ISO/TS 7538:2024

Technical
Specification
ISO/TS 7538
First edition
Functional requirements for
2024-08
disposition of records
Exigences fonctionnelles pour le sort final des documents
d'activité
Reference number
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Purpose and benefits . 2
5 Principles . 2
6 Disposition requirements . 3
6.1 General .3
6.2 Governance of disposition .3
6.2.1 General .3
6.2.2 Authorization of disposition .3
6.2.3 Reviewing and updating disposition authorities .4
6.3 Disposition policies .5
6.4 Disposition processes .5
6.4.1 General .5
6.4.2 Processes .5
6.4.3 Documenting disposition . . .6
6.4.4 Disposition actions .6
6.5 Exceptional circumstances and their implications for disposition .8
6.5.1 General .8
6.5.2 Disposition due to exceptional events.8
6.5.3 Disposition holds .8
7 Performance evaluation and improvement . 9
7.1 General .9
7.2 Monitoring, measurement, analysis and evaluation . .9
Annex A (informative) Disposition challenges . 10
Bibliography . 14

iii
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

iv
Introduction
Disposition is an integral part of records management and allows organizations to reduce storage costs and
save unnecessary time and expense managing records that are no longer required. Proper disposition also
helps to ensure compliance, reduce risks, and preserve corporate and societal memory.
Disposition is the “range of records processes associated with implementing records retention, destruction
or transfer decisions which are documented in disposition authorities or other instruments”. Disposition
can be implemented:
a) on the receipt or creation of a record;
b) when the status of a record changes;
c) when records no longer have any administrative, legislative, historical, or cultural value; or
d) for long term preservation and archival purposes.
As set out in ISO 15489-1, taking a managed and documented approach to the disposition of records is
an important aspect of the efficient and accountable management of records, and is part of a structured
approach to records management.
Such an approach is normally considered during appraisal, subsequent retention schedule development, and
records systems design. In best practice, disposition is part of business activities, rather than an ad hoc
activity, and is done regularly according to records requirements.
Planning for, and having efficient and authorized systems and processes in place to guide disposition
supports accountability, efficiency, and good governance, while ensuring that records are controlled in an
appropriate manner for a range of purposes.
This document assumes that requirements related to the disposition of records are identified during
appraisal, as described in ISO/TR 21946.
Appraisal is the process of analysing and evaluating business functions and processes, business context,
and risk to determine records requirements. Results of the appraisal can be used in disposition decisions.
Appraisal decisions should be implemented through processes documented in disposition authorities or
other instruments.
This document is not intended to give guidance on how the appraisal process is designed, implemented, or
undertaken. Guidance on appraisal can be found in ISO/TR 21946.
Implementing a disposition authority involves carrying out the disposition actions identified through the
appraisal process. It is a process that includes:
— reviewing whether it is permitted for records to be disposed of;
— undertaking the disposition action;
— documenting that the disposition has taken place.
Disposition actions are usually undertaken on a regular and routine basis. However, some disposition actions
can require a one-off or ad hoc process. For example, when a record is sold to a third party for commercial
purposes or when an organizational function is transferred to another agency. In these circumstances, the
implementation of disposition is appropriate to the disposition action and risk management considerations.
This document also supports organizations in implementing disposition by design, which involves analysing
disposition requirements and implementing measures at early stages of the design and development of
products, processes, systems or services that involve handling records.

v
Technical Specification ISO/TS 7538:2024(en)
Functional requirements for disposition of records
1 Scope
This document identifies the purpose and benefits of disposition and provides organizations with guidance
about how to manage disposition-related processes. In particular, it:
— specifies responsibilities for records disposition processes;
— provides guidance on the key areas against which records disposition processes can be assessed;
— provides requirements and guidance for those implementing disposition processes; and
— provides guidance on how to integrate records disposition processes into an organization’s operations.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 15489-1, Information and documentation — Records management — Part 1: Concepts and principles
ISO 18128, Information and documentation — Records risks — Risk assessment for records management
ISO 16175-1:2020, Information and documentation — Processes and functional requirements for software for
managing records — Part 1: Functional requirements and associated guidance for any applications that manage
digital records
ISO 30300, Information and documentation — Records management — Core concepts and vocabulary
ISO 31000, Risk management — Guidelines
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
disposition action
action taken to dispose of a record in response to the applicable disposition authority
Note 1 to entry: individual entry in the disposition authority usually includes a disposition action along with a
retention period and an event from which the disposal date should be calculated.
3.2
disposition trigger
event that triggers the start of the retention period or the execution of the disposition action

4 Purpose and benefits
Disposition supports effective business, compliance and mitigation of security and privacy risks. Examples
of benefits of disposition are listed below.
From a business point of view:
— cost reduction, workload reduction, release of resources and storage (including cloud);
— reduction of the cost of supporting legacy infrastructure;
— enhancement of operating efficiency (e.g. search efficiency);
— elimination of health hazards (e.g. mould or pest infestation); and
— management of corporate data, information, records, and knowledge (including rearrangement,
archiving).
From a societal point of view:
— preservation of memory and knowledge of permanent value; and
— reduction of the environmental impact of storage and management to support action on climate change.
From a legal point of view:
— compliance (e.g. with archival law, privacy laws); and
— enhancement of legal and evidentiary value of digital copies by disposing of paper-based originals, after
following the guidelines for digitization of records as described in ISO/TR 13028
From a risk management point of view:
— reduction of the risk of security incidents, such as disclosure of sensitive and confidential information; and
— reduction of the risks to the business that can occur when records retention is not managed in accordance
with business requirements.
Disposition benefits should be considered along with the relevant costs and risks.
5 Principles
The organization shall comply with the following principles when performing disposition:
— legality: decisions about disposition of records are based on applicable legal requirements;
— authority: disposition of records shall be authorized by top management or delegate;
— accountability: top management shall be accountable for the disposition of records for which they are
responsible;
— informed decision making: disposition actions shall be based on an informed decision-making process;
— justification: disposition actions and retention periods for the records shall be justified;
— planning: disposition of records shall be planned and undertaken according to any existing external and
internal requirements and integrated into the organization's business processes and programs;
— timeliness: records shall be disposed of in a timely manner;
— security: disposition of records shall be undertaken using a secure method so that the content is protected
and is not inadvertently released or lost;

— by design: disposition of records shall be considered from the first stages of systems and processes
design; and
— sustainability: disposition of records shall be undertaken in accordance with sustainability requirements.
6 Disposition requirements
6.1 General
Disposition is an integral part of records management. Organizations shall consider decisions about
disposition throughout the records management process. The development of disposition authorities,
including retention schedules, and determination of whether records should be destroyed at the end of their
life-cycle or transferred to another entity are informed by the results of the appraisal process. Consideration
of disposition processes can also help prevent the imposition of legal or regulatory sanctions.
It is important to recognize disposition as a part of good records management processes, controls, and
systems. Effective disposition requires records to be managed in accordance with ISO 15489-1. Disposition
is part of a management system for records as described in ISO 30301.
Records systems and processes shall be designed to support disposition.
In cases where records are created within a business system, incorporating disposition by design as an
integral component of systems architecture is particularly important. This integration enables the efficient
and effective disposition of records when the time is right. By integrating disposition considerations during
the design phase, organizations can ensure the appropriate management and disposition of records in
compliance with legal and operational requirements.
When the records system and process are designed, it is important to consider data, information, and/or
records disposition issues from the early stages of their development. Such an approach follows the principle
of disposition by design, and covers:
— the disposition-related functionality in systems;
— the defining and assigning tasks and responsibilities as part of disposition processes; and
— the information architecture of the solutions (e.g. database structures).
Implementing disposition by design means adhering to the following principles:
— integrating disposition requirements into the design of systems and processes; and
— proactive implementation of disposition measures to anticipate risks and prevent negative events.
6.2 Governance of disposition
6.2.1 General
Regular and routine disposition begins with a records management framework, including procedures for
the creation and classification of records, and is supported by appropriate technical and personnel support.
Staff undertaking disposition shall have an appropriate knowledge of the value of the records and the
organizational policies and procedures relevant to the disposition activities that they carry out.
It is important that disposition is appropriately authorized.
6.2.2 Authorization of disposition
Disposition authorities are instruments that define and prescribe the disposition actions for different
record groups or classes. They support organizational accountability by providing evidence of decisions and
justification of actions, in the event that they are challenged.

Disposition authorities shall be based on the analysis of the legal, regulatory, policy, business, and societal
requirements that impact different record types. This means that the level of detail shall match the nature of
the records being disposed of and the contingent risks. The decision makers shall be confident that there is
no legitimate operational, legal or audit need for the organization to retain the records. This means that the
nature of the records being disposed of shall determine the appropriate level of organizational authorization.
For example, disposition of ephemeral or facilitative records may be authorized by an organizational
policy and implemented by the records’ creator. Disposition of core operational records, however, shall be
documented with the appropriate detail, and then approved by an appropriate person(s) who can ensure
that there is no legitimate operational, legal or audit need for the records to be further retained.
Disposition authorities should be concise and easy to understand and use.
In public organizations, disposition authorities can be authorized by an external archive authority or
regulator. However, private organizations can also develop disposition authorities based on their own
business needs and regulatory requirements.
The development of disposition authorities is described in ISO 15489-1.
Disposition shall be undertaken as set out in authorised disposition authorities. Some disposition authorities
can cover the whole organization where others can represent different functions or parts of the organization.
Care shall be taken to ensure that all relevant disposition authorities are taken into account (and reconciled
where appropriate) in the framework of an organisation’s disposition program. This is particularly so in
organizations that operate across multiple jurisdictions.
It is also possible that some records are covered by several disposition authorities or parts of disposition
authorities. In such cases, they shall be retained until the longest retention period elapses.
From a records management point of view, an entry in a disposition authority typically defines:
— the records covered;
— the status of a record;
— relevant legislative and regulatory references;
— references to other relevant disposition authorities;
— the disposition trigger initiating the retention period;
— retention periods;
— disposition actions;
— due diligence (see 6.4.2); and
— roles and responsibilities for managing the disposition.
6.2.3 Reviewing and updating disposition authorities
Context changes can affect records management requirements in ways that require a revision of the original
appraisal decision or the application of a disposition authority. These can include:
— ongoing business needs;
— the need to retain records for foreseeable, pending, or actual legal action or investigations;
— changes to legislative or regulatory requirements;
— administrative changes affecting an organization’s functions or business activities; and
— changes in societal expectations for the disposition of records.

It is important that the organization regularly reviews and, when necessary, updates disposition authorities
so that they are aligned with their current environment. Superseded versions of disposition authorities shall
be retained to demonstrate the legality and consistency of past disposition actions.
6.3 Disposition policies
Disposition shall be supported by policies stating the organization’s commitment to a compliant, equitable
and efficient approach. The policy shall also clearly define relevant responsibilities and identify relevant
stakeholders. Documenting disposition policies supports organizational accountability by providing
evidence of recognition and response to organizational change. This enables organizations to defend their
disposition decisions and actions if challenged.
Organizations shall document disposition policies and consider the following:
— the legislative framework under which it operates;
— the interests of relevant stakeholders, including other organizations;
— how the organization manages its records in relation to its functions; and
— the level of documentation that is required to be created or maintained.
The policies shall be reassessed in the event of substantial contextual changes.
This recommendation shall be understood and implemented in line with routine business practices and
available resources. This means that the level of detail in the policies shall reflect the nature of the records
being disposed of and the contingent risks.
6.4 Disposition processes
6.4.1 General
All aspects of disposition
...