New ISO Information Governance Standard Can Help Fuel Organization Initiatives

The International Organization for Standardization’s (or “ISO”) publication ISO 24143 is worth a look for every leader seeking to build support for expanding their organization’s information governance program.[1] Although ISO 24143 does not itself significantly break new ground, it may help stakeholders attract internal attention to, and secure funding for, enhanced information governance capabilities, because ISO is well recognized and respected by corporate leaders for setting formal quality standards. Information and records management professionals therefore may benefit from including this new standard in their strategic plans.

“Information Governance” (“IG”) is a fuzzy term used to define programs that span more than a dozen functions in most large organizations.[2] At a minimum, IG encompasses Data Protection/Privacy, Security, Records & Information Management, eDiscovery, and Information Technology. Identifying key personnel to spearhead an IG program and obtaining sustaining budgets have been a challenge for more than a few organizations.

The ISO standard on Information Governance is divided into several parts, including definitions; general, strategic, and operational benefits; and principles.

IG professionals will find many familiar themes and principles in ISO 24143. For example, like materials from ARMA, the Compliance, Governance and Oversight Council (CGOC), the Information Governance Initiative (IGI), and The Sedona Conference, the ISO trumpets the need for cooperation among stakeholders to align all information-related activities with the organization’s mission, goals, and obligations. ISO 24143 at vi.

Unlike some other organizations, the ISO does not provide specific tactical guidance on how to implement an effective IG program. For example, ARMA has an Information Governance Implementation Model designed to provide a standardized process to assess an IG program’s maturity across seven key areas. CGOC has an Information Governance Process Maturity Model that suggests mapping 22 processes, the risks associated with them, and the extent to which a current state mitigates or eliminates those risks. The Sedona Conference has provided guidance on assessing and reconciling conflicting laws or obligations and defensible disposition. E.g., The Sedona Conference, Commentary on Information Governance, Second Edition, 20 Sedona Conf. J. 95, 145-147 (2019); The Sedona Conference, Commentary on Defensible Disposition, Second Edition, 20 Sedona Conf. J. 179 (2019).

What sets ISO 24143 apart from other organizations’ publications is that it is an international standard, adopted after a thorough and well-defined process. See https://www.iso.org/directives-and-policies.html. ISO, per its website, “was founded with the idea of answering the question ‘what’s the best way of doing this?’” and, traditionally, when an organization is certified as complying with an ISO, it means “that consumers can have confidence that their products are safe, reliable and of good quality.” See https://www.iso.org/benefits-of-standards.html. Thus, ISO standards are important for any organization devoted to ensuring the quality and safety of their products and operations – whether automotive, healthcare, industrial equipment, energy, or technology.

Significantly, the introduction to ISO 24143 notes that IG “requires coherence and integration” with other relevant international standards (ISO 24143 at v), and specifically mentions the ISO 9000 family (intended to provide organizations with the guidance and tools needed to ensure that their products and services meet external requirements and drive consistent quality improvement), ISO 27000 (regarding information security management systems), and ISO 30300 (providing guidance regarding the core concepts of records and information management).

ISO 24143 defines an IG program as a: “strategic framework for governing information assets across an entire organization to enhance coordinated support for the achievement of business outcomes and obtain assurance that the risks to its information, and thereby the operation capabilities and integrity of the organisation, are effectively identified and managed.” ISO 24143 at 3.

One of the ISO’s principles, in particular, elevates the emphasis on risk and insists that the agendas of any particular stakeholders should not have disproportionate influence. It states: “Information Governance should adopt a risk-based approach and implement controls for appropriate information usage in compliance with law, policies, regulation in alignment with the organisation’s risk profile/appetite,” and not the desires of one or a few departments. ISO 24143, Principle 5.11, at p. 7.

The ISO also nudges IG up the corporate ladder of priorities. Like publications of The Sedona Conference, ARMA, the CGOC, and the IGI, the ISO urges that senior management be committed to lead and support IG. But the ISO continues, stating: “[a] member of the organisation’s senior management should be responsible for Information Governance and ensure accountability, reporting to the most senior person or governance structure in the organisation.” (Emphasis added.) The IGI for several years has urged organizations to appoint a Chief IG Officer to report to the Chief Executive Officer (“CEO”).[3] But the reference to the “most senior . . . governance structure” suggests that the Board should be aware of IG issues and that the CEO should be accountable for the successful implementation and execution of an IG program that conforms to the ISO standard.

Finally, the ISO identifies several strategic benefits from a good IG program, among them: “reducing risk that could cause reputational damage, financial loss or penalties” by, for example, eliminating information that is no longer required to be retained; identifying gaps in systems, policies, procedures, and processes required to govern an organization’s information assets effectively; and ensuring that the organization’s policies are consistent and working in harmony.

For additional information on how we can assist with implementing an ISO 24143-inspired IG program or further details on Redgrave LLP’s Information Governance services, please contact Chris King at cking@redgravellp.com or at 312.405.2020.

The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.

By Chuck Ragan


[1] ISO 24143 is available for purchase from ISO at https://www.iso.org/standard/77915.html.

[2] See 2014 Annual Report of Information Governance Initiative.

[3] Id.