Records management

IT Impact Zone
IT Impact Zone


This is a top level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a data profiling program., CC ID: 13992
  • Establish, implement, and maintain a translation management program., CC ID: 14316
  • Establish, implement, and maintain an information management program., CC ID: 14315
  • Establish, implement, and maintain records management systems., CC ID: 13036
  • Establish, implement, and maintain records management policies., CC ID: 00903
  • Establish, implement, and maintain records management procedures., CC ID: 11619
  • Physically secure printed records., CC ID: 11778
  • Establish, implement, and maintain an e-discovery program., CC ID: 00976


  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (Art. 32.1.(b), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The processing of personal data without electronic means will be allowed only if the following minimum security measures are implemented with the technical specifications stated in Annex B of this Code: implementing procedures to safeguard records and documents in order to discharge the relevant tas… (§ 35, Annex B.27, Italy Personal Data Protection Code)
  • Procedures must be developed to identify the controls used for business continuity management system documentation and records. (§, BS 25999-2, Business continuity management. Specification, 2007)
  • The organization must develop and maintain records to demonstrate the organization's conformity to this Standard and the organizational resilience management system, along with the achieved results. The organization must develop, implement, and maintain procedures to protect a record's integrity. Th… (§ 4.5.4, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Seal numbers should be stored in a log that is not located next to the containers that contain the seals in order to prevent persons from altering the seals and then changing the paperwork to match the new seals. A record of the seals should be maintained and should include the date and time the sea… (Pg 11-II-15, Pg 11-II-16, Protection of Assets Manual, ASIS International)
  • The Facility Clearance forms must be retained by the organization for the duration of the Facility Clearance. (§ 2-111, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The Chief Information Officer, Records Officer, and, if required, the General Counsel, the National Archives and Records Administration (NARA), and the General Accounting Office must review all proposed electronic recordkeeping systems before they are implemented. (Ch 6 (Approval Requirements for Electronic Recordkeeping Systems), Department of Health and Human Services Records Management Procedures Manual, Version 1.0 Final Draft)
  • Determine whether audit procedures for operations consider ▪ The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. ▪ The adequacy of data controls over preparation, input, processing, and output. ▪ The ad… (Exam Tier II Obj C.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Identify and review the institution's use of item processing and document imaging solutions and describe the imaging function. ▪ Describe or obtain the system data flow and topology. ▪ Evaluate the adequacy of imaging system controls including the following: • Physical security; • Data secur… (Exam Tier I Obj 9.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • § 11.1(b): This part applies to electronic records created, maintained, modified, archived, retrieved, or transmitted under any records requirements in Food and Drug Administration (FDA) regulations. It also applies to electronic records that are submitted to the FDA under the requirements of the F… (§ 11.1(b), § 11.1(f), 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • The Records Management Officer should ensure all system and/or data owners know the retention requirements for their information, so records that should be preserved are not destroyed. (§ 3.8, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • The audit team should retain records that include the procedures used for the audit and any documentation of consultations and resolutions of differences amongst the team members. (¶ 8, PCAOB Auditing Standard No. 3)