[Moims-rac] Analysis of ISO 27001

Alison Macdonald alison at d-archiving.com
Wed Mar 28 06:55:34 EST 2007


Just a quick musing on the shoe factory's needs:  Barbara's example took me
back about ?6,7 years:  I was involved in a $billion acquisition of Texon
www.texon.com - we had to work through documents many of which were many
years old - accounts, pensions scheme info, corporate documents, claims
documents, documentation on manufacturing processes & techniques (including
technical documentation, CAD drawings, SOPs, architectural drawings, health
& safety...).  The shoe factory company has responsibilities to
stakeholders, including its employees, which extend forward beyond 5 years
(again, pensions, possible liability claims from working environment, tax
data, etc).   For the purchasing company, the reliability (eg integrity and
authenticity) of these documents was very important, and not necessarily
taken for granted:  purchasing companies would usually require the vendor to
provide warranties about several things (eg the reliability of information),
to which financial penalties are attached.  These warranties usually have
specified durations of several years (I've seen some in double digits).

I have also worked on other instances (not Texon) where these warranties are
invoked, to the substantial cost of the previous vendor (and to the
substantial benefit of the employees).

But even for day-to-day operations, a shoe factory will need to be able to
rely on its documents over considerable spans of time.  Operationally,
however, it might never have to demonstrate integrity and authenticity (but
how can it be confident that it won't?!)  It is likely that many of the
objects/materials it needs to keep over time are relatively simple from a
preservation perspective, but not all.

I agree with Helen that it comes down to the essential properties of the
materials to be preserved.  Are these "essential properties" non-variables
..  a sine qua non?

So a trusted digital repository might support either a specified set of
properties of the materials it holds, or it could support variations.

Getting back to ISO 27001, (a) a trusted digital repository should comply
with it, and (b) the information security in that standard is more about
information security over a restricted span of time (really, the temporal
perspective is missing).

Alison

Alison Macdonald
Digital Archiving Consultancy Limited
2 Wayside Court, Twickenham UK
alison at d-archiving.com
Tel: +44-208 607 9102



-----Original Message-----
From: moims-rac-bounces at mailman.ccsds.org
[mailto:moims-rac-bounces at mailman.ccsds.org]On Behalf Of Helen Tibbo
Sent: 28 March 2007 10:19
To: 'MOIMS-Repository Audit and Certification BOF'
Subject: RE: [Moims-rac] Analysis of ISO 27001


Hello everyone. I hope to be able to join you today at the conference now
that daylight savings time has been resolved. Certainly the nature of what
is being preserved makes a difference here. It's one thing to keep data
safe, another to provide long-term preservation to authentic digital
objects. This comes down, at least in part, to what we mean by "authentic"
and what the essential properties are of the materials that need to be
preserved. While the shoe factory may have just as rigorous requirements as
any other repository, it probably doesn't. Length of time to preserve is
also a factor in the complexity of what must be understood, done, and
planned for. However, in theory I think the requirements could be the same; in
practice they would probably be quite different.  -Helen


Dr. Helen R. Tibbo, Professor
School of Information and Library Science
201 Manning Hall
University of North Carolina at Chapel Hill
Chapel Hill, NC 27599-3360
tibbo at ils.unc.edu
Tel: 919.962.8063
Fax: 919.962.8071

-----Original Message-----
From: moims-rac-bounces at mailman.ccsds.org
[mailto:moims-rac-bounces at mailman.ccsds.org] On Behalf Of Barbara Sierman
Sent: Tuesday, March 27, 2007 9:42 AM
To: moims-rac at mailman.ccsds.org
Subject: [Moims-rac] Analysis of ISO 27001

Dear all,

After having read the ISO 27001 and the comments of Chris Rusbridge and David
Giaretta, I wondered whether we should not pay some attention to a
fundamental question (in my opinion): what is the difference between a long
term preservation environment and an information security management system
of let's say a shoe factory. Is there a difference? I think there is. If we
are able to determine these differences, we could also be more explicit
about the requirements.
For example: Managing a long term preservation environment, could mean that
it is important to lay down the decisions made with regard to this system,
while this information might be crucial information to the next generations,
maintaining this material. Long term preservation also means that the
management of the "repository" has some responsibility to the next
generations. In the shoe factory this is less important, after all the
system will be replaced after 5 years and after a conversion of the data,
the factory is just working with a new system.
I'm sure there are more differences. I wonder what other people's opinion
is? Maybe something to discuss tomorrow?

Kind regards


Barbara Sierman
Digital Preservation Officer

Koninklijke Bibliotheek
PO Box 90407
2509 LK Den Haag, The Netherlands

+31 70 3140109
barbara.sierman at kb.nl

www.kb.nl


_______________________________________________
Moims-rac mailing list
Moims-rac at mailman.ccsds.org
http://mailman.ccsds.org/cgi-bin/mailman/listinfo/moims-rac


