In May 2022, the International Organization for Standardization (ISO) published ISO 24143:2022 Information and documentation — Information Governance — Concept and principles,
which provides needed clarity and credibility to the IG discipline.
But it could be strengthened greatly by building on previous foundational work by ISO.
To make the new IG standard carry more weight, to give it more “teeth” so to speak, it should require compliance with other related ISO standards as a condition of conformance.
ISO 27701 Required Adherence to Security Standards
This was the approach taken with ISO/IEC 27701:2019 “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management — Requirements and guidelines.” This standard for Privacy Information Management Systems (PIMS), an extension to the information security management standard ISO/IEC 27001, specifies PIMS-related requirements and provides guidance for PII controllers and PII processors that hold responsibility and accountability for PII processing. Because it is written as an extension, it requires an ISO/IEC 27001 information security management system (with the ISO/IEC 27002 controls) to be in place before compliance with ISO/IEC 27701 can be achieved; a PIMS cannot be assessed on its own.
Building a Solid IG Framework: Integration with Security & Privacy Compliance, Records Management, IT Governance and Risk Management ISO Standards
In much the same way, ISO 24143 could require, as prerequisites, compliance with ISO/IEC 27001/27002 and ISO/IEC 27701. Taking this further, ISO 24143 could also require adherence to the standard for Records Management, ISO 15489-1:2016 Information and documentation — Records management — Part 1: Concepts and principles (which was reviewed and confirmed in 2021, so it is still current).
“ISO 15489-1:2016 defines the concepts and principles from which approaches to the creation, capture and management of records are developed. This part of ISO 15489 describes concepts and principles relating to the following:
a) records, metadata for records and records systems;
b) policies, assigned responsibilities, monitoring and training supporting the effective management of records;
c) recurrent analysis of business context and the identification of records requirements;
d) records controls;
e) processes for creating, capturing and managing records.
ISO 15489-1:2016 applies to the creation, capture and management of records regardless of structure or form, in all types of business and technological environments, over time.”
Adding in IT Governance
Adherence to the IT governance standard, ISO/IEC 38500:2015, should also be required:
“ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.”
“ISO/IEC 38500:2015 applies to the governance of the organization’s current and future use of IT including management processes and decisions related to the current and future use of IT. These processes can be controlled by IT specialists within the organization, external service providers, or business units within the organization.”
Going Further: Including Risk Management
ISO’s definition of IG in ISO 24143 emphasizes risk, so why not also require adherence to the ISO standard for risk management? ISO 31000:2018 Risk management — Guidelines states:
“Managing risk is:
– iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.
– part of governance and leadership, and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.
– part of all activities associated with an organization and includes interaction with stakeholders.
– considers the external and internal context of the organization, including human behaviour and cultural factors.
– based on the principles, framework and process outlined in this standard.”
Conclusion on the Use of ISO Standards in ISO 24143
If ISO 24143 required adherence to the ISO standards for information security (ISO/IEC 27001/27002), privacy information management (ISO/IEC 27701), records management (ISO 15489-1), IT governance (ISO/IEC 38500) and risk management (ISO 31000), this would greatly strengthen and define the discipline of Information Governance.