SIST-TP ISO/TR 21946:2021
(Main)Information and documentation -- Appraisal for managing records
Information and documentation -- Appraisal for managing records
This document provides guidance on how to carry out appraisal for managing records. It describes some of the products and outcomes that can be delivered using the results of appraisal. As such, this document describes a practical application of the concept of appraisal outlined in ISO 15489-1.
This document:
a) lists some of the main purposes for appraisal;
b) describes the importance of establishing scope for appraisal;
c) explains how to analyse business functions and develop an understanding of their context;
d) explains how to identify records requirements;
e) describes the relationships between records requirements, business functions and work processes;
f) explains how to use risk assessment for making decisions related to records;
g) lists options for documenting the results of appraisal;
h) describes possible uses for the results of appraisal; and
i) explains the importance of monitoring and review of the execution of appraisal decisions.
This document can be used by all organizations regardless of size, nature of their business activities, or the complexity of their functions and structure.
Information et documentation -- Evaluation dans le cadre de (pour) la gestion des documents d'activité
Le pr�sent document fournit des recommandations concernant la mani�re de r�aliser une �valuation dans le cadre de la gestion des documents d'activit�. Il d�crit certains des produits et r�sultats qu'il est possible de mettre en œuvre dans le sillage de l'�valuation. Ainsi, le pr�sent document d�crit une application pratique du concept d'�valuation d�crit dans l'ISO 15489‑1.
Le pr�sent document:
a) �tablit une liste des principaux objectifs de l'�valuation;
b) d�crit l'importance de l'�tablissement du p�rim�tre de l'�valuation;
c) explique comment analyser les fonctions de chaque activit� et comprendre leur contexte;
d) explique comment identifier les exigences relatives aux documents d'activit�;
e) d�crit les relations entre les exigences relatives aux documents d'activit�, les fonctions et les processus de travail;
f) explique comment utiliser l'appr�ciation des risques pour prendre des d�cisions li�es aux documents d'activit�;
g) �tablit la liste des options de documentation des r�sultats de l'�valuation;
h) d�crit les utilisations possibles des r�sultats de l'�valuation; et
i) explique l'importance de la surveillance et de la revue de la mise en pratique des d�cisions suite � l'�valuation.
Le pr�sent document peut �tre utilis� par tous les organismes, ind�pendamment de leur taille, de la nature de leurs activit�s ou de la complexit� de leurs fonctions et de leur structure.
Informatika in dokumentacija - Ocenjevanje upravljanja zapisov
General Information
Buy Standard
Standards Content (Sample)
SLOVENSKI STANDARD
SIST-TP ISO/TR 21946:2021
01-februar-2021
Informatika in dokumentacija - Ocenjevanje upravljanja zapisov
Information and documentation -- Appraisal for managing records
Information et documentation -- Evaluation dans le cadre de (pour) la gestion des
documents d'activité
Ta slovenski standard je istoveten z: ISO/TR 21946:2018
ICS:
01.140.20 Informacijske vede Information sciences
SIST-TP ISO/TR 21946:2021 en,fr
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
---------------------- Page: 1 ----------------------
SIST-TP ISO/TR 21946:2021
---------------------- Page: 2 ----------------------
SIST-TP ISO/TR 21946:2021
TECHNICAL ISO/TR
REPORT 21946
First edition
2018-11
Information and documentation —
Appraisal for managing records
Information et documentation — Evaluation dans le cadre de (pour)
la gestion des documents d'activité
Reference number
ISO/TR 21946:2018(E)
©
ISO 2018
---------------------- Page: 3 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved
---------------------- Page: 4 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Appraisal process . 2
5 Information gathering and analysis . 3
5.1 General . 3
5.2 Determining the scope of appraisal . 4
5.3 Determining who to involve in the appraisal process . 4
5.4 Information gathering . 5
5.5 Analysis of the business context . 6
5.6 Analysis of the technological context . 6
5.7 Functional analysis . 7
5.8 Sequential analysis . 7
5.9 Identification of agents . 7
5.10 Identification of business critical areas . 8
5.11 Determining records requirements . 9
5.11.1 General. 9
5.11.2 Business needs for records . 9
5.11.3 Legal and regulatory requirements for records .10
5.11.4 Community or societal expectations for records .10
6 Assessment and implementation .11
6.1 General .11
6.2 Linking records requirements to business functions and work processes .11
6.3 Assessment and treatment of risks associated with the implementation of records
requirements .13
6.4 Documentation of the appraisal process .15
6.5 Using the results of the appraisal process .16
7 Monitoring .17
8 Review and corrective action .17
Bibliography .18
© ISO 2018 – All rights reserved iii
---------------------- Page: 5 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2018 – All rights reserved
---------------------- Page: 6 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
Introduction
Appraisal for managing records is the recurrent process of evaluating business activities to determine
which records need to be created and captured as well as how and how long the records need to be
kept. It combines an understanding of business activities and their contexts with
— the identification of business needs, regulatory requirements and societal expectations relating to
records, and
— the assessment of opportunities and risks associated with the creation and management records.
Regular, systematic appraisal for managing records has a range of benefits, including:
— compliance with legal/regulatory requirements for records;
— satisfaction of business needs in managing records, and providing for timely disposition of records;
— identification of requirements for continuing retention of records as archives;
— implementation of measures to protect and manage records according to their level of criticality for
the organization and/or their retention requirements;
— improvement of organizational efficiency through proper use of resources;
— the effective management of risk related to records;
— greater accountability for decisions about the creation, capture and management of records.
In some records and archives management traditions, appraisal for managing records is solely used as
an instrument to identify retention requirements for records or to create a disposition authority. The
concept of appraisal as described in ISO 15489-1 is, however, meant to be used in a broader way. It can
be used to identify different types of requirements related to creating, capturing and managing records
over time and to implement them in ways that are suited to changing contexts. In this way, appraisal
can support accountability and more efficient business.
The results of appraisal can be used in the development of policies, systems and processes, as well as to
develop a range of records controls. These controls include metadata schemas, business classification
schemes, access and permissions rules and disposition authorities. In some jurisdictions, appraisal for
managing records, or parts of it, can be required by law or regulation as a precursor to the development
of such tools.
Appraisal is a strategic and proactive approach to the creation, capture and management of records,
rather than a reactive one.
Appraisal is accountable and consultative, and, in certain cases, should be conducted in partnership
with stakeholders with interests in the creation, capture and management of particular classes of
records.
The advice on appraisal for managing records in this document can be used if an organization is
implementing a management system for records (MSR) following ISO 30301. In the management
system standards approach, appraisal can help to meet requirements related to the “Context of the
organization” and “Operational planning”.
© ISO 2018 – All rights reserved v
---------------------- Page: 7 ----------------------
SIST-TP ISO/TR 21946:2021
---------------------- Page: 8 ----------------------
SIST-TP ISO/TR 21946:2021
TECHNICAL REPORT ISO/TR 21946:2018(E)
Information and documentation — Appraisal for
managing records
1 Scope
This document provides guidance on how to carry out appraisal for managing records. It describes
some of the products and outcomes that can be delivered using the results of appraisal. As such, this
document describes a practical application of the concept of appraisal outlined in ISO 15489-1.
This document:
a) lists some of the main purposes for appraisal;
b) describes the importance of establishing scope for appraisal;
c) explains how to analyse business functions and develop an understanding of their context;
d) explains how to identify records requirements;
e) describes the relationships between records requirements, business functions and work processes;
f) explains how to use risk assessment for making decisions related to records;
g) lists options for documenting the results of appraisal;
h) describes possible uses for the results of appraisal; and
i) explains the importance of monitoring and review of the execution of appraisal decisions.
This document can be used by all organizations regardless of size, nature of their business activities, or
the complexity of their functions and structure.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 15489-1, Information and documentation — Part 1: Concepts and principles
3 Terms and definitions
For the purposes of this document, terms and definitions given in ISO 15489-1 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
© ISO 2018 – All rights reserved 1
---------------------- Page: 9 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
4 Appraisal process
Appraisal for managing records involves analysis of context(s) in which business activities occur, in
order to
— determine records requirements,
— understand which areas of business are regarded, by stakeholders, as critical to achieving agreed
goals in an organizations, and
— identify and assess risks related to records.
The results of the appraisal process should be used to proactively design records controls and processes
to best support business activities and technologies in order to ensure agreed records requirements
are met over time.
Appraisal for managing records considers the needs of the agents directly involved in the business
activities, but also related internal and external stakeholders and wider societal needs. In this way,
management of records for both business and other purposes can be designed cohesively.
The context in which business is conducted, the business activities themselves as well as their records
requirements, and risk identification will change over time. As a result, appraisal for managing records
is a necessarily recurrent activity.
The representation of appraisal activities shown in Figure 1 reflects the continuous cycle of this work, as
needs and circumstances affecting the creation, capture and management of records change over time.
NOTE Appraisal for managing records is a continuous improvement cycle.
Figure 1 — Recurrent appraisal for managing records
The results of the appraisal process can be used to achieve benefits in a variety of areas, such as in
legal compliance, risk management, information security, protection of privacy, reuse of information
or the protection of archival records. It could also be used as a means to determine which records can
be made available to the public, in support of the implementation of public information disclosure laws
and regulations.
2 © ISO 2018 – All rights reserved
---------------------- Page: 10 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
Certain events could trigger appraisal for managing records.
For example, when there are new
— entities being established,
— legal and regulatory requirements, changes in legal practice and law enforcement, or contractual
obligations,
— technologies and systems, or
— arrangements for managing records such as cross jurisdictional collaborations on shared projects.
Or, changes such as
— organizational structures or mergers,
— new or altered regulatory requirements,
— new or altered business functions or activities, or
— changes in public expectations regarding the management of records of the organization concerned,
including new expectations regarding access and usability.
Issues relating to the creation and management of records, such as missing records (which should
have been created), unauthorized access to records, or unauthorized disposal of records could also be
triggers for a process of appraisal.
The frequency and scale in which appraisal for managing records is carried out will vary from one case
to the next. For example, an organization with a very stable regulatory framework and business that
rarely change could conduct appraisal less frequently than one that is subject to frequent change. The
appraisal process can be modified in scale or scope, depending on the desired outcome (see 5.2).
Appraisal for managing records is conducted in a consistent and accountable way. This means:
— conducting appraisal with a clear mandate and authorization;
— keeping documentation of the research, analysis and consultation with stakeholders done as part of
the process, as records;
— being consistent in decisions, and using past decisions to check precedents;
— justifying decisions made and keeping documentation of such justifications.
5 Information gathering and analysis
5.1 General
The appraisal process comprises a number of types of analysis, which can be carried out consecutively
or simultaneously. They include the following:
— achieving an understanding of the context in which the appraisal work is being conducted, including
organizational, technological and business-related features;
— analysis of the business functions themselves;
— analysis of requirements for records from a business, legal and societal point of view;
— identification and analysis of risks that are associated with the creation, capture and management
of records.
© ISO 2018 – All rights reserved 3
---------------------- Page: 11 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
Some types of analysis, such as an analysis of the business context, may already have been carried
out by other disciplines in the organization, such as information security. It is recommended to check
whether the required analysis has been carried out already and whether the results obtained can be
reused for the purpose of appraisal.
It is important to note that the identification of risk occurs throughout the appraisal process in three
different ways:
— when looking at the organizational context in which the process is occurring, internal and external
risks affecting the organization and its stakeholders can be identified;
— during the analysis of business activity in relation to particular functions, activities or work
processes during the analysis of business activity. For example, the risks associated with poor
management of records of citizen-centric public services or with personally identifiable information
could be greater than those associated with other administrative activities;
— during the identification of the risks that could be managed through meeting identified records
requirements.
After the identification of risks, an analysis and evaluation should be done (in accordance with risk
management practices of the organization, if these exist). This assists in making decisions about how
requirements should be met, and the appropriate investment of resources to do so. This aspect of the
assessment and treatment of risk is further described in 6.3.
The results of analysis conducted in appraisal for managing records can be used to develop other tools
and resources that are valuable in the creation, capture and management of records (see 6.5).
5.2 Determining the scope of appraisal
Each time an appraisal process is commenced, its scope needs to be clearly defined. The events
triggering appraisal and the role and responsibility of the person(s) doing the appraisal will directly
influence its scope. In turn, the scope of appraisal will influence the kind of agents involved in the
process. For instance, a scope with a strong societal focus will require a larger involvement of external
agents in comparison to a scope with a strong business focus alone, which would require expanded
involvement of business representatives. The scope of appraisal may change in terms of the business
functions and activities it covers, or the parts of the analysis that receive the greatest attention.
EXAMPLE 1 An appraisal process could be carried out by a manager responsible for a business system that is
being replaced. The system supports a single function but one that is performed by a number of organizational
entities, working collaboratively online. Here, the scope is limited to the one function but considers the contexts
of each of the participating organizational entities, their risks and requirements.
EXAMPLE 2 In the process of a merger, an organization’s functions are analysed in order to make decisions
regarding migration of records to new systems and other matters such as the integration of disposition
authorities. The scope of the appraisal process here would need to cover the business functions of both entities.
EXAMPLE 3 An appraisal process that is being carried out with a view to defining records requirements for
inclusion in the specifications of a new business system would involve a greater emphasis on the analysis of the
business functions supported by the system, as opposed to appraisal that is done with a view to developing a
disposition authority that covers all of an organization’s business.
EXAMPLE 4 An appraisal process that is carried out in order to develop disposition rules across an entire
jurisdiction, with a view to the identification of classes of records to be retained as archives, will have a broad
scope encompassing a high level analysis of business context, functions and activities, requirements and risk
across the entire jurisdiction. This is to ensure consistency in decisions made. In some cases, such appraisal is
carried out in one stage covering the entire jurisdiction, and in others in multiple stages, in conjunction with
organizations within the jurisdiction.
5.3 Determining who to involve in the appraisal process
Appraisal for managing records is fundamental to the work of records professionals, making them the
most appropriate group to plan and lead appraisal activities.
4 © ISO 2018 – All rights reserved
---------------------- Page: 12 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
Other individuals or groups should be involved in one or more steps of the appraisal process. The
involvement of others will depend on the purpose and scope of the appraisal process, and the focus of
the analysis. These will include internal agents and stakeholders, such as
— business representatives,
— legal representatives,
— senior/top management,
— governance bodies such as boards of directors or audit boards,
— allied information management professionals such as privacy officers, librarians, preservation
specialists or those responsible for data and transparency,
— communications professionals, and/or
— information technology specialists.
External agents and stakeholders should also be consulted or involved as appropriate. These may
include people and groups such as
— shareholders,
— customers or clients,
— external audit or regulatory authorities,
— subject matter experts, members of professional associations or academics,
— representatives of archival institutions,
— transparency advocates,
— privacy experts,
— information security experts,
— people or groups affected by government or corporate activities, and/or
— individuals who are the subjects of records, such as individuals who have been under the care of the
state when they were children, or individuals who have received aid and services from governments.
5.4 Information gathering
Appraisal for managing records relies on the identification of stakeholders and other sources of
information which contain information on the business and technological context, business functions,
risks and requirements. Such sources and stakeholders should be recorded as they are identified, as
part of an accountable, well-documented appraisal process.
Documentary sources relating to, as well as stakeholders in the business functions should be identified,
as these are sources of information for the analysis. Such sources and stakeholders should be used
for various types of analysis conducted throughout an appraisal process. Examples of documentary
sources include
— structural charts,
— risk registers,
— enterprise architecture documents,
— reports to governing authorities or stakeholders,
— systems documentation,
© ISO 2018 – All rights reserved 5
---------------------- Page: 13 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
— audit reports,
— records of interviews with business representatives or other stakeholders,
— media reporting, and/or
— inventories of existing systems used for managing records.
Examples of stakeholders could include:
— the groups and individuals identified as needing to be involved in the appraisal for managing records
process (see 5.3),
— managers, information technology professionals and organizational staff directly involved in the
business that is in scope, or
— customers/clients affected by the business that is in scope.
5.5 Analysis of the business context
In appraisal for managing records, analysis is done to gain understanding of the business context in
which business activity takes place. Documentary sources and interviews with the stakeholders that
have been identified as part of the information gathering should be used as the basis for the analysis.
Specific subjects of analysis should be the internal and external factors affecting the operations of the
organization, and could include:
— the behaviour and strategic directions of the business entity;
— the operational, legal and other requirements which apply to it;
— its resourcing;
— stakeholder requirements;
— broad risks that it should manage;
— at a high level, the functions and work processes that it performs.
The outcomes of the analysis of the business context should be documented and reviewed periodically
to ensure that changes in the environment are identified and assessed. Source documents for the
analysis and any authorizations should be retained as records, as such documentation supports and
provides justification for appraisal decision-making.
5.6 Analysis of the technological context
An analysis of existing technologies in use provides a view of the opportunities and constraints
for future methods and tools for creating and managing records, and should assist in making
implementable appraisal decisions. It can also inform design and implementation choices for the tools
and resources developed using the results of appraisal (see 6.5). Using the documentary sources and
stakeholders identified to be relevant for this purpose, the following factors could be taken into account
to understand the existing technological environment:
— technologies that are maintained solely by the organization, as well as technologies used for
collaboration with other parties;
— use of existing (legacy) systems;
— use of outsourced services, such as cloud-based technologies;
— technical standards required to be implemented, or preferred;
6 © ISO 2018 – All rights reserved
---------------------- Page: 14 ----------------------
SIST-TP ISO/TR 21946:2021
ISO/TR 21946:2018(E)
— the range of formats that information, including records, is processed and retained in;
— available knowledge of existing technologies, systems and standards, used both within the
organization and out
...
TECHNICAL ISO/TR
REPORT 21946
First edition
2018-11
Information and documentation —
Appraisal for managing records
Information et documentation — Evaluation dans le cadre de (pour)
la gestion des documents d'activité
Reference number
ISO/TR 21946:2018(E)
©
ISO 2018
---------------------- Page: 1 ----------------------
ISO/TR 21946:2018(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/TR 21946:2018(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Appraisal process . 2
5 Information gathering and analysis . 3
5.1 General . 3
5.2 Determining the scope of appraisal . 4
5.3 Determining who to involve in the appraisal process . 4
5.4 Information gathering . 5
5.5 Analysis of the business context . 6
5.6 Analysis of the technological context . 6
5.7 Functional analysis . 7
5.8 Sequential analysis . 7
5.9 Identification of agents . 7
5.10 Identification of business critical areas . 8
5.11 Determining records requirements . 9
5.11.1 General. 9
5.11.2 Business needs for records . 9
5.11.3 Legal and regulatory requirements for records .10
5.11.4 Community or societal expectations for records .10
6 Assessment and implementation .11
6.1 General .11
6.2 Linking records requirements to business functions and work processes .11
6.3 Assessment and treatment of risks associated with the implementation of records
requirements .13
6.4 Documentation of the appraisal process .15
6.5 Using the results of the appraisal process .16
7 Monitoring .17
8 Review and corrective action .17
Bibliography .18
© ISO 2018 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/TR 21946:2018(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2018 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/TR 21946:2018(E)
Introduction
Appraisal for managing records is the recurrent process of evaluating business activities to determine
which records need to be created and captured as well as how and how long the records need to be
kept. It combines an understanding of business activities and their contexts with
— the identification of business needs, regulatory requirements and societal expectations relating to
records, and
— the assessment of opportunities and risks associated with the creation and management records.
Regular, systematic appraisal for managing records has a range of benefits, including:
— compliance with legal/regulatory requirements for records;
— satisfaction of business needs in managing records, and providing for timely disposition of records;
— identification of requirements for continuing retention of records as archives;
— implementation of measures to protect and manage records according to their level of criticality for
the organization and/or their retention requirements;
— improvement of organizational efficiency through proper use of resources;
— the effective management of risk related to records;
— greater accountability for decisions about the creation, capture and management of records.
In some records and archives management traditions, appraisal for managing records is solely used as
an instrument to identify retention requirements for records or to create a disposition authority. The
concept of appraisal as described in ISO 15489-1 is, however, meant to be used in a broader way. It can
be used to identify different types of requirements related to creating, capturing and managing records
over time and to implement them in ways that are suited to changing contexts. In this way, appraisal
can support accountability and more efficient business.
The results of appraisal can be used in the development of policies, systems and processes, as well as to
develop a range of records controls. These controls include metadata schemas, business classification
schemes, access and permissions rules and disposition authorities. In some jurisdictions, appraisal for
managing records, or parts of it, can be required by law or regulation as a precursor to the development
of such tools.
Appraisal is a strategic and proactive approach to the creation, capture and management of records,
rather than a reactive one.
Appraisal is accountable and consultative, and, in certain cases, should be conducted in partnership
with stakeholders with interests in the creation, capture and management of particular classes of
records.
The advice on appraisal for managing records in this document can be used if an organization is
implementing a management system for records (MSR) following ISO 30301. In the management
system standards approach, appraisal can help to meet requirements related to the “Context of the
organization” and “Operational planning”.
© ISO 2018 – All rights reserved v
---------------------- Page: 5 ----------------------
TECHNICAL REPORT ISO/TR 21946:2018(E)
Information and documentation — Appraisal for
managing records
1 Scope
This document provides guidance on how to carry out appraisal for managing records. It describes
some of the products and outcomes that can be delivered using the results of appraisal. As such, this
document describes a practical application of the concept of appraisal outlined in ISO 15489-1.
This document:
a) lists some of the main purposes for appraisal;
b) describes the importance of establishing scope for appraisal;
c) explains how to analyse business functions and develop an understanding of their context;
d) explains how to identify records requirements;
e) describes the relationships between records requirements, business functions and work processes;
f) explains how to use risk assessment for making decisions related to records;
g) lists options for documenting the results of appraisal;
h) describes possible uses for the results of appraisal; and
i) explains the importance of monitoring and review of the execution of appraisal decisions.
This document can be used by all organizations regardless of size, nature of their business activities, or
the complexity of their functions and structure.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 15489-1, Information and documentation — Part 1: Concepts and principles
3 Terms and definitions
For the purposes of this document, terms and definitions given in ISO 15489-1 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
© ISO 2018 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/TR 21946:2018(E)
4 Appraisal process
Appraisal for managing records involves analysis of context(s) in which business activities occur, in
order to
— determine records requirements,
— understand which areas of business are regarded, by stakeholders, as critical to achieving agreed
goals in an organizations, and
— identify and assess risks related to records.
The results of the appraisal process should be used to proactively design records controls and processes
to best support business activities and technologies in order to ensure agreed records requirements
are met over time.
Appraisal for managing records considers the needs of the agents directly involved in the business
activities, but also related internal and external stakeholders and wider societal needs. In this way,
management of records for both business and other purposes can be designed cohesively.
The context in which business is conducted, the business activities themselves as well as their records
requirements, and risk identification will change over time. As a result, appraisal for managing records
is a necessarily recurrent activity.
The representation of appraisal activities shown in Figure 1 reflects the continuous cycle of this work, as
needs and circumstances affecting the creation, capture and management of records change over time.
NOTE Appraisal for managing records is a continuous improvement cycle.
Figure 1 — Recurrent appraisal for managing records
The results of the appraisal process can be used to achieve benefits in a variety of areas, such as in
legal compliance, risk management, information security, protection of privacy, reuse of information
or the protection of archival records. It could also be used as a means to determine which records can
be made available to the public, in support of the implementation of public information disclosure laws
and regulations.
2 © ISO 2018 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/TR 21946:2018(E)
Certain events could trigger appraisal for managing records.
For example, when there are new
— entities being established,
— legal and regulatory requirements, changes in legal practice and law enforcement, or contractual
obligations,
— technologies and systems, or
— arrangements for managing records such as cross jurisdictional collaborations on shared projects.
Or, changes such as
— organizational structures or mergers,
— new or altered regulatory requirements,
— new or altered business functions or activities, or
— changes in public expectations regarding the management of records of the organization concerned,
including new expectations regarding access and usability.
Issues relating to the creation and management of records, such as missing records (which should
have been created), unauthorized access to records, or unauthorized disposal of records could also be
triggers for a process of appraisal.
The frequency and scale in which appraisal for managing records is carried out will vary from one case
to the next. For example, an organization with a very stable regulatory framework and business that
rarely change could conduct appraisal less frequently than one that is subject to frequent change. The
appraisal process can be modified in scale or scope, depending on the desired outcome (see 5.2).
Appraisal for managing records is conducted in a consistent and accountable way. This means:
— conducting appraisal with a clear mandate and authorization;
— keeping documentation of the research, analysis and consultation with stakeholders done as part of
the process, as records;
— being consistent in decisions, and using past decisions to check precedents;
— justifying decisions made and keeping documentation of such justifications.
5 Information gathering and analysis
5.1 General
The appraisal process comprises a number of types of analysis, which can be carried out consecutively
or simultaneously. They include the following:
— achieving an understanding of the context in which the appraisal work is being conducted, including
organizational, technological and business-related features;
— analysis of the business functions themselves;
— analysis of requirements for records from a business, legal and societal point of view;
— identification and analysis of risks that are associated with the creation, capture and management
of records.
© ISO 2018 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/TR 21946:2018(E)
Some types of analysis, such as an analysis of the business context, may already have been carried
out by other disciplines in the organization, such as information security. It is recommended to check
whether the required analysis has been carried out already and whether the results obtained can be
reused for the purpose of appraisal.
It is important to note that the identification of risk occurs throughout the appraisal process in three
different ways:
— when looking at the organizational context in which the process is occurring, internal and external
risks affecting the organization and its stakeholders can be identified;
— during the analysis of business activity in relation to particular functions, activities or work
processes during the analysis of business activity. For example, the risks associated with poor
management of records of citizen-centric public services or with personally identifiable information
could be greater than those associated with other administrative activities;
— during the identification of the risks that could be managed through meeting identified records
requirements.
After the identification of risks, an analysis and evaluation should be done (in accordance with risk
management practices of the organization, if these exist). This assists in making decisions about how
requirements should be met, and the appropriate investment of resources to do so. This aspect of the
assessment and treatment of risk is further described in 6.3.
The results of analysis conducted in appraisal for managing records can be used to develop other tools
and resources that are valuable in the creation, capture and management of records (see 6.5).
5.2 Determining the scope of appraisal
Each time an appraisal process is commenced, its scope needs to be clearly defined. The events
triggering appraisal and the role and responsibility of the person(s) doing the appraisal will directly
influence its scope. In turn, the scope of appraisal will influence the kind of agents involved in the
process. For instance, a scope with a strong societal focus will require a larger involvement of external
agents in comparison to a scope with a strong business focus alone, which would require expanded
involvement of business representatives. The scope of appraisal may change in terms of the business
functions and activities it covers, or the parts of the analysis that receive the greatest attention.
EXAMPLE 1 An appraisal process could be carried out by a manager responsible for a business system that is
being replaced. The system supports a single function but one that is performed by a number of organizational
entities, working collaboratively online. Here, the scope is limited to the one function but considers the contexts
of each of the participating organizational entities, their risks and requirements.
EXAMPLE 2 In the process of a merger, an organization’s functions are analysed in order to make decisions
regarding migration of records to new systems and other matters such as the integration of disposition
authorities. The scope of the appraisal process here would need to cover the business functions of both entities.
EXAMPLE 3 An appraisal process that is being carried out with a view to defining records requirements for
inclusion in the specifications of a new business system would involve a greater emphasis on the analysis of the
business functions supported by the system, as opposed to appraisal that is done with a view to developing a
disposition authority that covers all of an organization’s business.
EXAMPLE 4 An appraisal process that is carried out in order to develop disposition rules across an entire
jurisdiction, with a view to the identification of classes of records to be retained as archives, will have a broad
scope encompassing a high level analysis of business context, functions and activities, requirements and risk
across the entire jurisdiction. This is to ensure consistency in decisions made. In some cases, such appraisal is
carried out in one stage covering the entire jurisdiction, and in others in multiple stages, in conjunction with
organizations within the jurisdiction.
5.3 Determining who to involve in the appraisal process
Appraisal for managing records is fundamental to the work of records professionals, making them the
most appropriate group to plan and lead appraisal activities.
4 © ISO 2018 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/TR 21946:2018(E)
Other individuals or groups should be involved in one or more steps of the appraisal process. The
involvement of others will depend on the purpose and scope of the appraisal process, and the focus of
the analysis. These will include internal agents and stakeholders, such as
— business representatives,
— legal representatives,
— senior/top management,
— governance bodies such as boards of directors or audit boards,
— allied information management professionals such as privacy officers, librarians, preservation
specialists or those responsible for data and transparency,
— communications professionals, and/or
— information technology specialists.
External agents and stakeholders should also be consulted or involved as appropriate. These may
include people and groups such as
— shareholders,
— customers or clients,
— external audit or regulatory authorities,
— subject matter experts, members of professional associations or academics,
— representatives of archival institutions,
— transparency advocates,
— privacy experts,
— information security experts,
— people or groups affected by government or corporate activities, and/or
— individuals who are the subjects of records, such as individuals who have been under the care of the
state when they were children, or individuals who have received aid and services from governments.
5.4 Information gathering
Appraisal for managing records relies on the identification of stakeholders and other sources of
information which contain information on the business and technological context, business functions,
risks and requirements. Such sources and stakeholders should be recorded as they are identified, as
part of an accountable, well-documented appraisal process.
Documentary sources relating to, as well as stakeholders in the business functions should be identified,
as these are sources of information for the analysis. Such sources and stakeholders should be used
for various types of analysis conducted throughout an appraisal process. Examples of documentary
sources include
— structural charts,
— risk registers,
— enterprise architecture documents,
— reports to governing authorities or stakeholders,
— systems documentation,
© ISO 2018 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/TR 21946:2018(E)
— audit reports,
— records of interviews with business representatives or other stakeholders,
— media reporting, and/or
— inventories of existing systems used for managing records.
Examples of stakeholders could include:
— the groups and individuals identified as needing to be involved in the appraisal for managing records
process (see 5.3),
— managers, information technology professionals and organizational staff directly involved in the
business that is in scope, or
— customers/clients affected by the business that is in scope.
5.5 Analysis of the business context
In appraisal for managing records, analysis is done to gain understanding of the business context in
which business activity takes place. Documentary sources and interviews with the stakeholders that
have been identified as part of the information gathering should be used as the basis for the analysis.
Specific subjects of analysis should be the internal and external factors affecting the operations of the
organization, and could include:
— the behaviour and strategic directions of the business entity;
— the operational, legal and other requirements which apply to it;
— its resourcing;
— stakeholder requirements;
— broad risks that it should manage;
— at a high level, the functions and work processes that it performs.
The outcomes of the analysis of the business context should be documented and reviewed periodically
to ensure that changes in the environment are identified and assessed. Source documents for the
analysis and any authorizations should be retained as records, as such documentation supports and
provides justification for appraisal decision-making.
5.6 Analysis of the technological context
An analysis of existing technologies in use provides a view of the opportunities and constraints
for future methods and tools for creating and managing records, and should assist in making
implementable appraisal decisions. It can also inform design and implementation choices for the tools
and resources developed using the results of appraisal (see 6.5). Using the documentary sources and
stakeholders identified to be relevant for this purpose, the following factors could be taken into account
to understand the existing technological environment:
— technologies that are maintained solely by the organization, as well as technologies used for
collaboration with other parties;
— use of existing (legacy) systems;
— use of outsourced services, such as cloud-based technologies;
— technical standards required to be implemented, or preferred;
6 © ISO 2018 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/TR 21946:2018(E)
— the range of formats that information, including records, is processed and retained in;
— available knowledge of existing technologies, systems and standards, used both within the
organization and outside its perimeter.
The outcomes of the analysis of the technological context should be documented and reviewed
periodically to ensure that changes in the environment are identified and assessed. Source documents
for the analysis and any authorizations should be retained as records, as such documentation supports
and provides justification for appraisal decision-making.
5.7 Functional analysis
Functional analysis is a top-down hierarchical analysis starting with strategic goals and purpose,
and then identifying the functions and activities which support them. At its lowest level, a functional
analysis identifies transactions, which are the smallest parts of work processes.
NOTE Basic steps for undertaking functional analysis are described in ISO TR 26122.
The purpose of this type of analysis is to create a picture of a function through groupings of business
activities and transactions that could be linked to their business context, in order to identify relevant
risks and records requirements.
The outcomes of a functional analysis should be verified in consultati
...
RAPPORT ISO/TR
TECHNIQUE 21946
Première édition
2018-11
Information et documentation —
Evaluation dans le cadre de la gestion
des documents d'activité
Information and documentation — Appraisal for managing records
Numéro de référence
ISO/TR 21946:2018(F)
©
ISO 2018
---------------------- Page: 1 ----------------------
ISO/TR 21946:2018(F)
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO 2018
Tous droits réservés. Sauf prescription différente ou nécessité dans le contexte de sa mise en œuvre, aucune partie de cette
publication ne peut être reproduite ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique,
y compris la photocopie, ou la diffusion sur l’internet ou sur un intranet, sans autorisation écrite préalable. Une autorisation peut
être demandée à l’ISO à l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.
ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Genève
Tél.: +41 22 749 01 11
Fax: +41 22 749 09 47
E-mail: copyright@iso.org
Web: www.iso.org
Publié en Suisse
ii © ISO 2018 – Tous droits réservés
---------------------- Page: 2 ----------------------
ISO/TR 21946:2018(F)
Sommaire Page
Avant-propos .iv
Introduction .v
1 Domaine d'application . 1
2 Références normatives . 1
3 Termes et définitions . 1
4 Processus d'évaluation . 2
5 Collecte et analyse d'informations . 4
5.1 Généralités . 4
5.2 Détermination du périmètre de l'évaluation . 5
5.3 Choix des personnes à impliquer dans le processus d'évaluation . 6
5.4 Collecte d'informations . 6
5.5 Analyse du contexte de l'activité . 7
5.6 Analyse du contexte technologique. 7
5.7 Analyse fonctionnelle . 8
5.8 Analyse séquentielle. 8
5.9 Identification des agents . 8
5.10 Identification des secteurs d'activité critiques . 9
5.11 Détermination des exigences relatives aux documents d'activité .10
5.11.1 Généralités .10
5.11.2 Besoins de l'activité en documents d'activité .10
5.11.3 Exigences juridiques et règlementaires relatives aux documents d'activité .11
5.11.4 Attentes de la société ou de la communauté concernant les documents
d'activité .12
6 Évaluation et mise en œuvre .13
6.1 Généralités .13
6.2 Liens entre les exigences relatives aux documents d'activité et les fonctions et
processus de travail .13
6.3 Évaluation et traitement des risques associés à la mise en œuvre d'exigences
relatives aux documents d'activité .15
6.4 Documentation du processus d'évaluation .18
6.5 Utilisation des résultats du processus d'évaluation .19
7 Surveillance .20
8 Revue et action corrective .20
Bibliographie .22
© ISO 2018 – Tous droits réservés iii
---------------------- Page: 3 ----------------------
ISO/TR 21946:2018(F)
Avant-propos
L'ISO (Organisation internationale de normalisation) est une fédération mondiale d'organismes
nationaux de normalisation (comités membres de l'ISO). L'élaboration des Normes internationales est
en général confiée aux comités techniques de l'ISO. Chaque comité membre intéressé par une étude
a le droit de faire partie du comité technique créé à cet effet. Les organisations internationales,
gouvernementales et non gouvernementales, en liaison avec l'ISO participent également aux travaux.
L'ISO collabore étroitement avec la Commission électrotechnique internationale (IEC) en ce qui
concerne la normalisation électrotechnique.
Les procédures utilisées pour élaborer le présent document et celles destinées à sa mise à jour sont
décrites dans les Directives ISO/IEC, Partie 1. Il convient, en particulier de prendre note des différents
critères d'approbation requis pour les différents types de documents ISO. Le présent document a été
rédigé conformément aux règles de rédaction données dans les Directives ISO/IEC, Partie 2 (voir www
.iso .org/directives).
L'attention est attirée sur le fait que certains des éléments du présent document peuvent faire l'objet de
droits de propriété intellectuelle ou de droits analogues. L'ISO ne saurait être tenue pour responsable
de ne pas avoir identifié de tels droits de propriété et averti de leur existence. Les détails concernant
les références aux droits de propriété intellectuelle ou autres droits analogues identifiés lors de
l'élaboration du document sont indiqués dans l'Introduction et/ou dans la liste des déclarations de
brevets reçues par l'ISO (voir www .iso .org/brevets).
Les appellations commerciales éventuellement mentionnées dans le présent document sont données
pour information, par souci de commodité, à l'intention des utilisateurs et ne sauraient constituer un
engagement.
Pour une explication de la nature volontaire des normes, la signification des termes et expressions
spécifiques de l'ISO liés à l'évaluation de la conformité, ou pour toute information au sujet de l'adhésion
de l'ISO aux principes de l'Organisation mondiale du commerce (OMC) concernant les obstacles
techniques au commerce (OTC), voir le lien suivant: www .iso .org/iso/foreword .html.
Le présent document a été élaboré par le comité technique ISO/TC 46, Information et documentation,
sous-comité SC 11, Archives/Gestion des documents d'activité.
Il convient que l'utilisateur adresse tout retour d'information ou toute question concernant le présent
document à l'organisme national de normalisation de son pays. Une liste exhaustive desdits organismes
se trouve à l'adresse www .iso .org/members .html.
iv © ISO 2018 – Tous droits réservés
---------------------- Page: 4 ----------------------
ISO/TR 21946:2018(F)
Introduction
L'évaluation dans le cadre de la gestion des documents d'activité est le processus récurrent qui consiste
à évaluer les activités professionnelles afin de déterminer les documents d'activité qu'il est nécessaire
de créer et de capturer, et de définir la méthode et la durée de conservation desdits documents. Elle
associe la compréhension des activités professionnelles et de leur contexte
— à l'identification des besoins de l'activité, des exigences règlementaires ainsi que des attentes de la
société par rapport aux documents d'activité, et
— à l'analyse des perspectives et à l’appréciation des risques liés à la création et à la gestion de
documents d'activité.
L'évaluation régulière et systématique de la gestion des documents d'activité présente un certain
nombre d'avantages, notamment:
— assurer la conformité des documents d'activité aux exigences juridiques/réglementaires;
— répondre aux besoins de l'activité dans le cadre de la gestion des documents d'activité et décider du
sort final des documents d'activité en temps voulu;
— identifier les exigences en matière de conservation permanente des documents d'activité en tant
qu'archives;
— mettre en place des mesures afin de protéger et de gérer les documents d'activité selon leur niveau
de criticité pour l'organisme et/ou selon les exigences de conservation auxquelles ils sont soumis;
— améliorer l'efficacité organisationnelle grâce à la bonne utilisation des ressources;
— gérer efficacement les risques liés aux documents d'activité;
— accroître la capacité à rendre compte de décisions concernant la création, la capture et la gestion
des documents d'activité.
Selon certaines pratiques classiques de gestion des documents d'activité et des archives, l'évaluation
dans le cadre de la gestion des documents d'activité est uniquement utilisée en tant qu'instrument pour
identifier les exigences de conservation des documents d'activité ou créer un référentiel de gestion
des documents. Le concept d'évaluation tel que décrit dans l'ISO 15489-1 a cependant vocation à être
utilisé de façon plus large. Il peut servir à identifier différents types d'exigences relatives à la création,
la capture et la gestion des documents d'activité dans le temps et à les mettre en œuvre de façon
appropriée à des contextes évolutifs. Ainsi, l'évaluation peut renforcer la capacité à rendre compte et
rendre l'activité plus efficace.
Les résultats de l'évaluation peuvent servir à l'élaboration de politiques, de systèmes et de processus,
ainsi qu'au développement d’une série de contrôles des documents d'activité. Ces contrôles comprennent
des référentiels de métadonnées, des plans de classement fonctionnel, des règles d'accès et d'habilitation
et des référentiels de gestion des documents. Dans certaines juridictions, l'évaluation dans le cadre de
la gestion des documents d'activité, ou d'une partie de ces derniers, peut être exigée par la loi ou un
règlement avant le développement de tels outils.
L'évaluation est une approche stratégique et proactive de la création, de la capture et de la gestion des
documents d'activité, et non une approche réactive.
L'évaluation est affaire de responsabilité et de consultation et, dans certains cas, il convient qu'elle soit
menée en collaboration avec les parties prenantes intéressées par la création, la capture et la gestion de
classes particulières de documents d'activité.
Les recommandations relatives à l'évaluation dans le cadre de la gestion des documents d'activité dans
le présent document peuvent être utilisées si un organisme met en place un système de gestion des
documents d'activité (SGDA) conforme aux dispositions de l'ISO 30301. Selon l'approche normalisée
© ISO 2018 – Tous droits réservés v
---------------------- Page: 5 ----------------------
ISO/TR 21946:2018(F)
relative aux systèmes de gestion, l'évaluation peut aider à respecter les exigences liées au «contexte de
l'organisme» et à la «planification opérationnelle».
vi © ISO 2018 – Tous droits réservés
---------------------- Page: 6 ----------------------
RAPPORT TECHNIQUE ISO/TR 21946:2018(F)
Information et documentation — Evaluation dans le cadre
de la gestion des documents d'activité
1 Domaine d'application
Le présent document fournit des recommandations concernant la manière de réaliser une évaluation
dans le cadre de la gestion des documents d'activité. Il décrit certains des produits et résultats qu'il
est possible de mettre en œuvre dans le sillage de l'évaluation. Ainsi, le présent document décrit une
application pratique du concept d’évaluation décrit dans l'ISO 15489-1.
Le présent document:
a) établit une liste des principaux objectifs de l'évaluation;
b) décrit l'importance de l’établissement du périmètre de l'évaluation;
c) explique comment analyser les fonctions de chaque activité et comprendre leur contexte;
d) explique comment identifier les exigences relatives aux documents d'activité;
e) décrit les relations entre les exigences relatives aux documents d'activité, les fonctions et les
processus de travail;
f) explique comment utiliser l'appréciation des risques pour prendre des décisions liées aux
documents d'activité;
g) établit la liste des options de documentation des résultats de l'évaluation;
h) décrit les utilisations possibles des résultats de l'évaluation; et
i) explique l'importance de la surveillance et de la revue de la mise en pratique des décisions suite à
l'évaluation.
Le présent document peut être utilisé par tous les organismes, indépendamment de leur taille, de la
nature de leurs activités ou de la complexité de leurs fonctions et de leur structure.
2 Références normatives
Les documents suivants cités dans le texte constituent, pour tout ou partie de leur contenu, des
exigences du présent document. Pour les références datées, seule l'édition citée s'applique. Pour les
références non datées, la dernière édition du document de référence s'applique (y compris les éventuels
amendements).
ISO 15489-1, Information et documentation — Gestion des documents d’activité — Partie 1: Concepts et
principes
3 Termes et définitions
Pour les besoins du présent document, les termes et définitions de l'ISO 15489-1 s'appliquent.
L'ISO et l'IEC tiennent à jour des bases de données terminologiques destinées à être utilisées en
normalisation, consultables aux adresses suivantes:
— ISO Online browsing platform: disponible à l'adresse https: //www .iso .org/obp
— IEC Electropedia: disponible à l'adresse http: //www .electropedia .org/
© ISO 2018 – Tous droits réservés 1
---------------------- Page: 7 ----------------------
ISO/TR 21946:2018(F)
4 Processus d'évaluation
L'évaluation dans le cadre de la gestion des documents d'activité implique l'analyse du ou des contextes
au sein desquels les activités sont menées, afin:
— de déterminer les exigences relatives aux documents d'activité;
— de comprendre quels domaines d'activité sont considérés, par les parties prenantes, comme critiques
pour atteindre les objectifs fixés par un organisme; et
— d'identifier et d’apprécier les risques liés aux documents d'activité.
Il convient que les résultats du processus d'évaluation soient utilisés pour concevoir de façon proactive
des contrôles et processus liés aux documents d'activité pour soutenir au mieux les activités et les
technologies afin de garantir le respect des exigences convenues relatives aux documents d'activité
dans le temps.
L'évaluation dans le cadre de la gestion des documents d'activité prend en compte les besoins des agents
directement impliqués dans les activités, mais aussi les besoins des parties prenantes internes et
externes concernées et les besoins plus larges de la société. De cette manière, la gestion des documents
d'activité à des fins organisationnelles ou autres peut être élaborée de façon cohérente.
Le contexte dans lequel l'activité est menée, les opérations en elles-mêmes, les exigences relatives aux
documents d'activité et l'identification des risques évolueront avec le temps. Par conséquent, l'évaluation
dans le cadre de la gestion des documents d'activité est une activité nécessairement récurrente.
La représentation des activités d'évaluation à la Figure 1 reflète le cycle continu de cette tâche, à mesure
que les besoins et les circonstances qui influent sur la création, la capture et la gestion des documents
d'activité changent au fil du temps.
2 © ISO 2018 – Tous droits réservés
---------------------- Page: 8 ----------------------
ISO/TR 21946:2018(F)
NOTE L'évaluation dans le cadre de la gestion des documents d'activité constitue un cycle d'amélioration
continue.
Figure 1 — Évaluation récurrente dans le cadre de la gestion des documents d'activité
Les résultats du processus d'évaluation peuvent être synonymes d'améliorations dans plusieurs
domaines, tels que la conformité règlementaire, la gestion des risques, la sécurité des informations,
la protection de la confidentialité, la réutilisation des informations ou la protection des documents
d'activité archivés. Ils peuvent également être utilisés pour déterminer quels documents d'activité
peuvent être rendus publics, dans le cadre de l'application des lois et règlements sur la divulgation
d'informations au grand public.
Certains événements peuvent donner lieu à une évaluation dans le cadre de la gestion des documents
d'activité.
Par exemple, lorsque:
— la mise en place de nouvelles entités;
— l’introduction de nouvelles exigences juridiques et règlementaires, des modifications dans la
pratique juridique et le respect des lois ou des obligations contractuelles;
— l’apparition de nouveaux systèmes et technologies; ou
© ISO 2018 – Tous droits réservés 3
---------------------- Page: 9 ----------------------
ISO/TR 21946:2018(F)
— l’élaboration de nouvelles dispositions pour la gestion des documents d'activité, comme lors de
collaborations entre juridictions sur des projets communs, l’imposent.
Ou, lorsque des changements surviennent concernant:
— des structures organisationnelles ou des fusions;
— de nouvelles exigences réglementaires ou des modifications de ces dernières;
— de nouvelles activités ou fonctions ou des modifications de ces dernières; ou
— des modifications au niveau des attentes du grand public en matière de gestion des documents
d'activité de l'organisme concerné, y compris de nouvelles attentes liées à l'accès et l'utilisabilité.
Les problèmes liés à la création et à la gestion des documents d'activité, comme des documents
d'activité manquants (qu'il aurait convenu de créer), des accès non autorisés aux documents d'activité
ou la suppression non autorisée de documents d'activité, pourraient également justifier une évaluation.
La fréquence d'évaluation dans le cadre de la gestion des documents d'activité et l’échelle à laquelle
cette dernière est réalisée varieront d'un cas à un autre. Par exemple, un organisme possédant un
cadre règlementaire très stable et une activité relativement constante pourrait réaliser des évaluations
de manière moins fréquente qu'un organisme connaissant des changements fréquents. Le processus
d'évaluation peut être modifié au niveau de son étendue ou de son périmètre, selon les résultats
attendus (voir 5.2).
L'évaluation dans le cadre de la gestion des documents d'activité est réalisée de manière cohérente et
responsable. Cela signifie:
— mener à bien une évaluation dans le cadre d'un mandat et d'une autorisation clairs;
— conserver, sous la forme de documents d'activité, la documentation relative à la recherche, à l'analyse
et à la consultation des parties prenantes qui ont été effectuées dans le cadre du processus;
— prendre des décisions cohérentes et utiliser les décisions passées afin de vérifier tout précédent;
— justifier les décisions prises et conserver les documents correspondants.
5 Collecte et analyse d'informations
5.1 Généralités
Le processus d'évaluation comporte un certain nombre de types d'analyses, qui peuvent être réalisées
successivement ou simultanément. Ces analyses comprennent les étapes suivantes:
— compréhension du contexte dans lequel l'évaluation est menée à bien, y compris les caractéristiques
relatives à l'organisme, aux technologies et à l'activité;
— analyse des fonctions de l'activité en elles-mêmes;
— analyse des exigences relatives aux documents d'activité d'un point de vue organisationnel, juridique
et sociétal;
— identification et appréciation des risques associés à la création, la capture et la gestion des documents
d'activité.
Certains types d'analyses, telles que l'analyse du contexte de l'activité, peuvent déjà avoir été effectués
à d'autres fins au sein de l'organisme, par exemple dans le cadre de la sécurité des informations. Il est
recommandé de vérifier si l'analyse requise a déjà été effectuée et si les résultats obtenus peuvent être
réutilisés pour l'évaluation.
4 © ISO 2018 – Tous droits réservés
---------------------- Page: 10 ----------------------
ISO/TR 21946:2018(F)
Il est important de noter que l'identification des risques a lieu tout au long du processus d'évaluation
sous trois formes différentes:
— lors de l'examen du contexte organisationnel au sein duquel le processus se déroule, les risques
internes et externes affectant l'organisme et ses parties prenantes peuvent être identifiés;
— lors de l'analyse de l'activité par rapport à des fonctions, activités ou processus de travail particuliers
pendant l'analyse de l'activité. Par exemple, les risques associés à une mauvaise gestion des
documents d'activité des services publics axés sur les citoyens ou à des informations d'identification
personnelle pourraient être supérieurs à ceux relatifs à d'autres activités administratives;
— lors de l'identification des risques susceptibles d’être gérés en respectant les exigences relatives aux
documents d'activité identifiées.
Après l'identification des risques, il convient d'effectuer une analyse et une évaluation (conformément
aux pratiques de gestion des risques de l'organisme, le cas échéant). Cela permet de faciliter la prise
de décisions quant à la manière de respecter les exigences et à l'investissement approprié en matière
de ressources pour ce faire. Cet aspect de l'évaluation et du traitement des risques est détaillé plus
avant en 6.3.
Les résultats de l'analyse menée pour l'évaluation dans le cadre de la gestion des documents d'activité
peuvent être utilisés pour développer d'autres outils et ressources pouvant servir à la création, la
capture et la gestion des documents d'activité (voir 6.5).
5.2 Détermination du périmètre de l'évaluation
Le périmètre d'une évaluation doit être clairement défini dès le début de tout processus d'évaluation. Les
événements qui déclenchent l'évaluation, ainsi que le rôle et les responsabilités de la ou des personne(s)
chargée(s) de l'évaluation, influenceront directement son périmètre. Le périmètre de l'évaluation
influencera à son tour le type d'agents impliqués dans le processus. Par exemple, un périmètre portant
plus particulièrement sur l’aspect sociétal exigera une plus grande implication d'agents externes par
rapport à un périmètre dont l'accent sera uniquement mis sur l'activité, qui exigerait une implication
étendue des représentants commerciaux. Le périmètre de l'évaluation peut évoluer selon les fonctions
et activités couvertes, ou les parties de l'analyse concentrant toute l'attention.
EXEMPLE 1 Un processus d'évaluation pourrait être mené par le responsable d'un système de gestion en cours
de remplacement. Le système ne prend en charge qu'une seule fonction, mais celle-ci est exécutée par plusieurs
entités de l'organisme, qui travaillent de façon collaborative en ligne. Dans ce cas, le périmètre est limité à cette
seule fonction mais prend en compte les contextes de chacune des entités de l'organisme qui y contribuent, avec
leurs risques et leurs exigences.
EXEMPLE 2 Lors d'une fusion, les fonctions d'un organisme sont analysées afin de prendre des décisions
concernant la migration des documents d'activité vers de nouveaux systèmes et d'autres sujets comme
l'intégration de référentiels de gestion des documents. Le périmètre du processus d'évaluation devrait, dans cet
exemple, couvrir les fonctions des deux entités.
EXEMPLE 3 Un processus d'évaluation mené dans l'optique de définir des exigences relatives aux documents
d'activité pour les intégrer aux spécifications d'un nouveau système de gestion impliquerait d'accorder une plus
grande importance à l'analyse des fonctions prises en charge par le système, contrairement à une évaluation
réalisée dans le but de développer un référentiel de gestion des documents concernant l'intégralité de l'activité
d'un organisme.
EXEMPLE 4 Un processus d'évaluation mené à bien afin de définir des règles de sort final pour toute une
juridiction, dans l'optique d'identifier les classes de documents d'activité à conserver en tant qu'archives, aura un
large périmètre englobant une analyse de haut niveau du contexte, des fonctions et des activités, des exigences et
des risques pour toute la juridiction. Cela permet d'assurer la cohérence des décisions prises. Dans certains cas,
une telle évaluation est réalisée en une étape pour toute la juridiction. D'autres évaluations sont effectuées en
plusieurs étapes, en collaboration avec les organismes dans la juridiction.
© ISO 2018 – Tous droits réservés 5
---------------------- Page: 11 ----------------------
ISO/TR 21946:2018(F)
5.3 Choix des personnes à impliquer dans le processus d'évaluation
L'évaluation dans le cadre de la gestion des documents d'activité est fondamentale pour le travail des
professionnels de la documentation, ce qui fait d'eux les personnes idéales pour planifier et mener les
activités d'évaluation.
Il convient que d'autres personnes ou groupes soient impliqués dans une ou plusieurs étapes du
processus d'évaluation. L'implication d'autres personnes dépendra du but et du périmètre du processus
d'évaluation et de l'objet principal de l'analyse. Ces personnes incluront des agents internes et des
parties prenantes, comme
— des représentants commerciaux;
— des représentants juridiques;
— la direction;
— des instances dirigeantes, telles que des conseils d'administration ou des comités d'audit;
— des professionnels associés de la gestion d'informations, comme des responsables de la protection
de la vie privée, des documentalistes, des spécialistes de la conservation ou les responsables des
données et de la transparence;
— des professionnels des communications; et/ou
— des spécialistes des technologies de l'information.
Il convient que les agents externes et les parties prenantes soient également consultés ou impliqués de
manière appropriée. Ces derniers peuvent comprendre des personnes et des groupes comme
— des parties prenantes;
— des clients;
— des cabinets d'audit externe ou des autorités règlementaires;
— des experts sur le sujet, des membres d'associations professionnelles ou des universitaires;
— des représentants d'institutions chargées des archives;
— des promoteurs de la transparence;
— des experts en confidentialité;
— des experts en sécurité des informations;
— des personnes ou groupes affectés par les activités du gouvernement ou de l'organisme; et/ou
— des personnes mentionnées dans les documents d'activité, telles que des pupilles de l'État durant
leur enfance ou des personnes ayant bénéficié d'une aide ou de services de la part du gouvernement.
5.4 Collecte d'informations
L'évaluation dans le cadre de la gestion des documents d'activité repose sur l'identification des parties
prenantes et d'autres sources d'informations renseignant sur le contexte de l'activité et technologique,
les fonctions, les risques et les exigences. Il convi
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.