see 5.2);
— documents appointing the management representative and the operational representative;
— job descriptions or similar documents;
— formal delegations of responsibilities;
— a chapter in a manual or project plan on responsibilities for implementing a MSR.
5.3.2 Management responsibilities
The role and responsibilities of the management representative are assigned and clearly defined. The role carries full responsibility for implementing and maintaining the MSR. The management representative should be a member of the organization's top management. Depending on the complexity of the organization and of the MSR to be implemented, the management responsibility should be assigned to an operational representative (as defined in 5.3.3).
The responsibilities of the management representative should include the following:
a) approving formal documentation for planning, designing, maintaining and evaluating the MSR and MSR-related projects, as necessary;
b) approving the allocation of the resources needed to implement and maintain the MSR;
c) approving the assignment of one or more roles for implementing and maintaining the MSR. The roles can be assigned to a specific position or to a designated group, depending on the complexity and size of the organization;
d) implementing measures that promote behaviour compliant with the MSR through methods such as communication (see 7.4) and staff involvement, empowerment, motivation, recognition and rewards;
e) defining the competencies required for the roles assigned to people (staff or contractors) for implementing and maintaining the MSR.
The scope, nature and documentation of responsibilities are set out in 5.3.1.
Output
— The same as in 5.3.1.
5.3.3 Operational responsibilities
An operational representative is given responsibility for designing and directing the activities needed for the operational implementation of the MSR, and for reporting on them to top management. The operational representative can be a member of staff or a contractor.
The operational representative should have the specific records competencies defined in 7.2.
The scope, nature and documentation of responsibilities are set out in 5.3.1.
The work to be directed by the operational representative is based primarily on the tasks identified in Clause 8 and Annex A of ISO 30301:2011.
An operational representative can coordinate the activities of one or more MSR teams responsible for implementing and maintaining the MSR at the operational level and for undertaking improvements to its performance.
The operational representative should submit to top management or to the management representative documented reports on the implementation and effectiveness of the MSR, together with recommendations for process improvement. Reports can be submitted at scheduled, regular intervals or at milestones, depending on the organization's requirements. The reports are records and should be managed in accordance with the records processes and controls in Annex A of ISO 30301:2011.
Liaising with external parties on MSR matters is also part of the operational representative's responsibilities. These responsibilities can include, but are not limited to:
a) consulting legal and regulatory specialists,
b) complying with the requirements or directions of audit and quality control specialists,
c) negotiating with, and issuing instructions to, suppliers of products or services (e.g. IT suppliers, implementation consultants), and
d) seeking additional skills and assistance from human resources or IT contractors.
The roles of management representative and operational representative can be filled by the same person or group of people, depending on the complexity and size of the organization and the scope of the MSR.
Output
— The same as in 5.3.1.
6 Planning
6.1 Actions to address risks and opportunities
This clause focuses on planning for the strategic risks associated with the actions taken to ensure that the MSR achieves its intended outcome. Successful implementation of a MSR requires risks to be identified, analysed and evaluated as part of planning the implementation of the MSR. The analysis of factors (see 4.1) and requirements (see 4.2) should be carried out in parallel with a risk assessment. This is used to define the objecti
...











