The
International Organization for Standardization /
International Electrotechnical Commission (ISO/IEC) Joint Technical Committee (JTC)
1,
Information Technology, Subcommittee (SC)
27,
IT Security techniques, Working Group (WG) 4,
Security controls and services, has begun work on an International Standard for electronic discovery. The new standard,
ISO/IEC 27050,
Information technology - Security techniques - Electronic discovery, reflects the growing role that electronically stored data (ESI) plays in modern society throughout the world. In the U.S. this standard could be relevant to both civil and criminal proceedings, as well as patent disputes, U.S. Freedom of Information Act (FOIA) requests, and other related areas.
The development of the standard was officially approved in April 2013 at the meeting of ISO/IEC JTC 1/SC 27 WG 4 in Sophia Antipolis, France. A working draft (WD) of the standard was delivered in July and comments on that draft were processed at the WG 4 Meeting in Incheon, South Korea (KR), on October 21-25. Based on the contributions and feedback from the participating National Bodies at the KR meeting, the decision was made to subdivide the project and to continue development as a multi-part standard.
While still in an early stage, the multi-part standard is expected to address key aspects of electronic discovery in its initial four parts:
- ISO/IEC 27050-1, Information technology - Security techniques - Electronic discovery - Part 1: Overview and concepts. Part 1 will provide an overview of electronic discovery, including terminology, concepts, and processes that can be leveraged by the other parts as well as other standards.
- ISO/IEC 27050-2, Information technology - Security techniques - Electronic discovery - Part 2: Guidance for governance and management of electronic discovery. Part 2 will describe how personnel at senior levels within an organization can identify and take ownership of risks related to electronic discovery, set policy relating to electronic discovery, and achieve compliance with external and internal requirements relating to electronic discovery as well as how to implement and control electronic discovery in accordance with prevailing policies.
- ISO/IEC 27050-3, Information technology - Security techniques - Electronic discovery - Part 3: Code of Practice for electronic discovery. Part 3 will provide requirements and guidance on activities in electronic discovery, including, but not limited to identification, preservation, collection, processing, review, analysis, and production of ESI as well as specifying relevant measures that span the initial creation of ESI through its final disposition.
- ISO/IEC 27050-4, Information technology - Security techniques - Electronic discovery - Part 4: ICT readiness for electronic discovery. Part 4 will provide guidance on the ways an organization can plan and prepare for, and implement, electronic discovery from the perspective of both technology and processes.
ISO/IEC 27050 is expected to be relevant to both technical and non-technical personnel working in connection with electronic discovery and is intended to complement and not supersede existing laws and regulations in local jurisdictions. In the U.S., the standard has the potential to provide important clarification on electronic discovery related issues that have not been directly addressed in the U.S. Federal Rules of Civil Procedure (FRCP), which govern procedure for civil lawsuits in the U.S. federal court system, or in relevant state electronic discovery statutes.
The U.S. leads ISO/IEC JTC 1, with the American National Standards Institute (ANSI) holding the Secretariat and Karen Higginbottom, director of standards initiatives at Hewlett-Packard, serving as the group's chair. The InterNational Committee for Information Technology Standards (INCITS) serves as the U.S. Technical Advisory Group (TAG) to JTC 1 and its Cyber Security Technical Committee (CS1) has been delegated responsibility to interface with SC 27. INCITS is an ANSI member and accredited standards development organization.
To learn more about ISO/IEC 27050 or for information about how to get involved in the standard's development, please contact the U.S. TAG's International Representative (and Editor for ISO/IEC 27050-1 and ISO/IEC 27050-3), Eric Hibbard, CTO Security & Privacy at Hitachi Data Systems, at [email protected]. All interested stakeholders, including representatives of relevant legal and technology organizations, are strongly encouraged to take part.
