ISO 21502:2020 Clause 7.16.3 Storing and retrieving information and documentation

Project Management 10 Minutes

A system should be defined and established for receiving, identifying, securely storing and maintaining information and documentation, such that the information and documentation can be distributed and is retrievable only by those individuals who are authorized to access it. The system should include business continuity measures in the event of a disruptive incident. The system should include disposal and retention requirements for all categories of project information which have been defined as needing to be managed.
A system should be established to ensure the integrity of groups of related information, such as those systems used for configuration management.

In information and documentation management, storing and retrieving information and documentation efficiently is essential for ensuring accessibility, security, and usability. Here are common practices and strategies employed by project organizations:

  1. Centralized Storage Systems: Project organizations often utilize centralized storage systems, such as document management systems (DMS) or content management systems (CMS), to store all project-related information and documentation in one location. These systems offer features like version control, access controls, metadata tagging, and search functionalities to facilitate easy retrieval.
  2. Folder Structures: Organizing information and documentation into logical folder structures helps users navigate and locate files effectively. Folders can be categorized by project phase, document type, team, or any other relevant criteria to ensure consistency and clarity.
  3. Metadata Tagging: Applying metadata tags to documents enhances searchability and categorization. Metadata can include information like document title, author, creation date, project phase, keywords, and file format. Tagging enables users to filter and retrieve documents based on specific criteria.
  4. Version Control: Maintaining version control ensures that users can access the most up-to-date versions of documents while preserving previous iterations. Version control systems track changes, revisions, and comments, allowing users to revert to earlier versions if needed and preventing confusion over multiple versions.
  5. Access Controls and Permissions: Implementing access controls and permissions restricts access to sensitive information and ensures that only authorized individuals can view, edit, or delete documents. Role-based access control (RBAC) and user authentication mechanisms help enforce security policies and compliance requirements.
  6. Backup and Disaster Recovery: Regularly backing up project information and documentation is essential for mitigating the risk of data loss due to hardware failure, cyber-attacks, or other unforeseen events. Backup procedures should be automated, and multiple backup copies should be stored in secure locations to facilitate disaster recovery.
  7. Search Functionality: Robust search functionality enables users to quickly locate specific documents or information within large repositories. Full-text search capabilities, advanced search filters, and keyword highlighting enhance the efficiency of information retrieval.
  8. Training and Documentation: Providing training and documentation on information management best practices ensures that project team members understand how to store, retrieve, and manage information effectively. Training sessions, user guides, and knowledge bases support user adoption and proficiency with information management systems.
  9. Integration with Collaboration Tools: Integrating information management systems with collaboration tools such as project management software, communication platforms, and workflow automation tools streamlines information sharing and enhances team collaboration. Seamless integration reduces duplication of effort and improves overall productivity.

By implementing these strategies, project organizations can establish robust information and documentation management practices that facilitate efficient storage, retrieval, and utilization of project-related information, ultimately contributing to project success.

A system should be defined and established for receiving, identifying, securely storing and maintaining information and documentation.

Establishing a systematic approach for receiving, identifying, securely storing, and maintaining information and documentation is critical for effective information management within a project organization. Here’s how such a system could be defined and implemented:

  1. Receiving Information and Documentation:
    • Designate a centralized point or channel for receiving all project-related information and documentation, such as a designated email address or document repository.
    • Clearly communicate to all stakeholders the preferred methods and formats for submitting information and documentation.
    • Implement automated processes, such as email filters or form submissions, to streamline the receipt of information and documentation.
  2. Identifying Information and Documentation:
    • Develop a standardized system for categorizing and tagging incoming information and documentation based on their type, source, relevance, and urgency.
    • Assign unique identifiers or codes to documents for easy tracking and retrieval.
    • Establish naming conventions and metadata standards to facilitate consistent identification and organization of documents.
  3. Securely Storing Information and Documentation:
    • Utilize secure and reliable storage systems, such as encrypted databases or cloud-based repositories, to store sensitive and confidential information.
    • Implement access controls and permissions to restrict unauthorized access to sensitive documents.
    • Regularly update and patch storage systems to address security vulnerabilities and ensure data integrity.
  4. Maintaining Information and Documentation:
    • Develop protocols and procedures for regularly reviewing, updating, and archiving information and documentation as necessary.
    • Establish version control mechanisms to track changes and revisions to documents over time.
    • Implement backup and disaster recovery measures to safeguard against data loss or corruption.
  5. Training and Awareness:
    • Provide training and guidance to project team members on how to use the information management system effectively.
    • Raise awareness among stakeholders about the importance of proper information and documentation management practices, including data security and confidentiality.
    • Offer ongoing support and resources, such as user manuals or FAQs, to address any questions or issues that may arise.
  6. Continuous Improvement:
    • Regularly evaluate the effectiveness of the information management system and processes through feedback mechanisms, audits, and performance metrics.
    • Identify areas for improvement and implement corrective actions to enhance the efficiency, security, and reliability of the system.
    • Stay updated on emerging technologies and best practices in information management to adapt and evolve the system accordingly.

By defining and establishing a comprehensive system for receiving, identifying, securely storing, and maintaining information and documentation, project organizations can ensure that critical data is managed effectively and in compliance with regulatory requirements and organizational standards.

The information and documentation should be distributed and is retrievable only by those individuals who are authorized to access it.

Ensuring that information and documentation are distributed and retrievable only by authorized individuals is essential for maintaining confidentiality, security, and compliance. Here’s how this can be achieved:

  1. Access Control Mechanisms: Implement access control mechanisms to restrict access to information and documentation. This includes user authentication (e.g., usernames, passwords, multi-factor authentication) and authorization mechanisms (e.g., role-based access control, permissions based on job roles or project responsibilities).
  2. Role-Based Access Control (RBAC): Assign access rights and permissions based on the roles and responsibilities of individuals within the organization. Users are granted access only to the information and documentation necessary for performing their duties.
  3. Encryption: Utilize encryption techniques to protect sensitive information and documentation both in transit and at rest. This ensures that even if unauthorized individuals gain access to the data, it remains unreadable without the appropriate decryption keys.
  4. Secure Communication Channels: Use secure communication channels (e.g., encrypted emails, secure file transfer protocols) for distributing sensitive information and documentation. Avoid sending sensitive data through unsecured channels that could be intercepted or compromised.
  5. Audit Trails and Logging: Maintain audit trails and logging mechanisms to track access to information and documentation. This enables organizations to monitor user activity, detect unauthorized access attempts, and investigate security incidents or breaches.
  6. Regular Access Reviews: Conduct regular reviews of user access rights and permissions to ensure that they align with current roles and responsibilities. Remove access privileges for individuals who no longer require them or have changed roles within the organization.
  7. Training and Awareness: Provide training and awareness programs to educate users about the importance of data security and confidentiality. Emphasize the proper handling of sensitive information and documentation and the consequences of unauthorized access or disclosure.
  8. Data Loss Prevention (DLP): Implement data loss prevention measures to prevent unauthorized distribution or leakage of sensitive information. This may include policies, technologies, and procedures designed to monitor, detect, and prevent the unauthorized transfer of sensitive data outside the organization.

By implementing these measures, organizations can ensure that information and documentation are distributed and retrievable only by authorized individuals, thereby mitigating the risk of unauthorized access, data breaches, and compliance violations.

The system should include business continuity measures in the event of a disruptive incident.

Incorporating business continuity measures into the information management system is crucial for ensuring resilience and continuity in the event of disruptive incidents. Here’s how this can be achieved:

  1. Risk Assessment and Business Impact Analysis: Conduct a comprehensive risk assessment and business impact analysis to identify potential threats and their potential impact on information and documentation. This includes natural disasters, cyber-attacks, equipment failures, and other disruptive incidents.
  2. Backup and Redundancy: Implement robust backup and redundancy measures to ensure the availability and integrity of information and documentation. This includes regularly backing up data to offsite locations, utilizing redundant storage systems, and maintaining backup copies of critical documents.
  3. Disaster Recovery Plan: Develop a formal disaster recovery plan that outlines procedures for recovering and restoring information and documentation in the event of a disruptive incident. This includes establishing recovery time objectives (RTOs) and recovery point objectives (RPOs), identifying recovery resources and strategies, and assigning roles and responsibilities.
  4. Failover and Redundancy: Implement failover mechanisms and redundancy in infrastructure and systems to minimize downtime and ensure continuous access to information and documentation. This may involve deploying redundant servers, network connections, and data centers to support failover and failback operations.
  5. Incident Response Plan: Develop an incident response plan that outlines procedures for detecting, responding to, and mitigating the impact of disruptive incidents on information and documentation. This includes establishing communication channels, activating emergency response teams, and coordinating recovery efforts.
  6. Testing and Training: Regularly test and update business continuity plans through tabletop exercises, simulations, and drills. Ensure that all stakeholders are trained and familiar with their roles and responsibilities in executing the plans during a disruptive incident.
  7. Communication and Coordination: Establish communication protocols and coordination mechanisms to facilitate collaboration among stakeholders during a disruptive incident. This includes establishing communication channels, maintaining contact lists, and conducting regular updates and briefings.
  8. Continuous Improvement: Continuously monitor and evaluate the effectiveness of business continuity measures and update plans and procedures as needed. Incorporate lessons learned from past incidents to improve resilience and preparedness for future disruptive events.

By integrating business continuity measures into the information management system, organizations can enhance their ability to withstand and recover from disruptive incidents, minimize downtime, and maintain the availability and integrity of critical information and documentation.

The system should include disposal and retention requirements for all categories of project information which have been defined as needing to be managed.

Incorporating disposal and retention requirements into the information management system is essential for ensuring compliance with regulatory standards, minimizing legal risks, and optimizing storage resources. Here’s how this can be achieved:

  1. Retention Policies: Define retention policies for each category of project information based on legal, regulatory, and business requirements. These policies specify the duration for which information should be retained before disposal and outline the conditions under which information may be retained for longer periods.
  2. Document Lifecycle Management: Implement a document lifecycle management process that defines the stages through which project information progresses, including creation, storage, retrieval, retention, and disposal. Clearly delineate responsibilities and procedures for managing documents at each stage of the lifecycle.
  3. Retention Period Determination: Determine the retention periods for different categories of project information based on factors such as legal requirements, industry standards, business needs, and historical significance. Consult legal counsel and regulatory guidelines to ensure compliance with applicable laws and regulations.
  4. Disposal Procedures: Establish procedures for securely disposing of project information at the end of its retention period or when it is no longer needed for legal, operational, or historical purposes. This may include shredding physical documents, securely deleting digital files, or transferring records to an archival repository.
  5. Secure Destruction: Ensure that disposal procedures adhere to security best practices to prevent unauthorized access or disclosure of sensitive information. Implement secure destruction methods, such as cross-cut shredding for paper documents or data wiping for digital files, and maintain audit trails of disposal activities.
  6. Archival Storage: Determine whether certain categories of project information warrant archival storage for long-term preservation or historical purposes. Establish procedures for transferring records to archival repositories, including indexing, cataloging, and metadata tagging to facilitate retrieval.
  7. Compliance Monitoring: Regularly monitor and audit compliance with disposal and retention requirements to ensure adherence to established policies and procedures. Conduct periodic reviews of retention schedules, disposal logs, and archival inventories to identify any discrepancies or non-compliance issues.
  8. Employee Training and Awareness: Provide training and awareness programs to educate employees about the importance of disposal and retention requirements and their role in complying with organizational policies. Emphasize the significance of safeguarding sensitive information and adhering to legal and regulatory mandates.

By integrating disposal and retention requirements into the information management system, organizations can effectively manage the lifecycle of project information, mitigate legal and compliance risks, and optimize storage resources.

A system should be established to ensure the integrity of groups of related information, such as those systems used for configuration management.

Establishing a system to ensure the integrity of groups of related information, such as those used for configuration management, is crucial for maintaining consistency, reliability, and accuracy in project data. Here’s how such a system can be established:

  1. Configuration Management Plan (CMP):
    • Develop a Configuration Management Plan that outlines policies, procedures, and responsibilities for managing configuration items (CIs) throughout their lifecycle.
    • Define the scope of configuration management, including the types of information to be managed, the configuration control process, and the roles and responsibilities of stakeholders.
  2. Configuration Identification:
    • Establish procedures for identifying and documenting configuration items (CIs) and their relationships within the system.
    • Assign unique identifiers or codes to each CI to facilitate tracking and traceability.
  3. Version Control:
    • Implement version control mechanisms to manage changes to configuration items over time.
    • Maintain a version history for each CI, documenting changes, revisions, and updates.
  4. Change Management:
    • Develop a Change Management process to control and track changes to configuration items.
    • Define procedures for submitting, reviewing, approving, and implementing changes, including impact assessment and risk analysis.
  5. Configuration Status Accounting:
    • Establish procedures for maintaining accurate and up-to-date records of the status and history of configuration items.
    • Track the current state and location of each CI, including its version, status, and relationships with other CIs.
  6. Configuration Audits:
    • Conduct periodic configuration audits to verify the integrity and completeness of configuration information.
    • Perform baseline audits to ensure that the current state of configuration items aligns with approved baselines.
  7. Documentation Management:
    • Implement a centralized documentation management system to store and manage configuration documentation, including specifications, requirements, designs, and test plans.
    • Ensure that documentation is version-controlled and linked to corresponding configuration items.
  8. Tools and Technology:
    • Utilize specialized configuration management tools and software to automate and streamline configuration management processes.
    • Select tools that support version control, change management, and configuration item tracking.
  9. Training and Awareness:
    • Provide training and awareness programs to educate project team members about configuration management principles, processes, and tools.
    • Ensure that stakeholders understand their roles and responsibilities in maintaining the integrity of configuration information.

By establishing a robust configuration management system, organizations can ensure the integrity, consistency, and reliability of groups of related information, facilitating effective project management and decision-making.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a ReplyCancel reply