Document management — Trustworthy storage system (TSS) — Functional and technical requirements

This document specifies the functional, technology-neutral requirements for trustworthy storage systems (TSS) that ensure storing and managing electronically stored information (ESI) in a protected and secure fashion during the lifecycle of the information. The TSS as specified in this document is storage technology neutral and accordingly does not specify any specific storage media types or configurations.

This document is applicable to all information systems in which users and applications must manage the protection, preservation and security of stored ESI throughout its entire lifecycle to meet organizational and regulatory requirements to enforce:
— immutability, authenticity and trustworthiness of the stored ESI;
— protection of application managed ESI and other stored ESI against tampering, malicious acts and ransomware;
— organizational ESI preservation and retention policies;
— protection for unstructured and unmanaged data.

Gestion des documents — Système de stockage fiable (TSS) — Exigences fonctionnelles et techniques

General Information

Status
Published
Publication Date
25-Aug-2022
Current Stage
6060 - International Standard published
Start Date
26-Aug-2022
Due Date
14-Apr-2024
Completion Date
26-Aug-2022

Technical specification
ISO/TS 18759:2022 - Document management — Trustworthy storage system (TSS) — Functional and technical requirements Released: 26.08.2022
English language
32 pages
Draft
REDLINE ISO/PRF TS 18759 - Document management — Trustworthy storage system (TSS) — Functional and technical requirements Released: 5/11/2022
English language
32 pages
Draft
ISO/PRF TS 18759 - Document management — Trustworthy storage system (TSS) — Functional and technical requirements Released: 5/11/2022
English language
32 pages

Standards Content (Sample)

TECHNICAL SPECIFICATION
ISO/TS 18759
First edition
2022-08
Document management — Trustworthy storage system (TSS) — Functional and technical requirements
Gestion des documents — Système de stockage fiable (TSS) — Exigences fonctionnelles et techniques
Reference number
ISO/TS 18759:2022(E)
© ISO 2022

COPYRIGHT PROTECTED DOCUMENT
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 TSS concepts and functional requirements
4.1 Overview
4.2 TSS concepts
4.2.1 General
4.2.2 Immutable ESI
4.2.3 Changeable ESI
4.3 ESI preservation
4.4 Immutable ESI preservation period
4.4.1 Overview
4.5 ESI deletion
4.6 TSS functional requirements
5 TSS ESI lifecycle management technical requirements
5.1 General
5.2 TSS ESI security, protection and hold restrictions requirements
5.2.1 General
5.2.2 TSS ESI security requirements
5.2.3 TSS ESI hold restriction requirements
5.2.4 TSS ESI protection requirements
5.2.5 TSS ESI deletion requirements
5.3 Changeable ESI requirements
5.4 TSS immutable ESI requirements
5.5 TSS retained ESI requirements
5.6 TSS expired-ESI requirements
5.7 Immutable ESI retention period
5.7.1 General
5.7.2 Immutable ESI retention period requirements
5.7.3 Immutable ESI permanent retention period
5.7.4 Immutable ESI fixed retention period
5.7.5 Immutable ESI hybrid retention period
5.7.6 Immutable ESI indefinite retention period
6 TSS integration and management interfaces
7 TSS integrity, auditing, security requirements
7.1 Storage security
7.2 ESI encryption
7.3 Secure delete and erasure
7.4 Immutable ESI integrity checks
7.5 Redundancy and replication
7.6 Storage migration and upgrades
7.7 Auditability
7.7.1 General
7.7.2 TSS audit capabilities
7.7.3 TSS audit trail
8 TSS technical methods for trusted storage
8.1 General
8.2 Security
8.3 Validate and detect corruption
8.4 Ransomware protection
8.5 Error correction
8.6 Monitoring, notifications and alerts
8.7 Encryption
8.8 Permissions
8.9 Integrity of storage devices and media
9 TSS requirements and mitigating technical methods
9.1 Migration of information between media
9.2 Technical obsolescence
9.3 Discovery requests
9.4 Addressing ad hoc deletion requests
9.5 ESI degradation
9.6 Malicious actions by employees or outside parties
9.7 ESI store errors
9.8 TSS hardware controls
9.9 Accidental or premature deletion of ESI
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 171, Document management applications,
Subcommittee SC 2, Document file formats, EDMS systems and authenticity of information.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
The trustworthy storage system (TSS) provides a secure storage framework to preserve and
protect all types of electronically stored information (ESI) independent of the application and is not
intended to be limited to the use cases of content and records management applications. It provides
a unified tamper-resistant storage repository for the preservation and protection of ESI for various
environments. In a digital world where information is created, authored and captured electronically,
the TSS provides the vital security, protection and preservation of ESI against an ever-growing list of
evolving vulnerabilities including accidental and malicious acts, malware and ransomware as well as
operational and application errors.
Organizations designing and implementing information and content management systems
need guidance on how to select and implement a trustworthy storage system to safeguard the
trustworthiness, reliability, authenticity, integrity and immutability of ESI throughout its entire
lifecycle. A trusted system needs a TSS in order to maintain ESI trustworthiness ensuring chain of
custody, compliance with organizational mandates, legal and regulatory requirements and admissibility
standards, including enforcement of retention requirements and deletion-holds. The TSS also benefits
organizations that do not have a formal records programme or application, but are responsible for
protecting, managing and securing information for their organization.
Readers are advised to use this document taking into account their local jurisdictions and applicable
liabilities, paying special attention to legal, regulatory and other organizational requirements,
obligations and expectations.
Document management — Trustworthy storage system
(TSS) — Functional and technical requirements
1 Scope
This document specifies the functional, technology-neutral requirements for trustworthy storage
systems (TSS) that ensure storing and managing electronically stored information (ESI) in a protected
and secure fashion during the lifecycle of the information. The TSS as specified in this document is
storage technology neutral and accordingly does not specify any specific storage media types or
configurations.
This document is applicable to all information systems in which users and applications must manage
the protection, preservation and security of stored ESI throughout its entire lifecycle to meet
organizational and regulatory requirements to enforce:
— immutability, authenticity and trustworthiness of the stored ESI;
— protection of application managed ESI and other stored ESI against tampering, malicious acts and
ransomware;
— organizational ESI preservation and retention policies;
— protection for unstructured and unmanaged data.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 12651-1, Electronic document management — Vocabulary — Part 1: Electronic document imaging
ISO 13008, Information and documentation — Digital records conversion and migration process
ISO 14641, Electronic document management — Design and operation of an information system for the
preservation of electronic documents — Specifications
ISO 15489-1, Information and documentation — Records management — Part 1: Concepts and principles
ISO/TR 15801, Document management — Electronically stored information — Recommendations for
trustworthiness and reliability
ISO 18829, Document management — Assessing ECM/EDRM implementations — Trustworthiness
ISO/TR 22957, Document management — Analysis, selection and implementation of enterprise content
management (ECM) systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 12651-1, ISO 14641,
ISO 15489-1 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
trusted system
information technology system with the capability of managing electronically stored information (ESI)
(3.2) in a trustworthy manner
Note 1 to entry: A trusted system demonstrates authenticity, integrity and availability of ESI over time.
3.2
electronically stored information
ESI
information created, used, edited, modified and stored in digital form
Note 1 to entry: Electronically stored information (ESI) includes documents and records (unstructured and
structured data) created or managed by the organization in the course of business and requiring a computer or
other device for access.
3.2.1
changeable electronically stored information
changeable ESI
writeable ESI
electronically stored information (ESI) (3.2) stored on a trustworthy storage system (TSS) without
any write-once immutable protection, allowing all changes to electronically stored information (ESI)
(contents, size, properties, attributes and checksums)
3.2.2
immutable electronically stored information
immutable ESI
electronically stored information (ESI) on a trustworthy storage system (TSS) with write-once
immutable protection that permanently prevents changes to ESI (contents, size, properties, attributes
and checksums)
3.2.3
immutable ESI preservation period
immutable ESI retention period
period that defines the length of time for which an immutable ESI (electronically stored information)
(3.2.2) in a trustworthy storage system (TSS) is to be preserved, prohibiting its deletion
3.2.4
retained ESI
preservation state of an immutable ESI (electronically stored information) (3.2.2) in a trustworthy
storage system (TSS) that has been assigned a preservation target expiration date and time, which has
not lapsed and is therefore ineligible for deletion
3.2.5
expired ESI
preservation state of an immutable ESI (electronically stored information) (3.2.2) in a trustworthy
storage system (TSS) that has been assigned a preservation target expiration date and time, which has
lapsed and expired and is therefore eligible for deletion
3.2.6
preservation expiration date and time
retention expiration date and time
preservation date and time that the immutable ESI (electronically stored information) (3.2.2) be retained
and preserved at a minimum prohibiting deletion
Note 1 to entry: The immutable ESI (electronically stored information) minimum retention expiration date and
time may be increased but can never be reduced.
3.2.7
preservation target expiration date and time
immutable ESI (electronically stored information) (3.2.2) in a trustworthy storage system (TSS) assigned
preservation target expiration date and time that is used by the TSS to determine eligibility for deletion
Note 1 to entry: The immutable ESI (3.2.2) is eligible for deletion any time after the assigned preservation target
expiration date and time has lapsed, provided that the immutable ESI (3.2.2) does not have a deletion hold (3.3).
The assigned preservation target expiration date and time can never be reduced.
Note 2 to entry: Alternatively, reference preservation target expiration date and time or retention period target
expiration date and time.
3.3
deletion-hold
trustworthy storage system (TSS) preventing the destruction of any specific electronically stored
information (ESI) within a TSS
3.4
access-hold
trustworthy storage system (TSS) preventing the access of any specific electronically stored
information (ESI) within a TSS
3.5
modification-hold
trustworthy storage system (TSS) preventing the modification of any specific changeable electronically
stored information within a TSS
3.6
application
system for collecting, saving, processing, and presenting data by means of a computer
[SOURCE: ISO/IEC/IEEE 24765:2017, 3.167, definition 1]
3.7
legal hold
litigation hold
operation that tags or otherwise cues special access management and destruction suspension for record
[electronically stored information (ESI)] entries deemed relevant, consistent with organization policy
under the legal doctrine of “duty to preserve”, also notifying records ESI owners and other designated
parties of the special data controls on access, retention, and destruction processes
Note 1 to entry: The Add Legal Hold Record ESI Lifecycle Event occurs when an agent causes the system to tag
or otherwise indicate special access management and suspension of ESI entry deletion or destruction, if deemed
relevant to a lawsuit or which are reasonably anticipated to be relevant to fulfil organizational policy under the
legal doctrine of “duty to preserve”.
[SOURCE: ISO/TS 21089:2018(en), 3.82, modified — added electronically stored information (ESI) to
the definition.]
3.8
ransomware
malicious software that infects computer systems, restricts access to the victim’s data and requires a
ransom
[SOURCE: ITU-T X.1215 (01/2019), 7.1]
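The preservation states and deletion eligibility defined in 3.2.4 to 3.2.7 and 3.3 can be modelled in a few lines. The following is an added example, not part of ISO/TS 18759; the class, method and hold names are hypothetical, the dates are constructed, and treating the exact expiration instant as still retained is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class PreservationError(Exception):
    """An operation would weaken the preservation of immutable ESI."""


@dataclass
class ImmutableESI:
    """Hypothetical record for one immutable ESI object (3.2.2)."""
    name: str
    target_expiration: datetime  # preservation target expiration date and time (3.2.7)
    deletion_holds: set = field(default_factory=set)  # deletion-hold identifiers (3.3)

    def extend_retention(self, new_target: datetime) -> None:
        # 3.2.6 / 3.2.7: the expiration may be increased but can never be reduced.
        if new_target < self.target_expiration:
            raise PreservationError("retention can never be reduced")
        self.target_expiration = new_target

    def state(self, now: datetime) -> str:
        # 3.2.4 retained: target has not lapsed; 3.2.5 expired: target has lapsed.
        # Assumption: the exact expiration instant still counts as retained.
        return "expired" if now > self.target_expiration else "retained"

    def deletion_eligible(self, now: datetime) -> bool:
        # Note 1 to 3.2.7: eligible only after the target has lapsed
        # and only if no deletion-hold is in place.
        return self.state(now) == "expired" and not self.deletion_holds


class Store:
    """Hypothetical store that enforces the rules at the storage layer."""

    def __init__(self) -> None:
        self._objects = {}

    def put(self, esi: ImmutableESI) -> None:
        # Write-once: an existing immutable object is never overwritten.
        if esi.name in self._objects:
            raise PreservationError("immutable ESI cannot be overwritten")
        self._objects[esi.name] = esi

    def delete(self, name: str, now: datetime) -> None:
        esi = self._objects[name]
        if esi.state(now) == "retained":
            raise PreservationError("retained ESI is ineligible for deletion")
        if esi.deletion_holds:
            raise PreservationError("deletion-hold in place")
        del self._objects[name]

    def __contains__(self, name: str) -> bool:
        return name in self._objects


def demo() -> list:
    """Walk one object through its lifecycle and return the outcomes."""
    t0 = datetime(2022, 8, 26, tzinfo=timezone.utc)  # constructed start date
    store = Store()
    esi = ImmutableESI("contract.pdf", t0 + timedelta(days=365))
    store.put(esi)
    log = [esi.state(t0)]

    try:
        store.delete("contract.pdf", t0)
    except PreservationError as exc:
        log.append(str(exc))

    try:
        esi.extend_retention(t0 + timedelta(days=30))  # attempt to shorten
    except PreservationError as exc:
        log.append(str(exc))

    esi.extend_retention(t0 + timedelta(days=730))  # extending is allowed
    esi.deletion_holds.add("hold-001")               # constructed hold identifier

    later = t0 + timedelta(days=800)
    log.append(esi.state(later))
    try:
        store.delete("contract.pdf", later)
    except PreservationError as exc:
        log.append(str(exc))

    esi.deletion_holds.discard("hold-001")
    store.delete("contract.pdf", later)
    log.append("deleted" if "contract.pdf" not in store else "present")
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```
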
4 TSS concepts and functional requirements
4.1 Overview
The trustworthy storage system (TSS) in conformity with the technical and functional requirements of
this document provides a storage environment capable of ensuring and maintaining the trustworthiness
and reliability of electronically stored information (ESI) throughout its lifecycle independent of the
application or the underlying storage technology. The primary purpose of a TSS is to protect and
preserve ESI in a manner that reliably ensures security, immutability, integrity and authenticity. The
TSS maintains and safeguards ESI against tampering and corruption in conformity with relevant
laws, regulations and business requirements as well as with international standards associated with
trustworthy storage environments (ISO/TR 15801, ISO/TR 22957, ISO 18829, ISO 14641, ISO 15489-1
and other related standards).
A TSS is the key component of any trusted environment that manages and maintains the trustworthiness
of ESI from creation to deletion. The TSS is designed to enforce provable immutability, integrity,
authenticity, retention, security, privacy, tamper-evident protection, enforcing destruction and access
holds. The TSS allows the deletion of TSS-stored ESI based on determining deletion eligibility.
Using a non-TSS platform leaves the ESI at risk since the integrity and viability of the entire lifecycle
of the ESI cannot be independently secured and protected with provable immutability. There are
fundamental limitations to the extent any individual component of a trusted environment can address
the requirements without employing the immutability protection and the deletion restrictions of a TSS.
Application-defined security controls are limited to the context of operations performed within the
internal components of the application. Modifications to application-managed ESI executed outside the
context of the application-defined security can jeopardize the trustworthiness of the entire solution.
In a non-TSS platform, any privileged user or privileged process may directly modify, encrypt or delete
application-managed ESI bypassing all the security provisions of the application-defined security.
Applications cannot prevent, prohibit, inhibit or detect any changes to application-managed ESI on non-
TSS storage.
For example, malicious users or malware can manipulate, corrupt or destroy the application-managed
ESI without the application’s knowledge by simply bypassing the application and modifying the
application-managed ESI on a non-TSS platform.
To compensate for the application-managed ESI security and protection, the operating system standard
access controls and permissions shall be used. Though deemed a necessity in the context of any trusted
environment, operating system enforced access controls and permissions are limited to enforcing
privileges without taking into consideration the status of the ESI and associated requirements of
a TSS. Without a TSS to protect and safeguard the trustworthiness of ESI, an authenticated process,
a privileged user, rogue administrator or anything executing in their context, whether ransomware,
malicious code, or any accidental act, can destroy, encrypt and modify any application-managed ESI.
In the age of ransomware, malicious and accidental acts, a TSS should be included when implementing
any trusted environment to ensure the trustworthiness of ESI and protection of its authenticity and
immutability against internal and external vulnerabilities and exploits that can compromise ESI in a
non-TSS or application-managed environment.
In many instances, an application can contain many different types of applications within it, or share
ESI with other applications and organizational entities, resulting in a complex schema of controls
on individual ESI. In such situations, the TSS provides an additional leve
...

ISO TC 171/SC 2
Date: 2022-03-2505-10
ISO/TS 18759:2022
ISO TC 171/SC 2/WG 11
Secretariat: ANSI
ISO/DIS 18759:2018(E)
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 trusted system
3.2 Terms related to electronically stored information (ESI)
electronically stored information (ESI)
3.2.1 changeable electronically stored information
3.2.2 immutable electronically stored information
3.2.3 immutable-ESI preservation period immutable-ESI retention period
3.2.4 retained-ESI
3.2.5 expired-ESI
3.2.6 retention expiration date and time preservation expiration date and time
3.2.7 retention preservation target expiration date and time
3.3 deletion-hold
3.4 access-hold
3.5 modification-hold
3.6 application
3.7 legal hold litigation hold
3.8 ransomware
4 TSS concepts and functional requirements
4.1 Overview
4.2 TSS concepts
4.2.1 General
4.2.2 Immutable-ESI
4.2.3 Changeable-ESI
4.3 ESI preservation
4.4 Immutable-ESI preservation period
4.4.1 Overview
4.5 ESI deletion
4.6 TSS functional requirements
5 TSS ESI lifecycle management technical requirements
5.1 General
5.2 TSS ESI security, protection and hold restrictions requirements
5.2.1 General
5.2.2 TSS ESI security requirements
5.2.3 TSS ESI hold restriction requirements
5.2.4 TSS ESI protection requirements (Optional)
5.2.5 TSS ESI deletion requirements
5.3 Changeable-ESI (writeable-ESI) requirements
5.4 TSS immutable-ESI requirements
5.5 TSS retained-ESI requirements
5.6 TSS expired-ESI requirements
5.7 Immutable-ESI retention period
5.7.1 General
5.7.2 Immutable-ESI retention period requirements
5.7.3 Immutable-ESI permanent-retention period
5.7.4 Immutable-ESI fixed-retention period
5.7.5 Immutable-ESI hybrid-retention period
5.7.6 Immutable-ESI indefinite-retention period
6 TSS integration and management interfaces
7 TSS integrity, auditing, security requirements
7.1 Storage security
7.2 ESI encryption
7.3 Secure delete and erasure
7.4 Immutable-ESI integrity checks
7.5 Redundancy and replication
7.6 Storage migration and upgrades
7.7 Auditability
7.7.1 General
7.7.2 TSS audit capabilities
7.7.3 TSS audit trail
8 TSS technical methods for trusted storage
8.1 General
8.2 Security
8.3 Validate and detect corruption
8.4 Ransomware protection
8.5 Error correction
8.6 Monitoring, notifications and alerts
8.7 Encryption
8.8 Permissions
8.9 Integrity of storage devices and media
9 TSS compliance requirements and mitigating technical methods
9.1 Migration of information between media
9.2 Technical obsolescence
9.3 Discovery requests
9.4 Addressing ad-hoc deletion requests
9.5 ESI degradation
9.6 Malicious actions by employees or outside parties
9.7 ESI store errors
9.8 TSS hardware controls
9.9 Accidental or premature deletion of ESI
Bibliography



TECHNICAL ISO/TS
SPECIFICATION 18759
First edition
Document management —
Trustworthy storage system
(TSS) — Functional and technical
requirements
Gestion des documents — Système de stockage fiable (TSS) —
Exigences fonctionnelles et techniques
PROOF/ÉPREUVE
Reference number
ISO/TS 18759:2022(E)
© ISO 2022

---------------------- Page: 1 ----------------------
ISO/TS 18759:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
PROOF/ÉPREUVE © ISO 2022 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/TS 18759:2022(E)
Contents Page
Foreword .v
Introduction . vi
1 S c op e . 1
2 Nor m at i ve r ef er enc e s . 1
3 Terms and definitions . 1
4 T SS concepts and functional requirements . 4
4 .1 O ver v iew . 4
4 . 2 T S S c onc ep t s . 5
4.2.1 General . 5
4.2.2 I mmutable ESI . . 5
4.2.3 C hangeable ESI . 5
4.3 E SI preservation . 6
4.4 I mmutable ESI preservation period . 6
4 .4 .1 O ver v iew . 6
4 . 5 E S I dele t ion . 7
4.6 T SS functional requirements . 8
5 TSS ESI lifecycle management technical requirements .10
5.1 G eneral . 10
5.2 T SS ESI security, protection and hold restrictions requirements . 11
5.2.1 G eneral . 11
5.2.2 TSS ESI security requirements . 11
5.2.3 TSS ESI hold restriction requirements .12
5.2.4 TSS ESI protection requirements . 15
5.2.5 TSS ESI deletion requirements . 16
5.3 C hangeable ESI requirements . 16
5.4 T SS immutable ESI requirements . 17
5.5 T SS retained ESI requirements . . 18
5.6 T SS expired-ESI requirements . 19
5.7 I mmutable ESI retention period . 19
5.7.1 General . 19
5.7.2 Immutable ESI retention period requirements. 19
5.7.3 I mmutable ESI permanent retention period . 20
5.7.4 Immutable ESI fixed retention period . 20
5.7.5 I mmutable ESI hybrid retention period . 21
5.7.6 I mmutable ESI indefinite retention period .22
6 TSS integration and management interfaces .22
7 TSS integrity, auditing, security requirements .23
7.1 S torage security . 23
7.2 E SI encryption . 23
7.3 S ecure delete and erasure .23
7.4 I mmutable ESI integrity checks . 24
7.5 R edundancy and replication . 24
7.6 S torage migration and upgrades . 24
7.7 A uditability . 24
7.7.1 General . 24
7.7.2 TSS audit capabilities .25
7.7.3 T SS audit trail . 25
8 T SS technical methods for trusted storage .25
8.1 General . 25
8.2 S ecurity . 25
8.3 V alidate and detect corruption . 26
iii
© ISO 2022 – All rights reserved PROOF/ÉPREUVE

---------------------- Page: 3 ----------------------
ISO/TS 18759:2022(E)
8.4 Ransomware protection
8.5 Error correction
8.6 Monitoring, notifications and alerts
8.7 Encryption
8.8 Permissions
8.9 Integrity of storage devices and media
9 TSS requirements and mitigating technical methods
9.1 Migration of information between media
9.2 Technical obsolescence
9.3 Discovery requests
9.4 Addressing ad hoc deletion requests
9.5 ESI degradation
9.6 Malicious actions by employees or outside parties
9.7 ESI store errors
9.8 TSS hardware controls
9.9 Accidental or premature deletion of ESI
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 171, Document management applications,
Subcommittee SC 2, Document file formats, EDMS systems and authenticity of information.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
The trustworthy storage system (TSS) provides a secure storage framework to preserve and
protect all types of electronically stored information (ESI) independent of the application and is not
intended to be limited to the use cases of content and records management applications. It provides
a unified tamper-resistant storage repository for the preservation and protection of ESI for various
environments. In a digital world where information is created, authored and captured electronically,
the TSS provides the vital security, protection and preservation of ESI against an ever-growing list of
evolving vulnerabilities including accidental and malicious acts, malware and ransomware as well as
operational and application errors.
Organizations designing and implementing information and content management systems
need guidance on how to select and implement a trustworthy storage system to safeguard the
trustworthiness, reliability, authenticity, integrity and immutability of ESI throughout its entire
lifecycle. A trusted system needs a TSS in order to maintain ESI trustworthiness ensuring chain of
custody, compliance with organizational mandates, legal and regulatory requirements and admissibility
standards, including enforcement of retention requirements and deletion-holds. The TSS also benefits
organizations that do not have a formal records programme or application, but need to protect, manage
and secure information important to their organization.
Readers are advised to use this document taking into account their local jurisdictions and applicable
liabilities, paying special attention to legal, regulatory and other organizational requirements,
obligations and expectations.
TECHNICAL SPECIFICATION ISO/TS 18759:2022(E)
Document management — Trustworthy storage system
(TSS) — Functional and technical requirements
1 Scope
This document specifies the functional, technology-neutral requirements for trustworthy storage
systems (TSS) that ensure storing and managing electronically stored information (ESI) in a protected
and secure fashion during the lifecycle of the information. The TSS as specified in this document is
storage technology neutral and accordingly does not specify any specific storage media types or
configurations.
This document is applicable to all information systems in which users and applications must manage
the protection, preservation and security of stored ESI throughout its entire lifecycle to meet
organizational and regulatory requirements to enforce:
— immutability, authenticity and trustworthiness of the stored ESI;
— protection of application managed ESI and other stored ESI against tampering, malicious acts and
ransomware;
— organizational ESI preservation and retention policies;
— protection for unstructured and unmanaged data.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 12651-1, Electronic document management — Vocabulary — Part 1: Electronic document imaging
ISO 13008, Information and documentation — Digital records conversion and migration process
ISO 14641, Electronic document management — Design and operation of an information system for the
preservation of electronic documents — Specifications
ISO 15489-1, Information and documentation — Records management — Part 1: Concepts and principles
ISO/TR 15801, Document management — Electronically stored information — Recommendations for
trustworthiness and reliability
ISO 18829, Document management — Assessing ECM/EDRM implementations — Trustworthiness
ISO/TR 22957, Document management — Analysis, selection and implementation of enterprise content
management (ECM) systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 12651-1, ISO 14641,
ISO 15489-1 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
trusted system
information technology system with the capability of managing electronically stored information (ESI)
(3.2) in a trustworthy manner
Note 1 to entry: A trusted system demonstrates authenticity, integrity and availability of ESI over time.
3.2
electronically stored information
ESI
information created, used, edited, modified and stored in digital form
Note 1 to entry: Electronically stored information (ESI) includes documents and records (unstructured and
structured data) created or managed by the organization in the course of business and requiring a computer or
other device for access.
3.2.1
changeable electronically stored information
changeable ESI
writeable ESI
electronically stored information (ESI) (3.2) stored on a trustworthy storage system (TSS) without
any write-once immutable protection, allowing all changes to electronically stored information (ESI)
(contents, size, properties, attributes and checksums)
3.2.2
immutable electronically stored information
immutable ESI
electronically stored information (ESI) on a trustworthy storage system (TSS) with write-once
immutable protection that permanently prevents changes to ESI (contents, size, properties, attributes
and checksums)
3.2.3
immutable ESI preservation period
immutable ESI retention period
period that defines the length of time for which an immutable ESI (electronically stored information)
(3.2.2) in a trustworthy storage system (TSS) is to be preserved, prohibiting its deletion
3.2.4
retained ESI
preservation state of an immutable ESI (electronically stored information) (3.2.2) in a trustworthy
storage system (TSS) that has been assigned a preservation target expiration date and time, which has
not lapsed and is therefore ineligible for deletion
3.2.5
expired ESI
preservation state of an immutable ESI (electronically stored information) (3.2.2) in a trustworthy
storage system (TSS) that has been assigned a preservation target expiration date and time, which has
lapsed and expired and is therefore eligible for deletion
3.2.6
preservation expiration date and time
retention expiration date and time
preservation date and time that the immutable ESI (electronically stored information) (3.2.2) be retained
and preserved at a minimum prohibiting deletion
Note 1 to entry: The immutable ESI (electronically stored information) minimum retention expiration date and
time may be increased but can never be reduced.
3.2.7
preservation target expiration date and time
immutable ESI (electronically stored information) (3.2.2) in a trustworthy storage system (TSS) assigned
preservation target expiration date and time that is used by the TSS to determine eligibility for deletion
Note 1 to entry: The immutable ESI (3.2.2) is eligible for deletion any time after the assigned preservation target
expiration date and time has lapsed, provided that the immutable ESI (3.2.2) does not have a deletion hold (3.3).
The assigned preservation target expiration date and time can never be reduced.
Note 2 to entry: Alternatively, reference preservation target expiration date and time or retention period target
expiration date and time.
3.3
deletion-hold
trustworthy storage system (TSS) preventing the destruction of any specific electronically stored
information (ESI) within a TSS
3.4
access-hold
trustworthy storage system (TSS) preventing the access of any specific electronically stored
information (ESI) within a TSS
3.5
modification-hold
trustworthy storage system (TSS) preventing the modification of any specific changeable electronically
stored information within a TSS
3.6
application
system for collecting, saving, processing, and presenting data by means of a computer
[SOURCE: ISO/IEC/IEEE 24765:2017, 3.167, definition 1]
3.7
legal hold
litigation hold
operation that tags or otherwise cues special access management and destruction suspension for record
[electronically stored information (ESI)] entries deemed relevant, consistent with organization policy
under the legal doctrine of “duty to preserve”, also notifying records ESI owners and other designated
parties of the special data controls on access, retention, and destruction processes
Note 1 to entry: The Add Legal Hold Record ESI Lifecycle Event occurs when an agent causes the system to tag
or otherwise indicate special access management and suspension of ESI entry deletion or destruction, if deemed
relevant to a lawsuit or which are reasonably anticipated to be relevant to fulfil organizational policy under the
legal doctrine of “duty to preserve”.
[SOURCE: ISO/TS 21089:2018(en), 3.82, modified — added electronically stored information (ESI) to
the definition.]
3.8
ransomware
malicious software that infects computer systems, restricts access to the victim’s data and requires a
ransom
[SOURCE: ITU-T X.1215 (01/2019), 7.1]
4 TSS concepts and functional requirements
4.1 Overview
The trustworthy storage system (TSS) in conformity with the technical and functional requirements of
this document provides a storage environment capable of ensuring and maintaining the trustworthiness
and reliability of electronically stored information (ESI) throughout its lifecycle independent of the
application or the underlying storage technology. The primary purpose of a TSS is to protect and
preserve ESI in a manner that reliably ensures security, immutability, integrity and authenticity. The
TSS maintains and safeguards ESI against tampering and corruption in conformity with relevant
laws, regulations and business requirements as well as with international standards associated with
trustworthy storage environments (ISO/TR 15801, ISO/TR 22957, ISO 18829, ISO 14641, ISO 15489-1
and other related standards).
A TSS is the key component of any trusted environment that manages and maintains the trustworthiness
of ESI from creation to deletion. The TSS is designed to enforce provable immutability, integrity,
authenticity, retention, security, privacy, tamper-evident protection, enforcing destruction and access
holds. The TSS allows the deletion of TSS-stored ESI based on determining deletion eligibility.
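The definitions in 3.2.2 to 3.2.7 and 3.3 combine into a single deletion-eligibility rule, sketched here as an added Python example that is not part of ISO/TS 18759. The class and method names, the hold identifiers and the in-memory store are assumptions made for illustration; the model covers the policy checks only, not storage-level enforcement.

```python
from dataclasses import dataclass, field
from datetime import datetime


class TSSViolation(Exception):
    """A request that the definitions in clause 3 do not allow."""


@dataclass
class ImmutableESI:
    content: bytes
    target_expiration: datetime                       # 3.2.7
    deletion_holds: set = field(default_factory=set)  # 3.3; hold ids are hypothetical

    def extend_retention(self, new_expiration: datetime) -> None:
        # 3.2.6 Note 1 and 3.2.7 Note 1: may be increased, can never be reduced.
        if new_expiration < self.target_expiration:
            raise TSSViolation("target expiration can never be reduced")
        self.target_expiration = new_expiration

    def state(self, now: datetime) -> str:
        # 3.2.4 retained: target has not lapsed; 3.2.5 expired: target has lapsed.
        return "expired" if now > self.target_expiration else "retained"

    def eligible_for_deletion(self, now: datetime) -> bool:
        # 3.2.7 Note 1: the target has lapsed and there is no deletion-hold.
        return self.state(now) == "expired" and not self.deletion_holds


class TrustworthyStore:
    """Toy in-memory store: checks run in the store, not in the application."""

    def __init__(self):
        self._items = {}

    def put(self, key: str, esi: ImmutableESI) -> None:
        if key in self._items:  # write-once protection (3.2.2)
            raise TSSViolation("immutable ESI cannot be overwritten")
        self._items[key] = esi

    def delete(self, key: str, now: datetime) -> None:
        if not self._items[key].eligible_for_deletion(now):
            raise TSSViolation("ESI is retained or under a deletion-hold")
        del self._items[key]

    def __contains__(self, key: str) -> bool:
        return key in self._items
```
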
Using a non-TSS platform leaves the ESI at risk since the integrity and viability of the entire lifecycle
of the ESI cannot be independently secured and protected with provable immutability. There are
fundamental limitations to the extent any individual component of a trusted environment can address
the requirements without employing the immutability protection and the deletion restrictions of a TSS.
Application-defined security controls are limited to the context of operations performed within the
internal components of the application. Modifications to application-managed ESI executed outside the
context of the application-defined security can jeopardize the trustworthiness of the entire solution.
In a non-TSS platform, any privileged user or privileged process may directly modify, encrypt or delete
application-managed ESI bypassing all the security provisions of the application-defined security.
Applications cannot prevent, prohibit, inhibit or detect any changes to application-managed ESI on
non-TSS storage.
For example, malicious users or malware can manipulate, corrupt or destroy the application-managed
ESI without the application’s knowledge by simply bypassing the application and modifying the
application-managed ESI on a non-TSS platform.
To compensate for the application-managed ESI security and protection, the operating system standard
access controls and permissions shall be used. Though deemed a necessity in the context of any trusted
environment, operating system enforced access controls and permissions are limited to enforcing
privileges without taking into consideration the status of the ESI and associated requirements of
a TSS. Without a TSS to protect and safeguard the trustworthiness of ESI, an authenticated process,
a privileged user, rogue administrator or anything executing in their context, whether ransomware,
malicious code, or any accidental act, can destroy, encrypt and modify any application-managed ESI.
In the age of ransomware, malicious and accidental acts, a TSS should be included when implementing
any trusted environment to ensure the trustworthiness of ESI and protection of its authenticity and
immutability against internal and external vulnerabilities and exploits that can compromise ESI in a
non-TSS or application-managed environment.
In many instances, an application can contain many different types of applications within it, or share
ESI with other applications and organizational entities, resulting in a c
...
