Gestion info
INFORMATION GOVERNANCE
MAI 2022
Contents
- 1 Foreword
- 2 Introduction
- 3 1 Scope
- 4 2 Normative references
- 5 3 Terms and definitions
- 6 4BenefitsofInformationGovernance
- 7 5 Principles of Information Governance
- 7.1 5.1 Recognising information as a corporate, strategic asset
- 7.2 5.2 Designing Information Governance as a key element of corporate strategy
- 7.3 5.3 Integrating Information Governance into the organisation’s governance frameworks
- 7.4 5.4 Securing senior management’s leadership and commitment
- 7.5 5.5 Building Information Governance in a collaborative way
- 7.6 5.6 Ensuring Information Governance supports legal compliance and any mandatory requirements
- 7.7 5.7 Aligning Information Governance to business objectives
- 7.8 5.8 Ensuring Information Governance supports information security and privacy
- 7.9 5.9 Ensuring Information Governance supports information quality and integrity
- 7.10 5.10 Fostering a collaboration and knowledge sharing culture
- 7.11 5.11 Adopting a risk-based approach
- 7.12 5.12 Ensuring the availability and accessibility of information to authorised stakeholder
- 7.13 5.13 Governing information throughout its information lifecycle
- 7.14 5.14 Supporting corporate culture
- 7.15 5.15 Supporting sustainability
- 8 Annex A - Concept diagrams
- 9 Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 46, Information and documentation.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Information is a critical asset that is indispensable to support business processes and therefore, a foundation for the success of any business activities. Due to numerous existing and emerging forms and uses of information and information-related risks, organizations often struggle with implementing consistent and comprehensive systems to store, retrieve, share and analyse information. The current global digital transformation and the changes in societal expectations increasingly demand greater transparency, accountability, data protection, security, interoperability and information sharing within and between organisations. This trend requires a solid vision and strategy for Information Governance that supports the business process at a strategic level including digital transformation initiatives. Many governmental and non-governmental organisations worldwide already perceive the necessity and understand the benefits of coordinating at a strategic level the efforts of multiple information-, data- and knowledge-related disciplines.
This document defines concepts and principles for Information Governance.
This document provides guiding principles for members of governing bodies of organisations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, compliant, secure, transparent and accountable creation, use, maintenance, preservation and disposition of information within their organisations.
Information Governance is an integral part of the overall governance of the organisation. It identifies common high-level principles and provides a framework enabling effective and efficient cooperation of all the information-related professionals, in support of the mission of an organisation and achievement of its strategic goals. Stakeholders which are engaged in the collaboration include but are not limited to:
- Data Management
- Information Management
- Records Management
- Knowledge Management
- Regulatory Compliance
- Digital Preservation
- Information Security
- Enterprise Architecture
- Data Protection
- Open Data
- Big Data
- Artificial Intelligence (AI)
- Blockchain — Business Processes
- Quality Management.
Information Governance requires coherence and integration with relevant Management System Standards (MSS), such as ISO 9000, ISO/IEC 27000 and the ISO 30300 series.
Information Governance is a strategic framework for managing information assets across an entire organisation to support its business outcomes and obtain assurance that the risks to its information, and thereby the operational capabilities and integrity of the organisation, are adequately identified and managed. Information Governance includes but is not limited to policies, processes, procedures, roles and controls put in place to meet regulatory, legal, risk and operational requirements. Information Governance provides an overarching high-level framework that:
- aligns all information-related activities with the mission and goals of an organisation, and its business, legal and societal obligations,
- ensures a comprehensive and systematic approach to information by integrating processes relevant to directing and controlling information,
- supports cooperation between stakeholders, and
- creates a high-level basis for managing information regardless its form, type and format, informs education, professional development of the workforce and awareness about information-related obligations, risks and possibilities.
1 Scope
This document establishes concepts and principles for Information Governance.
This document applies to the governance of the organisation's past, current and future information assets. It applies to organisations of all sizes in all sectors, including public and private companies, government entities, and not-for-profit organisations.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
- ISO Online browsing platform: available at https:// www .iso .org/ obp
- IEC Electropedia: available at https:// www .electropedia .org/
3.1 Terms relating to concept of information
3.1.1 authentic (preferred term) authenticity (admitted term)
- authentic property of information (3.1.3) that can be proven to be what it purports to be
- Note 1 to entry
- Authenticity implies that information has been created or sent by the agent purported to have created or sent it, and to have been created or sent when purported.
- Note 2 to entry
- When information can be proven to be what it purports to be it, it can be called authentic information.
- Note 3 to entry
- See Figure A.1 in Annex A.
- [SOURCE: ISO 30300:2020, 3.2.2, modified — “records” has been replaced by "information". “Authentic” has been replaced by “authenticity”. A new Note 2 to entry has been added.]
3.1.2 data set
- data set of characters or symbols to which meaning is or could be assigned.
- Note 1 to entry
- See Figure A.1 in Annex A.
- [SOURCE: ISO 30300: 2020, 3.2.4]
3.1.3 information data (3.1.2)
- information data in context with a particular meaning
- Note 1 to entry
- See Figure A.1 in Annex A.
- [SOURCE: ISO 30300:2020, 3.2.7]
3.1.4 information asset information
- information asset information "information data" that has value to the relevant stakeholder
- Note 1 to entry
- See Figure A.1 in Annex A.
- [SOURCE: ISO/TS 17573-2:2020, 3.95, modified — “information” is taken place of “knowledge and data”.]
3.1.5 integrity
- integrity : property of information that is complete and unaltered.
- Note 1 to entry
- See Figure A.1 in Annex A.
- [SOURCE: ISO 30300:2020, 3.2.8, modified — “records” has been replaced by "information".]
3.2 Terms relating to the concept of Information Governance
3.2.1 compliance
- compliance characteristic of conformance to rules, such as those defined by a law, a regulation, a standard, or a policy.
- Note 1 to entry
- See Figure A.2 in Annex A.
- [SOURCE: ISO/IEC 20924:2021, 3.1.10, modified — The word "characteristic" has been added in the definition. A note to entry has been added.]
3.2.2 digital continuity
- digital continuity : ability to use digital information (3.1.3) in the way that is needed, for whenever and wherever is needed
- Note 1 to entry
- See Figure A.2 in Annex A.
3.2.3 disposition
- disposition : range of processes associated with implementing retention, destruction or transfer decisions about information (3.1.3)
- Note 1 to entry
- See Figure A.2 in Annex A.
- [SOURCE: ISO 30300:2020, 3.4.8, modified — “records” has been replaced by “information”, shortened in words but keeping the meaning.]
3.2.4 e-discovery
- e-discovery
process of identifying, collecting, preserving, reviewing and exchanging electronically stored information (ESI) for the purpose of using it as digital evidence
- Note 1 to entry
- E-discovery also known as ediscovery, eDiscovery, e-Discovery, e-discovery, electronic discovery.
- Note 2 to entry
- ESI includes, but not limited to electronic formats, emails, documents, presentations, databases, voicemail, audio and video files.
- Note 3 to entry
- E-discovery often refers to a form of digital investigation that attempts to find evidence in ESI in response to a request for production in a law suit or investigation.
- Note 4 to entry
- See Figure A.2 in Annex A.
3.2.5 framework
- framework : structure composed of related parts designed to support the accomplishment of a specific task
- Note 1 to entry
- See Figure A.2 in Annex A.
- [SOURCE: ISO 15638-6:2014, 4.30]
3.2.6 governance
- governance : principles, policies and framework by which an organisation is directed and controlled
- Note 1 to entry
- See Figure A.2 in Annex A.
- [SOURCE: ISO/IEEE 11073-10201:2020, 3.1.25, modified — “composed of related parts” taking place of “processes and specifications”]
3.2.7 Information Governance
- Information Governance : strategic framework for governing information assets (3.1.4) across an entire organization in order to enhance coordinated support for the achievement of business outcomes and obtain assurance that the risks to its information (3.1.3), and thereby the operation capabilities and integrity (3.1.5) of the organisation, are effectively identified and managed
- Note 1 to entry
- Information Governance includes (but is not limited to) policies, processes, procedures, roles and controls put in place to meet regulatory, legal, risk and operational requirements.
- Note 2 to entry
- Data is one form of information asset.
- Note 3 to entry
- See Figure A.2 in Annex A.
3.2.8 information security =
- information security : preservation of confidentiality, integrity and availability of information (3.1.3)
- Note 1 to entry
- See Figure A.2 in Annex A.
- [SOURCE: ISO/IEC 27000:2018, 2.28]
4BenefitsofInformationGovernance
4.1 General
Information Governance is a strategic, multi-disciplinary framework enabling collaboration between related professions. It considers information as a valuable corporate asset, and has the potential to deliver the following benefits.
4.2Strategic benefits
Information Governance:
a) Provides an overarching high-level governance framework that supports an organisation’s mission and results in achieving economic and strategic benefits including, but not limited to:
- 1) maximisation of value derived from the information assets,
- 2) protection of the rights of the organisation and other stakeholders,
- 3) compliance with legal and regulatory requirements, and
- 4) promotion of openness, transparency and accountability;
- b) Supports informed decision-making by providing timely access to authentic, reliable, relevant, full and accurate, current and accessible information;
- c) Reduces risk that could cause reputational damage, financial loss or penalties by
- 1) applying adequate security and protection to valuable information assets, and
- 2) destroying or purging information that is no longer required to be retained;
- d) Identifies gaps in systems, policies, procedures and processes required to govern an organisation’s information assets effectively;
- e) Ensures the organisation's policies are consistent and working in harmony with regards to security, privacy, appraisal, preservation, disposition, discovery and disclosure of information;
- f) Provides a mechanism for inclusion of all information assets in the governance program;
- g) Eliminates silos and professional frictions and encourages a cooperative and cross-disciplinary approach in implementing innovative and emerging technologies that align to organisational strategic objectives and priorities;
- h) Supports ethical governance relating to existing and emerging technologies such as AI and block chain.
4.3 Operational benefits
Information Governance:
a) Provides a comprehensive and systematic approach to governing information that underpins an organisation’s operation by integrating information management, information security and privacy, compliance, business continuity, disaster recovery, e-discovery and other aspects relevant to directing and controlling information;
b) Identifies what organisational information exists, where it is located, what actions can be taken on it, and how it should be managed and controlled, resulting in valuable information which can be used and reused many times;
c) Underpins systematic organisation of information assets, which allows increased availability, sharing and collaboration, and provides faster search and retrieval of business information;
d) Provides the framework for information assets maintenance to eliminate the loss of crucial business information;
e) Reduces costs associated with storing and the resources required to manage or discover information by adopting a disposition program that destroys information no longer needed or required to be retained;
f) Reduces the production cost for e-discovery and ensures that organisations are not creating additional risk by producing and retaining more information than necessary;
g) Preserves corporate culture and memory by providing a foundation for enhancing the capability of digital continuity collaboratively achieved at an enterprise level.
5 Principles of Information Governance
5.1 Recognising information as a corporate, strategic asset
Information Governance considers the organisation’s information as an asset (as defined in 3.2.8). Information is strategic for the future of any organisation and facilitates its long-term sustainability.
Information Governance acknowledges legal, business, historical and other value of information and information assets, their essential role in business and governance, information-related benefits and risks, and the potential of information assets to become a key competitive advantage.
Information to be governed includes structured and unstructured, non-digital and digital information, as well as the information in the heads of the people.
5.2 Designing Information Governance as a key element of corporate strategy
Information Governance includes all the high-level, strategic aspects of governing and controlling information, such as the provision of infrastructure and systems for processing; compliance to legal and regulatory requirements related to information; governance instruments such as policies, procedures, and standards; and people (resourcing, training and professional development).
5.3 Integrating Information Governance into the organisation’s governance frameworks
Information Governance should be included into the corporate governance: system by which corporations are directed and controlled (see ISO/IEC 38500), to achieve the organisation’s goals, and to answer ethical requirements of integrity, memory and societal responsibility.
Information Governance forms an integral part of, and should be integrated with, all the organisation’s governance frameworks and management systems. Information Governance integrates with all information management frameworks and systems, such as financial, risk, security, quality, environmental, health and safety management processes and their operational requirements and procedures. Information Governance should be included in the integrated reporting of the organisation.
Information Governance should encompass all information-centric governance facets or domains including but not limited to records management, data protection/privacy, information security, information sensitivity, data management, enterprise content management, document control and e-discovery.
5.4 Securing senior management’s leadership and commitment
Senior management should be committed to guide, lead and support Information Governance. A member of the organisation's senior management should be responsible for Information Governance and ensure accountability, reporting to the most senior person or governance structure in the organisation.
The responsibilities of that Information Governance leader should include identifying the components of the organisation’s Information Governance framework, defining the processes, procedures and driving them, unlocking potential and emergent obstacles, communicating the goals and business objectives, allocating the resources needed (team, structures, infrastructures) and keeping upper management informed on progress.
The Information Governance leader oversees all these activities together in a coherent Information Governance program.
In addition, the operational responsibility of Information Governance aspects can be delegated to an Information Governance officer, and/or other staff members at an appropriate level.
5.5 Building Information Governance in a collaborative way
Information Governance is understood primarily as a strategic multi-disciplinary framework that lays the foundation for cooperation and synergy between numerous information-related professions.
A common goal of this cooperation is consistent and comprehensive governance and management of diverse information assets across an entire organisation.
The specific sub-principles of Information Governance as a collaborative effort are the following:
- Inclusiveness – all stakeholders are included;
- Comprehensiveness – all information assets, existing and future ones, are covered;
- Policy consistency – no weak links in preserving vital knowledge, information and data; to meet security, privacy, and compliance objectives;
- Agility – proactive engagement with new information-related disciplines or stakeholders;
- Cooperation – cross-discipline efforts and consensus-based decision-making are encouraged and supported; in the overlapping areas, collective efforts are preferable to drawing rigid boundaries between disciplines.
5.6 Ensuring Information Governance supports legal compliance and any mandatory requirements
Information Governance supports and aims for compliance with all applicable laws, regulations, mandatory and voluntary standards and codes of industry practice applicable to the organisation.
5.7 Aligning Information Governance to business objectives
Information Governance should be aligned to strategic and operational goals and objectives of the organisation and the business needs. Alignment should be continuously monitored and revised as the business needs and direction change.
All stakeholder requirements and needs should be considered when developing the Information Governance program.
5.8 Ensuring Information Governance supports information security and privacy
Information Governance should support and facilitate information security and privacy. Access controls and permissions should be established and implemented to ensure that information is only made available to those with adequate authority.
5.9 Ensuring Information Governance supports information quality and integrity
Information Governance should seek to ensure information is:
- authentic;
- trustworthy;
- complete and consistent (managed throughout the whole organisation);
- reliable;
- relevant;
- easy to retrieve and use;
- accurate;
- able to demonstrate integrity.
5.10 Fostering a collaboration and knowledge sharing culture
Effective and efficient Information Governance often requires the information to be treated as a corporate resource rather than an asset controlled exclusively by specific business area/function or individual."
Information Governance requires a cross-functional collaboration where appropriate, to maximise information’s value.
Information should be shared in ways that make it easy to (re)use, deliver and exchange. It should be made available through multiple channels whilst always ensuring that conditions for confidentiality, privacy and security are met.
Information systems (digital or not) and processes shall be designed to support interoperability, thus enabling collaboration and knowledge sharing.
5.11 Adopting a risk-based approach
Information Governance should adopt a risk-based approach and implement controls for appropriate information usage in compliance with laws, policies, regulation in alignment with the organisation’s risk profile/appetite.
5.12 Ensuring the availability and accessibility of information to authorised stakeholder
Information Governance should contribute to the organisation’s performance by ensuring that relevant information is available at the right time, place and format to authorised users/consumers at an efficient cost.
It should support the competitive position and sustainability of the organisation.
The Information Governance program should continuously adapt to meet the organisation’s internal and external evolving needs.
5.13 Governing information throughout its information lifecycle
Information should be managed throughout the whole information lifecycle, from creation (and sometimes before: e.g. development of policies and procedures, design of information systems) or receipt through to ultimate disposition, and even after (some metadata could still be retained for compliance purposes).
5.14 Supporting corporate culture
Information Governance should become embedded in the culture of the organisation and the behaviour and attitude of people working for it.
Embedding Information Governance in the behaviour of the people working for an organisation depends on leadership at all levels and clear values of an organisation, as well as an acknowledgement and implementation of measures to promote Information Governance. If this is not the case at all levels of an organisation, there is a risk of failure.
Information Governance programmes require a planned approach to adoption, change management and awareness, ensuring that all Information Governance initiatives equip employees to comply with the organisation’s Information Governance requirements.
5.15 Supporting sustainability
Information Governance is part of socially responsible behaviour of organisations and contributes to sustainable development.
Annex A - Concept diagrams
A.1 General
Concepts are not independent of one another. An analysis of the relationships among concepts within the field of Information Governance into a concept system is a prerequisite of a coherent vocabulary.
Such an analysis was carried out in the development of the vocabulary defined in this document. This annex provides the concepts diagrams elaborated during the development process for a better understanding of the vocabulary relationships.
According to ISO 704, there are three forms of concept relationships used in this annex.
a) Associative (with arrow). Associative relations are non-hierarchical. An associative relation exists when a thematic connection can be established between concepts by virtue of experience (ISO 704:2009, 5.5.3).
b) Partitive (without an arrow). Partitive relations are hierarchical. A partitive relation is said to exist when the superordinate concept represents a whole, while the subordinate concepts represent parts of that whole. The parts come together to form the whole (ISO 704:2009, 5.5.2.3.1).
c) Generic (without an arrow). Generic relations are hierarchical. A generic relation exists between two concepts when the intension of the subordinate concept includes the intension of the superordinate concept plus at least one additional delimiting characteristic (ISO 704:2009, 5.5.2.2.1).
A.2 Concept diagrams
A.2.1 General
Figures A.1 and A.2 show the concepts diagrams on which the thematic groupings of core concepts are developed, where the term and vocabulary are associated with Information Governance settings and frameworks.
As the terms are repeated without the definition and any related notes, it is recommended to refer to Clause 3 to consult these elements.
A.2.2 Concepts relating to information
Figure A.1 — Core concepts relating to information
A.2.3 Concepts relating to Information Governance
Figure A.2 — Concepts relating to Information Governance
Bibliography
[1] ISO 704:2009, Terminology work — Principles and methods
[2] ISO/IEC TR 10032, Information technology — Reference Model of Data Management
[3] ISO/IEEE 11073-10201:2020, Health informatics — Device interoperability — Part 10201: Point-of-care medical device communication — Domain information model
[4] ISO/TR 14639-2, Health informatics — Capacity-based eHealth architecture roadmap — Part 2: Architectural components and maturity model
[5] ISO 15489-1, Information and documentation — Records management — Part 1: Concepts and principles
[6] ISO 15638-6, Intelligent transport systems — Framework for collaborative Telematics Applications for Regulated commercial freight Vehicles (TARV) — Part 6: Regulated applications
[7] ISO/IEC 15944-8, Information technology — Business operational view — Part 8: Identification of privacy protection requirements as external constraints on business transactions
[8] ISO 16439, Information and documentation — Methods and procedures for assessing the impact of libraries
[9] ISO/TS 17187, Intelligent transport systems — Electronic information exchange to facilitate the movement of freight and its intermodal transfer — Governance rules to sustain electronic information exchange methods
[10] ISO/TS 17573-2:2020, Electronic fee collection — System architecture for vehicle related tolling — Part 2: Vocabulary
[11] ISO/TR 18128, Information and documentation — Risk assessment for records processes and systems
[12] ISO/TR 19591, Personal protective equipment for firefighters — Standard terms and definitions
[13] ISO/IEC 20924:2021, Information technology — Internet of Things (IoT) — Vocabulary
[14] ISO 21505:2017, Project, programme and portfolio management — Guidance on governance
[15] ISO/TR 21965, Information and documentation — Records management in enterprise architecture
[16] ISO 22316, Security and resilience — Organizational resilience — Principles and attributes
[17] ISO 24531, Intelligent transport systems — System architecture, taxonomy and terminology — Using XML in ITS standards, data registries and data dictionaries
[18] ISO/IEC TR 26927, Information technology — Telecommunications and information exchange between systems — Corporate telecommunication networks — Mobility for enterprise communications
[19] ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary
[20] ISO/IEC 27050, Information technology — Electronic discovery
[21] ISO/IEC 27014, Information security, cybersecurity and privacy protection — Governance of information security
[22] ISO 30300:2020, Information and documentation — Records management — Core concepts and vocabulary
[23] ISO 37000, Governance of organizations — Guidance
[24] ISO 31000, Risk management — Guidelines
[25] ISO/TR 31004, Risk management — Guidance for the implementation of ISO 31000
[26] ISO 37001, Anti-bribery management systems — Requirements with guidance for use
[27] ISO 37002, Whistleblowing management systems — Guidelines
[28] ISO 37301, Compliance management systems — Requirements with guidance for use
[29] ISO/IEC 38500, Information technology — Governance of IT for the organization
[30] ISO/IEC TR 38502, Information technology — Governance of IT — Framework and model
[31] ISO/IEC TR 38504, Governance of information technology — Guidance for principles-based standards in the governance of information technology
[32] ISO/IEC 38505-1, Information technology — Governance of IT — Governance of data — Part 1: Application of ISO/IEC 38500 to the governance of data