Information governance: information security and access within a UK context
Elizabeth Lomas, CEIS, Northumbria University, Newcastle, UK
Published 13 July 2010, pp. 182-198
DOI: https://doi.org/10.1108/09565691011064322
Subject matter: Information & knowledge management
Abstract
Purpose – The purpose of this paper is to demonstrate that records management frameworks need to be risk based, flexible and aligned to wider information management objectives. The paper outlines some of the changes, challenges and opportunities now and on the horizon for records managers. The paper argues that through embedding the international information security standard ISO 27001 in conjunction with the records management standard ISO 15489, holistic information governance strategies will be delivered that are responsive to change.
Design/methodology/approach – The paper provides a discussion on the challenges facing records and information management professionals and suggests that ISO 27001 provides some of the systems solutions lacking from ISO 15489.
Findings – The alignment of ISO 27001 to ISO 15489 strengthens the delivery of existing records management systems and their drivers. This is critical to build strong information governance programmes, which enable risks to be assessed in an ever-changing information management world.
Practical implications – Successful implementation of records management requires alignment with wider information standards and strategies to deliver holistic information management and governance.
Originality/value – This research will assist in promoting best practice in records management and information governance.
Keywords Records management, Information management, Quality standards, Data security, Risk management, United Kingdom
Paper type General review
Introduction
It is not the strongest of the species that survives, nor the most intelligent, but the one most
responsive to change (Charles Darwin).
Over the last 20 years, records management professionals have had to make a paradigm shift in their roles and responsibilities in order to remain relevant within public and private sector organisations. This shift has involved moving from the physical management of largely paper filing, controlled and appraised at key stages through a records management lifecycle, to managing and valuing electronic records from capture in line with the records continuum model. Within this timeframe, records management concepts have gained international recognition through the publication of the international records management standard ISO 15489 parts 1 and 2 (ISO, 2001; ISO/TR, 2001), Information and Documentation Records Management (subsequently referred to within this paper as ISO 15489). However, records managers are currently moving through another paradigm shift, with larger seismic tremors on the horizon.

This paper is an expression of the author's own personal and professional viewpoints, but she is enormously indebted to each and every one of the 80 co-researchers in the Continued Communication Research Group for their lively discussions and expertise, which have influenced her opinion and expanded her knowledge (www.continuedcommunication.org). The author must also thank Dawn Diggines, Sonja Gabriel, Suzie Mereweather and Victor Parry for their expert information security advice and common sense.

Records Management Journal, Vol. 20 No. 2, 2010, pp. 182-198. Received 16 April 2010; revised 28 April 2010; accepted 6 May 2010. © Emerald Group Publishing Limited, ISSN 0956-5698.
Records managers have moved from a world in which they have been able to control and maintain information within an organisation's boundaries (albeit sometimes through server networks spread across the globe) to a world in which individuals may often create organisational records from beyond that organisation's boundaries through Web 2.0 technologies or business applications which are hosted and supported within a third party "Cloud". This makes the case for rethinking how information is captured, audited and managed for operational purposes, accountability and use over time. It also raises additional questions about information ownership (e.g. information created and held in Web 2.0 software or the Cloud may not be owned by the creator), information rights legislation (e.g. dispersed information will be impacted upon by wide ranging information rights legislation across the globe with many different permutations) and information reuse (e.g. information gains new value through new uses in its original form and new forms such as mashups and "linked data" schemes). Within this context, many of the key information management questions relate to issues around information value, access, security and risk management over time. It is the contention of this paper that information governance solutions and thinking, which balance risks, present many of the practical answers for the development of records and information management systems within the context of current and future challenges. The implementation of the international standard on Information Security Management Systems Requirements ISO 27001, published in 2005 (subsequently referred to within this paper as ISO 27001), which devises a governance framework, holds many answers to strengthening records management systems.
ISO 27001 is a more holistic standard than ISO 15489, focusing on wider information risks that link closely to organisational goals. ISO 27001 is designed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS)" (ISO, 2005a, b, p. v). In particular, its approach marries organisational goals with human factors. The emphasis on the latter is an important part of the standard's focus that is lacking from ISO 15489, although it has been noted by researchers that culture and human factors are a key requirement if ISO 15489 is to be successfully implemented (McLeod, 2004; Oliver, 2007). Furthermore, ISO 27001 has a systems approach built around risk management, which enables information managers to build flexible frameworks for evaluating the appropriate organisational use and impact of new storage and software systems within and outside organisational boundaries, based on the nature and cultural context of the organisation. Within the UK context, the risks and benefits associated with managing online information are at the forefront of public and business consciousness. It is understood that information governance is a critical consideration for any organisation's success.
Information governance
Information governance is about putting in place information management
programmes to ensure that information is controlled to ensure it is “appropriately”