Records Management & Information Management

  • 9 February 2023
  • 4 replies


A client of mine is one of the small but specialized university colleges in South Africa.

Management has identified a weakness in records management and management of information across functional areas and the Academic stream of the institution.

During my environmental scanning of the institution, I concluded that systems integration and information architecture need to be addressed first as a stepping stone towards improving the flow of information to and from the functional areas.

The concept of records management takes on a distinctive feature in relation to information security in this regard. Consequently, matters of risk management become truly relevant to the responsibility conferred on the council of the institution. Logical as it may be, the ownership of information remains in the hands of the functional heads, yet the health of the operational systems and the security of those systems continue to be the responsibility of the CIO/CISO.

Now, with a robust platform like Drata, certain aspects of the problem statement above can be adequately resolved, especially when SOC 2 Type 1 and Type 2 are brought into the picture. The challenge, as the case might present itself in this situation, is to position the SOC 2 capability to resolve some of the gaps from a technical point of view. Therefore, there seems to be an opportunity for placing SOC 2 strategically to unravel the problem statement. Furthermore, the question is to what extent SOC 2 would facilitate the solution and help develop a technical and information architecture suitable to avert any unforeseeable occurrence of disruption in the short and long term.


4 replies


Great question, @terryr ! Will try and get a Drata expert in here to answer this question. Stay tuned!


@terryr I would actually say that ISO 27001 is more relevant to records and information management. ISO 27001 has specific requirements around how records and information are managed. For example:

Control 5.9 “An inventory of information and other associated assets, including owners, should be developed and maintained.” The purpose of this control is to identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership.

Control 5.10 “Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.” The purpose of this control is to ensure information and other associated assets are appropriately protected, used and handled.

Control 5.11 “Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.” The purpose of this control is to protect the organization’s assets as part of the process of changing or terminating employment, contract or agreement.

Control 5.12 “Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.” The purpose of this control is to ensure identification and understanding of protection needs of information in accordance with its importance to the organization.

Control 5.13 “An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.” The purpose of this control is to facilitate the communication of classification of information and support automation of information processing and management.

Control 5.14 “Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.” The purpose of this control is to maintain the security of information transferred within an organization and with any external interested party.

I think ISO 27001 would be a better framework for solving your issue.


Quite comprehensive.

What I like about your views is that the controls stated are applicable to the records management legislative framework!

Much appreciated.



You’re welcome! Happy to help!