Document management - Information stored electronically - Recommendations for trustworthiness and reliability

ISO/TR 15801:2009 describes the implementation and operation of document management systems that can be considered to store electronic information in a trustworthy and reliable manner. ISO/TR 15801:2009 is for use by any organization that uses a document management system to store authentic, reliable and usable/readable electronic information over time. Such systems incorporate policies, procedures, technology and audit requirements that ensure that the integrity of the electronic information is maintained during storage. ISO/TR 15801:2009 does not cover processes used to evaluate whether information can be considered to be authentic prior to it being stored or imported into the system. However, it can be used to demonstrate that, once the information is stored, output from the system will be a true and accurate reproduction of the original.

Images électroniques — Stockage électronique d'informations — Recommandations pour les informations de valeur et leur fiabilité

General Information

Status: Withdrawn
Publication Date: 08-Oct-2009
Withdrawal Date: 08-Oct-2009
Current Stage: 9599 - Withdrawal of International Standard
Start Date: 17-May-2017
Completion Date: 13-Dec-2025

Technical report
ISO/TR 15801:2009 - Document management -- Information stored electronically -- Recommendations for trustworthiness and reliability
English language
41 pages

Frequently Asked Questions

ISO/TR 15801:2009 is a technical report published by the International Organization for Standardization (ISO). Its full title is "Document management - Information stored electronically - Recommendations for trustworthiness and reliability".

ISO/TR 15801:2009 is classified under the following ICS (International Classification for Standards) categories: 37.080 - Document imaging applications. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/TR 15801:2009 has inter-standard links to the following standards: ISO/TR 15801:2017 and ISO/TR 15801:2004. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

Standards Content (Sample)


TECHNICAL REPORT
ISO/TR 15801
Second edition
2009-10-15
Document management — Information stored electronically — Recommendations for trustworthiness and reliability
Images électroniques — Stockage électronique d'informations — Recommandations pour les informations de valeur et leur fiabilité

©  ISO 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Terms and definitions
3 Document management policy
3.1 General
3.2 Document Management Policy Document
4 Duty of care
4.1 General
4.2 Information security management
4.3 Business continuity planning
4.4 Consultations
5 Procedures and processes
5.1 General
5.2 Procedures Manual
5.3 Information capture
5.4 Document image capture
5.5 Data capture
5.6 Indexing
5.7 Authenticated output procedures
5.8 File transmission
5.9 Document retention
5.10 Information preservation
5.11 Information destruction
5.12 Backup and system recovery
5.13 System maintenance
5.14 Security and protection
5.15 Use of contracted services
5.16 Workflow
5.17 Date and time stamps
5.18 Version control
5.19 Maintenance of documentation
6 Enabling technologies
6.1 General
6.2 System Description Manual
6.3 Storage media and sub-system considerations
6.4 Access levels
6.5 System integrity checks
6.6 Image processing
6.7 Compression techniques
6.8 Form overlays and form removal
6.9 Environmental considerations
6.10 Migration
6.11 Information deletion and/or expungement
7 Audit trails
7.1 General
7.2 System
7.3 Stored information
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that
which is normally published as an International Standard (“state of the art”, for example), it may decide by a
simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely
informative in nature and does not have to be reviewed until the data it provides are considered to be no
longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 15801 was prepared by Technical Committee ISO/TC 171, Document management applications,
Subcommittee SC 3, General issues.
This second edition cancels and replaces the first edition (ISO/TR 15801:2004) which has been technically
revised.

Introduction
This Technical Report defines recommended practices for electronic storage of business or other information
in an electronic form. As such, complying with its recommendations is of value to organizations even when the
trustworthiness of the stored information is not being challenged.
Information, in the form of digital objects, originates from many sources. This Technical Report covers digital
objects in any form, from the traditional scanned images, word processed documents and spreadsheets to the
more “modern” forms which include e-mail, web content, instant messages, CAD drawing files, blogs, wikis,
etc.
Users of this Technical Report should be aware that the implementation of these recommendations does not
automatically ensure acceptability of the evidence encapsulated by the information. Where stored electronic
information might be required in court, implementers of this Technical Report are advised to seek legal advice
to ascertain the precise situation within their relevant legal environment.
This Technical Report describes means by which it can be demonstrated, at any time, that the contents of a
specific electronic object created or existing within a computer system have not changed since it was created
within the system or imported into it.
Regardless of the original format, it will be possible to demonstrate that information stored in a trustworthy
system can be reliably reproduced in a consistent manner and accurately reflects what was originally stored
without any material modification.
Other versions of the information might legitimately develop, e.g. revision of a contract. In these cases the
new versions are treated as new electronic objects. The same principle can be applied when a significant
change is made to a document in a workflow environment.
Document management systems can store, in an electronic form, both documents and records (as defined in
ISO 15489-1). This Technical Report describes means for storing all types of electronic information in a
trustworthy and reliable manner. Where records are stored, the requirements of this Technical Report can be
used in conjunction with those specified in ISO 15489-1 to ensure that the policies and procedures described
in this Technical Report work in conjunction with those specified in ISO 15489-1.
Readers are advised to use this Technical Report in conjunction with other local sources, particularly with
relevance to governmental and legal requirements in their respective jurisdictions.

TECHNICAL REPORT ISO/TR 15801:2009(E)

Document management — Information stored electronically —
Recommendations for trustworthiness and reliability
1 Scope
This Technical Report describes the implementation and operation of document management systems that
can be considered to store electronic information in a trustworthy and reliable manner.
This Technical Report is for use by any organization that uses a document management system to store
authentic, reliable and usable/readable electronic information over time. Such systems incorporate policies,
procedures, technology and audit requirements that ensure that the integrity of the electronic information is
maintained during storage.
This Technical Report does not cover processes used to evaluate whether information can be considered to
be authentic prior to it being stored or imported into the system. However, it can be used to demonstrate that,
once the information is stored, output from the system will be a true and accurate reproduction of the original.
Where, in this Technical Report, the term “system” is used, it should be taken as meaning the document
management system that is being reviewed, unless otherwise stated.
2 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 12651 and the following apply.
2.1
information type
groups of related documents
NOTE In specific applications, “groups” can be identified as “sets”, “files”, “collections” or other similar terms.
EXAMPLES Invoices, financial documents, data sheets, correspondence.
2.2
trusted system
〈document management〉 system used to store electronic information in an accurate, reliable and
usable/readable manner, ensuring integrity over time
3 Document management policy
3.1 General
Information is one of the most important assets that any organization has at its disposal. Everything an
organization does involves using information in some way. The quantity of information can be vast, and there
are many different ways of representing and storing it. The value of information used and the manner in which
it is applied and moved within and between organizations can determine the success or failure of those
organizations.
Information, like any other asset, needs to be classified, structured, validated, valued, secured, monitored,
measured and managed efficiently and effectively.
This clause describes documentation that states the organization's policy for the management of information.
Additionally, this clause provides guidance to organizations with respect to the level of documentation required
to enable an organization to clearly establish how the information contained in a trusted document
management system is reliable, accurate and trustworthy. Availability of this documentation can also be used
to demonstrate that document management is part of normal business procedures.
Where a system stores information that can be used as evidence in any legal or business process, one's legal
advisors should be consulted (see 4.4) to ensure that one complies with relevant legal or regulatory
requirements. As legal and regulatory requirements vary from country to country (and sometimes within a
country), the legal advice one obtains should cover all relevant jurisdictions.
3.2 Document Management Policy Document
3.2.1 Contents
A Document Management Policy Document (the Policy Document) should be produced, documenting the
organization's policy on document management and storage, as applicable to the trusted document
management system.
The Policy Document should contain sections which:
⎯ specify what information is covered (see 3.2.2);
⎯ state policy regarding storage media (see 3.2.3);
⎯ state policy regarding electronic object file formats and version control (see 3.2.4);
⎯ state policy regarding relevant document management standards (see 3.2.5);
⎯ define retention and destruction policies (see 3.2.6);
⎯ define responsibilities for document management functions (see 3.2.7);
⎯ define responsibilities for monitoring compliance with this policy (see 3.2.8).
The Policy Document should be approved by senior management of the organization, and should be reviewed
at regular intervals.
Essential to this Technical Report is the agreement and implementation of a Retention Schedule for stored
information. Where reference is made to the Policy Document in the rest of this Technical Report, the
Retention Schedule is included in such a reference.
3.2.2 Information covered
In order to define the organization's document management policy, information should be grouped into types,
the policy for all information within a type being consistent. For example, information types can be specified
either by reference to application (e.g. financial projections, invoices, customer address list), by association
with a specific business process (e.g. applications, complaints, renewals) or by reference to generic groups
(e.g. accounting data, customer documents, manufacturing documents).
During the drafting of the Policy Document, specific information might need to be regrouped to ensure
consistency of Policy within an information type.
The Policy Document should list all types of information that are to be stored. The Policy Document should
include, as an information type, all documents produced in compliance with the Policy.
3.2.3 Storage media
Different types of media have different long-term storage characteristics. Most organizations will store
information on a variety of media types: paper, microform, electronic (write-once and rewritable/erasable) or
optical (write-once and rewritable/erasable). In some applications, specific pieces of information can,
throughout their retention period, be stored on different media types at different times.
The organization should have policies regarding the use of specific types of media for different information
storage requirements (e.g. access requirements, retention periods and security requirements). These policies
should be detailed in the Policy Document.
The media type on which each information type (see 3.2.2) can be stored should be specified.
Where copies of electronic objects exist, it might be important to be able to demonstrate that no changes have
occurred to any purported copy. In the case of electronic objects that exist in different versions, for the
purposes of this Technical Report each version should be treated as a new source or original object.
The policy for the management of copies of electronic objects should be detailed in the Policy Document.
3.2.4 Data file formats and compression
The Policy Document should contain details of the approved data file formats that can be used for each
information type.
All information stored on a computer system requires software for retrieval and display. This software is
subject to change, either by the implementation of new releases, or by changes to operating systems and/or
hardware. By implementing a policy of approved data file formats and compression technologies (where
utilized), the necessary data migration or alternative procedures can be implemented satisfactorily to ensure
long-term retrieval of the stored information.
Where compression techniques are available, policy on their use should be documented.
Where multiple versions of a document can be stored, a policy is required which ensures that all relevant
versions are stored, and their relationship maintained. The Policy Document should contain details of policy
on the storage of versions of documents.
For additional information on this, see 5.5.2, 5.10, 6.10 and 7.2.3.
3.2.5 Standards related to document management
Where the organization operates a quality management system (such as the ISO 9000 series), whose scope
includes part or all of the trusted document management system, all relevant procedural documentation
should be included in the quality system.
Where national or international regulatory requirements are mandatory, or where national or International
Standards are applicable, they should be complied with.
3.2.6 Retention and disposal schedules
A retention schedule should be established for each information type.
Retention periods should be agreed by all relevant departments and personnel within the organization.
Retention periods should be agreed upon after taking relevant advice to ensure that legal or regulatory issues,
or both, are resolved.
All relevant system and procedural documentation that is produced should be covered by the retention
schedule.
The retention schedule should include the organization's policy for its periodic review.
The retention schedule should include the organization's policy for the controlled destruction of information.
3.2.7 Document management responsibilities
Individual or job function responsibilities for the Policy Document should be defined in the Policy Document.
Individual or job function responsibilities for each information type should be identified and included in the
Policy Document.
Individual or job function responsibilities should include the need to seek relevant advice when creating or
updating the contents of the Policy Document.
3.2.8 Compliance with policy
Where it is important that compliance with the Policy Document can be demonstrated, the individual or job
function responsibilities for obtaining and maintaining such compliance should be identified and defined.
4 Duty of care
4.1 General
4.1.1 Trusted system
A trusted document management system is one that ensures that all electronically stored information can be
considered to be a true and accurate copy of the original information, regardless of the original format. Trusted
document management systems need to include the following as a minimum:
⎯ the creation of at least one copy of the stored information on to media that protects the stored information
from modification, inappropriate additions or deletion throughout its approved lifecycle; this copy needs to
be stored and maintained in a safe location that is separate from the other copy of the stored information;
⎯ the utilization of hardware and storage media that protect the stored information from modification,
inappropriate additions or deletion throughout its approved lifecycle (see also 6.3);
⎯ the ability to verify through independent audit processes of the software, hardware and/or storage media
methodology(ies) that the original stored information can be rendered accurately throughout its approved
lifecycle.
A trusted document management system utilizes a combination of organizational policies, operational
procedures and appropriately installed and managed technologies as described in this Technical Report that
will enable an organization to demonstrate trustworthiness and reliability.
4.1.2 Controls
It is essential that the organization be aware of the importance of designing and maintaining all aspects of the
trusted document management system and that it execute its responsibilities under the duty of care principle.
To fulfil this objective, the organization needs to:
⎯ establish a chain of accountability and assign responsibility for activities involving management of
electronic information at all levels;
⎯ be aware of legislative and regulatory bodies pertinent to its business;
⎯ keep abreast of technical, procedural, regulatory and legislative developments by maintaining contact
with the appropriate bodies and organizations;
⎯ implement an Information Security Policy.
4.1.3 Segregation of roles
The segregation of roles is a fundamental aspect of duty of care. It provides a check on errors and on the
deliberate falsification of records (in this respect separation of roles is particularly important in systems where
there is risk of fraud or other malicious action).
There are several aspects of document management where a segregation of roles is considered:
⎯ input reconciliation (see 5.4.3);
⎯ quality control (see 5.4.6);
⎯ data entry (see 5.6);
⎯ information deletion (see 5.11);
⎯ information security (see 4.2).
It is also important to ensure that the physical and managerial segregations that exist around a system are
mirrored by the logical access controls within it.
The segregation of roles between initial operations and checking should be reviewed and implemented where
appropriate.
4.2 Information security management
4.2.1 Information Security Policy
All information, irrespective of the media on which it is stored, is vulnerable to loss or change, whether
accidental or malicious. To protect information stored electronically, security measures need to be developed
and implemented to reduce the risk of a successful challenge to its authenticity. These security measures
need to be aligned to any information classification categories that are used.
Traditionally, information security is considered a matter of confidentiality, to ensure that information is not
accessible outside the requirements of the organization. However, whilst this is important (in some cases vital)
to the operation of the organization, it is not the most important security issue relevant to this Technical
Report.
A key objective of the Information Security Policy is to ensure the protection of the integrity of stored
information. When developing security measures, it is necessary to compare the risk of integrity being
compromised with the cost of implementation of such measures. Security measures need to include backup
and other copies of stored information, as their integrity is of importance in circumstances where they have
been used as replacements for live data.
Also of importance is availability. In some cases, it might be necessary to be able to demonstrate that all
information on a specific topic is available for review at any time. In this category, topics such as indexing
accuracy and business continuity planning are key.
Security is not singularly a concern of computer systems. Security and availability of the operating
environment (including buildings, temperature controls, network links, etc.) and the auditable implementation
of procedures by all staff are both key elements.
The organization should adopt an Information Security Policy, covering all elements of the trusted document
management system.
Where the organization has an Information Security Policy for other systems, then the use of the trusted
document management system should be incorporated within its scope.
The Information Security Policy Document should contain, as a minimum:
⎯ scope of policy;
⎯ statement of management objectives in respect of security;
⎯ specific policy statements;
⎯ requirements for different information classification categories;
⎯ definition and allocation of information security responsibilities;
⎯ policy for dealing with breaches of security;
⎯ policy regarding compliance with relevant standards.
The Information Security Policy Document should be approved by the organization's senior management.
That approval should be documented.
The organization should agree and document appropriate levels of security for managing its information, in
compliance with its Information Security Policy Document.
Consideration should be given to compliance with ISO 27001. With reference to the trusted document
management system, the requirements of this Technical Report should be taken into consideration when
developing the required controls for ISO 27001 compliance.
4.2.2 Risk assessment
Security measures are often developed using an ad hoc approach, reacting to security incidents or to
available computer software tools. Such procedures frequently leave gaps in security, which are only filled at
some later date. A more structured approach is to review the information assets of the organization, and
assign risk factors (based on asset value, system vulnerability and likelihood of attack). An Information
Security Policy can then be produced and approved, against which security measures can be audited.
The organization should undertake an information security risk analysis, and document the results obtained.
Of particular importance are the security measures implemented to control the information storage media,
both the live media and the backup media. The risk analysis needs to include vulnerability risk factors
consistent with the type of media being used (e.g. WORM or rewritable).
Where different types of storage media are used, their impact on the risk analysis results should be reviewed.
Once the risk analysis has been completed, it needs to be acted upon as part of a review of implemented
security measures. Factors such as the balance between the cost of implementation, security achieved and
risk evaluation need to be taken into consideration during the review process.
Based on the results of the risk analysis, existing security measures should be reviewed for effectiveness.
Where the review indicates that changes to security procedures are appropriate, the changes should be
implemented.
4.2.3 Information security framework
A management framework should be established to initiate and control the implementation of information
security within the organization. The framework should have as its objectives:
⎯ approval and review of the Information Security Policy;
⎯ monitoring of threats to information security;
⎯ monitoring and review of security breaches;
⎯ approval of major initiatives to enhance information security.
4.3 Business continuity planning
From time to time, problems arise with trusted document management systems which require emergency
procedures to be implemented, to recover from the problem. Such procedures might involve the temporary
use of additional or third-party resources. In order to ensure that the integrity of information is not
compromised during these operations, an agreed and approved Business Continuity Plan (sometimes known
as a Disaster Recovery Plan) can be implemented.
Procedures to be used in cases of major equipment, environmental or personnel failure should be developed,
tested and maintained. Such procedures should ensure that the integrity of stored information is not
compromised during their implementation.
4.4 Consultations
The implications of using trusted document management systems can be significant to other organizations,
such as:
⎯ regulatory bodies;
⎯ government bodies;
⎯ external audit bodies;
⎯ legal advisors (such as the organization's lawyers).
The organization should consult with relevant organizations that are concerned with the authenticity, reliability
and integrity of stored information prior to implementing the Document Management Policy Document.
These can include the following:
⎯ national and international law;
⎯ industry sector;
⎯ community;
⎯ organization;
⎯ department;
⎯ individual.
The organization should consult with relevant organizations prior to implementing the Document Management
Policy Document.
These consultations can include the following topics:
⎯ legal issues;
⎯ government regulations;
⎯ financial regulations (such as payment of taxes);
⎯ special regulations (applicable to particular sectors).
The results of all consultations, including actions agreed, planned or implemented, should be referenced or
included in the Policy Document.
Where appropriate regulations and/or laws exist, they should be complied with.
The Policy Document should state whether all or part of any relevant national or international standards
should be complied with.
Where the organization complies with relevant national or international standards, such compliance should
include the trusted document management system.
5 Procedures and processes
5.1 General
This clause deals with procedures relating to the operation of a trusted document management system.
5.2 Procedures Manual
5.2.1 Documentation
The organization should maintain a Procedures Manual for each trusted document management system.
Where, in this section, documentation is required, this documentation can either be included in the Procedures
Manual, or referenced by it. This manual can include references to other controlled documentation as
appropriate.
The relevant procedures detailed in, or referenced by, the Procedures Manual should be readily accessible to
all appropriate users of the system.
5.2.2 Content
The Procedures Manual should include or reference procedures for the operation of the trusted document
management system and should include the following:
⎯ information capture (see 5.3);
⎯ document image capture (see 5.4);
⎯ data capture (see 5.5);
⎯ indexing (see 5.6);
⎯ authenticated output procedures (see 5.7);
⎯ file transmission (see 5.8);
⎯ document retention (see 5.9);
⎯ information preservation (see 5.10);
⎯ information destruction (see 5.11);
⎯ backup and system recovery (see 5.12);
⎯ system maintenance (see 5.13);
⎯ security and protection (see 5.14);
⎯ use of contracted services (see 5.15);
⎯ workflow (see 5.16);
⎯ date and time stamps (see 5.17);
⎯ version control (see 5.18);
⎯ maintenance of documentation (see 5.19).
For convenience, the Procedures Manual can be maintained as a number of separate physical documents,
relating to different document management areas.
Where the organization has multiple trusted document management systems, the documentation can
comprise a single Procedures Manual or multiple Procedures Manuals.
5.2.3 Compliance with procedures
In order to be able to comply with the procedures detailed in the Procedures Manual, staff need to be aware of
them, and have the ability to follow them. This situation is frequently achieved by training, either by specific
courses or during day-to-day working.
Procedures should be implemented that ensure that all staff who operate the system adhere to requirements.
5.2.4 Updating and reviews
It is important to ensure that the procedures implemented at any time during the storage life of any specific
piece of information can be determined. This is achieved by ensuring that the Procedures Manual is kept up to
date, and that all previous versions are kept in compliance with the Policy Document.
Any changes to operational procedures should be documented. This documentation should include details of
any change control procedures used, and procedures to ensure that the new procedures are implemented.
Where changes are being implemented, they should be checked to ensure that operational requirements and
the requirements of the Policy Document are not compromised.
Superseded versions of the Procedures Manual should be kept in compliance with the Policy Document.
To confirm that documentation is up to date, regular reviews are necessary. Such reviews might also be
necessary where legal or regulatory changes are relevant.
A review should be carried out at least annually to ensure that any changes to procedures or technology are
reflected in the Procedures Manual.
The results of periodic reviews should be documented and approved by the person responsible for the
operation of the appropriate part of the system.
5.3 Information capture
5.3.1 General
Where the trusted document management system is used for storing electronic objects, the procedures
involved in the capture of those objects should be documented.
These procedures can include:
⎯ electronic object capture;
⎯ document preparation;
⎯ document batching;
⎯ photocopying;
⎯ scanning;
⎯ image quality control.
Documents can include paper documents or microform documents.
Subclause 5.4 contains further details on the procedures relevant to document scanning.
5.3.2 Information loss
Where electronic objects are stored in a trusted document management system, some of the information can
potentially be lost. For example, when scanning a paper document, resolution might
be such that small characters are illegible on the digital image; or, where a digital document is converted from
one format to another, some metadata can be lost.
Where storage media is changed, physical evidence (such as fingerprints on paper documents or CD media)
might not be reproduced within the electronic object. In such cases, the organization should review any
potential loss of information, and make a decision as to whether this loss is acceptable to the business
process. If such a loss is unacceptable, steps should be taken to ensure that the information is captured
and/or retained.
5.3.3 Creation and importing
Electronic information can be created within a trusted document management system, or imported into it. The
authenticity of the documents at the time they are created or imported is of critical importance, as the trusted
document management system will consistently reproduce whatever information has been stored.
Electronic information can be stored in two forms, either in image or data format. In either form, they can be
imported into the trusted document management system in a variety of formats.
Image formats are typically obtained from:
⎯ paper documents (originals, photocopies, faxes);
⎯ automatic facsimile entry (via a fax server);
⎯ capturing screen shots where multiple pieces of information are being displayed simultaneously (also
referred to as compound transient documents);
⎯ microfilm and microfiche.
Image formats are typically bit maps of an original analog document. Image formats can also be obtained from
digital documents. Details of procedures for capturing analog documents in image format are discussed in 5.4.
Data formats store information in “native” format, possibly requiring the original software to retrieve the
information contained. There are a number of “standard” formats that can be retrieved by many software
packages (e.g. text files, comma-separated delimited files). Examples of data formats are:
⎯ office systems such as word processors, spreadsheets, etc.;
⎯ CAD drawings;
⎯ e-mail messages;
⎯ Electronic Data Interchange (EDI) files;
⎯ instant messages;
⎯ XML messages;
⎯ screen shots (for example, for transient documents).
In all cases, the information contained in the data can be accessed through the use of an appropriate software
application. Details of procedures for capturing analog documents in data format are discussed in 5.5.
NOTE It is also possible to have digital documents in mixed image and data formats (for example, a letter in Word
format with an embedded bit-mapped signature).
Where information to be stored in the trusted document management system originates from outside the
boundaries of control of the organization employing the trusted document management system, there might
be little or no control over, or knowledge of, the procedures or processes involved in the production or
authorization of that information. In these circumstances, the organization will need to take care that the
information is what it purports to be, that it has not been tampered with and that the identity of the originator is
genuine. The level of checking of these criteria will depend upon the nature of the particular information in
question.
Such boundary situations can also exist within an organization. In these circumstances, the part of the
organization with the trusted document management system should not assume that an image or data file is
what it purports to be, simply because it came from another part of the same organization.
5.3.4 Metadata
When digital and/or analog documents are created or imported, care should be taken to ensure that all the
relevant metadata are also transferred. Care should be taken to ensure that all necessary metadata are
captured, to ensure that the digital and/or analog documents have the correct interpretation placed on them.
The content of metadata information might need to be reviewed for completeness and appropriateness. The
availability of a full metadata set, with an appropriate content, will increase the evidential value of the
information to which it pertains. The use of an appropriate metadata schema should be considered.
5.4 Document image capture
5.4.1 General
This subclause includes recommendations relating to the procedures relevant to the creation of digital images
from analog documents. Recommendations in this subclause are for users whose trusted document
management systems include the capture and storage of analog documents in digital form by the use of
scanners. These recommendations cover procedures for:
⎯ preparation of documents;
⎯ document batching;
⎯ photocopying;
⎯ scanning;
⎯ image processing.
5.4.2 Preparation of paper documents
All paper documents need to be examined prior to the scanning process, to ensure that a successful image is
obtained. Attributes such as paper size, weight and binding, paper and print colour can all affect the physical
scanning process.
Paper documents should be examined prior to the scanning process, to ensure their suitability for scanning.
Procedures for this examination process should be documented.
Factors such as their physical state (thin paper, creased, stapled, etc.), and the attributes of the information
(black-and-white, colour, tonal range, etc.) should be considered.
Where paper documents are found that are
...
