elevenM’s Cassie Findlay looks at getting the most out of standards. Cassie is a current member of the Standards Australia Committee on Records Management and a former member of the International Organization for Standardization (ISO) Technical Committee on Records Management. She was lead author of the current edition of the International Standard on records management, ISO 15489.
“Standards are like toothbrushes. Everyone thinks they’re a good idea, but no one wants to use someone else’s.” (origin unknown)
Why pay attention to standards, national or international? Aren’t they just for making sure train tracks in different states are the same gauge? What do they have to do with managing and securing information or with privacy? Do we need standards?
The value of standards for manufacturing or product safety is clear and easy to grasp.
However, for areas like privacy, recordkeeping and information security, with all their contingencies, the question arises as to how we can standardise when so often the answer to questions about what to do is ‘it depends’.
The answer lies in what you seek to standardise, and indeed what type of standards products you set out to create.
Of the domains elevenM works in, it could be argued that cyber security and information security have the clearest use cases for standardisation. The ISO 27001 set of standards has a huge profile and wide uptake, and has become embedded in contracts and requirements for doing business internationally. By meeting the requirements for a robust information security management system (ISMS), organisations can signal the readiness of their security capability to the market and to business partners. However, this is a domain in which standards have proliferated, particularly in cyber security. This was a driver for the work of the NSW Government-sponsored Cyber Security Standards Harmonisation Taskforce, led by AustCyber and Standards Australia, which recently released a report containing a range of recommendations for cyber security standards harmonisation and simplification.
In the world of information management, specifically recordkeeping, strong work has been underway over the last couple of decades to codify and standardise approaches to building recordkeeping systems, tools and processes, in the form of the International Standard ISO 15489 Records Management and its predecessors. In the case of this standard, the recordkeeping profession is not seeking to establish a minimum set of compliance requirements, but rather to describe the optimal approach to building and maintaining key recordkeeping controls and processes, including the work of determining what records to make and keep, and ensuring that recordkeeping is a business enabler – whatever your business. The standard takes a ‘digital first’ approach and supports the work of building good recordkeeping frameworks regardless of format. Complementary to ISO 15489, the ISO 30300 Management systems for records suite offers compliance-focused standards that enable organisations to establish and maintain management systems that enable good recordkeeping, and that can be audited by third parties such as government regulators or independent auditors.
In the privacy world, compliance requirements come, in most jurisdictions, directly from applicable laws (GDPR, Australia’s Privacy Act), and practitioners typically focus on these rather than seeking out standards. The United States has a patchwork of regulatory requirements affecting privacy, but has seen widespread adoption of the California Consumer Privacy Act (CCPA) for consumer privacy, with other States following suit with similar laws. The US national standards body, NIST, does, however, have a strong track record in standards development for security and now for privacy, in the form of its Cybersecurity Framework and, more recently, its Privacy Framework. However, it is important to note that these are not standards, but voluntary tools issued by NIST to help organisations manage privacy risk.
The next time your organisation is looking to align with a standard, be sure to understand why, and whether:
- meeting the standard helps you establish bona fides with the market, such as via the adoption of the ISO 27001 standards;
- independent auditors and other third parties have signalled they will use the standard to guide their audits, such as the ISO 30300 suite;
- the standard provides your organisation with a useful tool or framework towards best practice, as found in the foundational standard for recordkeeping, ISO 15489; or
- regulatory or compliance requirements exist that supersede any standard – and are prescriptive on their own (for example through the Privacy Act and guidance from the OAIC).
The toothbrush gag is one heard often in standards development circles such as ISO Committees, and it perhaps has a limited audience, but the point it makes is a good one in that standards are – and should be – tailored to users and uses. They do not, however, tackle plaque.