New global standards guide corporate governance

Two new global records management standards have been published by the International Organization for Standardization (ISO), promising to help prevent failures in corporate governance.

The new ISO standards are aimed at organisations looking to develop and implement a records policy, and they provide a means of measuring and monitoring its performance.

One of the working groups that developed the standards was led by Judith Ellis, Managing Director of Enterprise Knowledge, an Information Management consulting firm in Victoria, Australia.

Ellis believes, "The ISO 30300 series offers the methodology for a systematic approach to the creation and management of records, aligned with organisational objectives and strategies.

“Managing records using an MSS supports cost-effective operational processes, such as storage, information retrieval, information re-use, litigation and due diligence."

According to ISO, the cost of developing an MSR depends on the scope of implementation within an organisation and is determined by business needs and an assessment of risk. It claims the investment is worth it, as an MSR “can provide both short- and long-term returns on investment, as well as cost avoidance.”

Development of these new standards incorporates experience gained in the implementation of ISO 15489, Information and documentation - Records management, published some 10 years ago.

The new standards, which are available for purchase from the ISO Web shop (for 86 and 106 Swiss francs respectively), are formally known as ISO 30300:2011, Information and documentation - Management systems for records - Fundamentals and vocabulary, and ISO 30301:2011, Information and documentation - Management systems for records - Requirements.

They have been developed with the assistance of experts drawn from 27 countries on five continents.

These standards have been developed to be compatible with and complementary to other management system standards (MSSs) developed by ISO, such as ISO 9001 (quality management), ISO 14001 (environmental management), and ISO/IEC 27001 (information security management).

ISO 30300 is the umbrella standard which includes the fundamentals and vocabulary common to the whole series, while ISO 30301 specifies requirements for an MSR (management system for records). Further standards in the ISO 30300 series are under development.

ISO has also announced the official launch of the new International Standard ISO/IEC 27035:2011.

Entitled ‘Information technology – Security techniques – Information security incident management’, the standard gives ‘how to’ guidance on detecting, reporting and assessing information security incidents and vulnerabilities.

ISO says that ISO/IEC 27035:2011 will help organisations respond to information security incidents, including the activation of appropriate controls for the prevention and reduction of, and recovery from, impacts, and, in so doing, learn and improve their overall approach.

Edward Humphreys, whose team developed the original version of the standard, ISO/IEC TR 18044:2004, commented: “Effective and timely handling of major incidents can make the difference between the survival or ‘death’ of an organization. The new ISO/IEC 27035 standard provides tried and tested advice on the processes and methods that need to be deployed for ensuring effective management of information security incidents.

“Incidents can vary from the minor, which may have an impact on an isolated business system, to a major incident, which affects all business systems. Some incidents have the effect of disrupting an organization and the use of its business resources for 24-72 hours or more; some cause a serious loss and/or destruction of data and some can leave the organization with a serious crime on their hands. ISO/IEC 27035:2011 offers a solution.”

The new standard is applicable to any organization, irrespective of size. It covers a range of information security incidents, whether deliberate or accidental, and whether caused by technical or physical means.

www.iso.org