ISO/IEC 27050-2
ISO/IEC 27050-2:2018 — Information technology — Security techniques — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery
(first edition)
Abstract
ISO/IEC 27050 part 2 “provides guidance for technical and non-technical personnel at senior management levels within an organisation, including those with responsibility for compliance with statutory and regulatory requirements, and industry standards. [Part 2] describes how such personnel can identify and take ownership of risks related to electronic discovery, set policy and achieve compliance with corresponding external and internal requirements. It also suggests how to produce such policies in a form which can inform process control. Furthermore, it provides guidance on how to implement and control electronic discovery in accordance with the policies.”
Introduction
Part 2 guides management on identifying and treating the information risks related to eDiscovery, e.g. by setting and implementing eDiscovery-related policies and by complying with the relevant (mostly legal) obligations and expectations.
It also offers guidance on good governance for eDiscovery and related forensics work, i.e. the overarching framework or structure within which digital forensic activities take place and are managed through a controlled, repeatable and trustworthy suite of activities.
Scope
Governance and management of eDiscovery.
Structure
Main sections:
5: Electronic discovery background
6: Governance of electronic discovery
7: Management of electronic discovery
8: Risks and environmental factors
9: Compliance and review
Status
The current first edition of part 2 was published in 2018.
Commentary
Part 2 suggests a few possible metrics, although organisations are well advised to determine their own, based on their objectives relating to eDiscovery, eForensics, incident management, information risks and so forth. Of all the things going on in this area, which parts and aspects are important for the business, and why? What kinds of information would help management manage them? What questions are likely to need answering? Those are good clues to the metrics that would actually help, as opposed to metrics suggested by others - including ISO.
Thankfully, part 2 outlines the information risks that various information security controls are intended to mitigate. However, the list of risks is incomplete: for example, it does not mention that damage, theft, loss or any other incident affecting ESI (including a break in its chain of custody) can compromise its evidential value and admissibility in court, potentially undermining an otherwise sound case. It is a starting point, though, and one worth elaborating on.
Hint: metrics relating to key risks and key controls are likely to be of value to management.
