
ISO 30302:2022


INTERNATIONAL STANDARD ISO 30302

Second edition
2022-05

Information and documentation — Management systems for records —
Guidelines for implementation
Information et documentation — Systèmes de gestion des documents
d'activité — Lignes directrices de mise en oeuvre


Reference number
ISO 30302:2022(E)

© ISO 2022

COPYRIGHT PROTECTED DOCUMENT


© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland


Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.1.1 General
4.1.2 Records requirements
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the MSR
4.4 Management system for records
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Records objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Determining records to be created
8.3 Designing and implementing records processes, controls and systems
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective actions
10.2 Continual improvement
Annex A (informative) Example of implementation of ISO 30301:2019, Annex A requirements
Bibliography


Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 46, Information and documentation,
Subcommittee SC 11, Archives/records management.
This second edition cancels and replaces the first edition (ISO 30302:2015), which has been technically
revised.
The main changes are as follows:
— alignment with the new edition of ISO 30301 (ISO 30301:2019);
— modification of Annex A.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.


Introduction
This document has been developed to assist users to apply the management system for records
requirements of ISO 30301. ISO 30301 specifies the requirements for a management system for records
(MSR) where an organization needs to demonstrate its ability to create and control information created,
received and maintained as evidence and as an asset by an organization, in pursuit of legal obligations
or in the course of conducting business.
The purpose of this document is to provide practical guidance on how to implement a management
system for records (MSR) within an organization in accordance with ISO 30301. This document covers
what is needed to establish and maintain an MSR. This document does not modify and/or reduce the
requirements specified in ISO 30301. An activity or documenting an activity is considered mandatory
only when it is required in ISO 30301.
The implementation of an MSR is generally executed as a project. An MSR can be implemented in
organizations with existing records systems or programmes to review and improve the management
of those systems or programmes or in organizations planning to implement a systematic and verifiable
approach to records creation and control for the first time. Guidance described in this document can
be used in both situations. An MSR can be an advisable option for addressing legal or technological
uncertainty in some cases.
It is assumed that organizations that decide to implement an MSR have made a preliminary assessment of
their existing records and records systems and have identified risks to be addressed and opportunities
for major improvements. For example, the decision to implement an MSR can be taken as a
risk-reduction measure for undertaking a major information technology platform change or outsourcing
business processes identified as high risk. Alternatively, the MSR can provide a standardized
management framework for major improvements such as integrating records processes with specific
business processes or improving control and management of records of online transactions or business
use of social media.
The use of this document is necessarily flexible. It depends on the size, nature and complexity of the
organization and the level of maturity of the MSR, if one is already in place. Each organization's context
and complexity are unique and its specific contextual requirements will drive the MSR implementation.
Smaller organizations will find that the activities described in this document can be simplified. Large or
complex organizations can find that a layered management system is needed to implement and manage
the activities in this document effectively.
Guidance in this document follows the same structure as ISO 30301, describing the activities to be
undertaken to meet the requirements of ISO 30301 and how to document those activities.
Clause 4 deals with how to perform the context analysis needed to implement an MSR. From this
analysis, the scope of the MSR is defined and the relationship between implementing an MSR and other
management systems is identified.
Clause 5 explains leadership and how to gain the commitment of top management. The commitment is
expressed in a records policy and the assignment of responsibilities and authorities.
Clause 6 deals with planning the implementation of the MSR and adopting records objectives, which is
informed by high-level risk analysis, the contextual analysis (see Clause 4), and the resources available
(see Clause 7).
Clause 7 outlines the support needed for the MSR, such as resources, competence, awareness,
communication, and documented information.
Clause 8 deals with defining or reviewing and planning the operational level. It includes the analysis
to determine records to be created (see 8.2) and the design and implementation of records processes,
controls and systems. It draws on the contextual requirements and scope (see Clause 4) and is based on
the records policy (see 5.2), the risk analysis (see 6.1) and resources needed (see 7.1) to meet the records
objectives (see 6.2) in the planned implementation. Clause 8 explains how to implement requirements
in ISO 30301:2019, Annex A.


Clauses 9 and 10 deal with performance evaluation and improvement against planning, objectives and
requirements defined in ISO 30301.
For each of the Clauses 4 to 10 of ISO 30301:2019, this document provides the following:
a) the activities necessary to meet the requirements of ISO 30301 – activities can be done sequentially,
while some will need to be done simultaneously;
b) inputs to the activities – these are the starting points and can be outputs from previous activities;
c) outputs of the activities – these are the results or deliverables, with special mention to mandatory
documented information, on completion of the activities.
The concepts of how to design the operational records processes are based on the principles established
by ISO 15489-1. Other documents developed by ISO/TC 46/SC 11 are the principal tools for designing,
implementing, monitoring and improving records processes, controls and systems, and can be used in
conjunction with this document for implementing the detailed operational elements of the MSR.
Organizations that have already implemented ISO 15489-1 can use this document to develop an
organizational infrastructure for managing records under the systematic and verifiable approach of
the MSR.




INTERNATIONAL STANDARD ISO 30302:2022(E)

Information and documentation — Management systems for records — Guidelines for implementation

1 Scope
This document gives guidance for the implementation of an MSR in accordance with ISO 30301.
This document is intended to be used in conjunction with ISO 30301. It describes the activities to be
undertaken when designing, implementing and monitoring an MSR.
This document is intended to be used by any organization, or across organizations, implementing an
MSR. It is applicable to all types of organization (e.g. commercial enterprises, government agencies, non-
profit organizations) of all sizes. This document is intended to be used by those responsible for leading
the implementation and maintenance of the MSR. It can also help top management in making decisions
on the establishment, scope and implementation of management systems in their organization.

2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 30300, Information and documentation — Records management — Core concepts and vocabulary
ISO 30301, Information and documentation — Management systems for records — Requirements

3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 30300 and ISO 30301 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

4 Context of the organization

4.1 Understanding the organization and its context

4.1.1 General

The context of the organization should determine and drive the implementation and improvement of
an MSR. The requirements of this clause are intended to ensure the organization has considered its
context and needs as part of the implementation of an MSR. The first part of this analysis is to determine
internal and external issues relevant to the purpose of the MSR and how they affect its ability to achieve
the intended outcome.
The contextual analysis can be used to define the scope of the MSR (see 4.3). However, if the top
management determines the scope of the MSR as the starting point, before identifying contextual
issues, then the extent of the contextual analysis is defined by the scope.


Contextual information should be from a reliable source that is accurate, up-to-date and complete.
Regular review of the sources of this information ensures the accuracy and reliability of the contextual
analysis.
Examples of important issues in identifying how the external context affects the MSR are:
a) how the complexity of the organization’s structure, business and legislative environment will affect
records policy, processes, systems and controls;
b) how a competitive market affects the need to demonstrate efficient processes.
Examples of internal issues affecting the MSR are:
1) how laws, regulations, policies, standards and codes affect the design of records processes, systems
and controls;
2) how the skills and competencies within the organization can affect the need for training or external
assistance;
3) how the organizational culture can affect compliance with the requirements of the MSR;
4) how the information technology infrastructure and information architecture can affect the
availability of records systems or records;
5) how rules already implemented can affect the design of the MSR; and
6) how contractual relationships affect records retention decisions or information access decisions.
Sources of information about the organization’s external context can include the following:
— laws, regulations, standards, codes of practice, rules of industry regulators, corporate governance
rules, and directives;
— the litigation profile of the organization and regulatory action affecting the organization;
— economic, financial or environmental analyses from government or industry analysts; and
— media reports.
Sources of information about the organization’s internal context can include the following:
— key corporate documents such as policies, strategies, business plans, annual reports;
— audit reports;
— organizational structure, definition of roles, responsibilities and delegations;
— internal standards, guidelines, codes;
— business process maps or descriptions;
— skills assessments;
— information systems inventories;
— information or data models;
— risk analyses;
— information security framework;
— contextual analyses from implementation of other management systems standards;
— project management methodologies;
— procurement and contracting models; and
— an understanding of organizational culture (which may not be documented).
Depending on the organization, the identification of internal and external issues can have been
performed for other purposes, including the implementation of other management system standards.
In such cases, a new analysis will possibly not be needed, and an adaptation will suffice.
The contextual analysis is a continual process. It informs the establishment and systematic evaluation
of the MSR (see Clause 9) and supports the cycle of continuous improvement (see Clause 10).
Output
There is no specific requirement to document the results of the analysis, but the organization can
decide to include this in a:
— list of internal and external issues affecting the MSR;
— chapter in a manual or project plan for implementing the MSR;
— chapter in a manual of an integrated management system (including more than one standard);
— formal report on the analysis of the organization’s internal and external context and how it affects
and is affected by the MSR; and
— series of documents about the context of the organization.

4.1.2 Records requirements

Based on the analysis described in 4.1.1 as the starting point, the business needs for records and the
requirements for their creation, capture and management are assessed in relation to the business
functions. ISO 30301 requires documenting both business needs and records requirements.

NOTE This MSS approach for context analysis and identification of requirements is compatible with the
analysis process (appraisal) proposed by ISO 15489-1 and ISO/TR 21946, which also includes elements of
planning (see Clause 6) and identification of the needs for records (see 8.2).

The records requirements affecting the business operation can be business, legal, regulatory or other
requirements.
Identifying business requirements should take the following into account:
a) the nature of the activities of the organization (e.g. mining, finance, public services, manufacturing,
pharmaceutical, personal services or community services);
b) the particular form or ownership of the organization (e.g. a trust, company, non-profit or
government organization);
c) the particular sector to which the organization belongs (i.e. public or private sector, non-profit);
d) the jurisdiction(s) in which the organization operates;
e) planning of future accomplishments and development of business; and
f) risk management and continuity planning.
Examples of business needs for records are as follows:
— requirements to create records to execute or complete specific processes (including web-based
transactions, as well as, but not restricted to, business transaction in emerging technologies such as
social media, mobile computing and cloud computing);
— requirements to create records for financial/operational reporting and control;
— requirements to create records for internal and external reporting;
— requirements to create records to control and monitor outsourced services or processes;
— requirements to create records for analysis and planning;
— requirements to create records to provide information about the organization’s activities to specific
stakeholders, such as shareholders or clients; and
— requirements to create records that explain the conclusions and decisions made automatically by
artificial intelligence, machine learning, big data or similar algorithms.
Business requirements should be identified from the performance of current business processes and
also from the perspective of future planning and development. Special attention is needed when the
organization is implementing:
— automated processes,
— new and emerging technologies [e.g. cloud, mobile, artificial intelligence (AI), machine learning, big
data, internet of things (IoT), blockchain and distributed ledger technologies (DLT), etc.],
— freedom of information (FOI) and government transparency programs, and
— personal identifiable information (PII) protection measures.
In these cases, requirements can change and need to be discussed with the people responsible for the
development and implementation of the proposed new processes.
Examples of the business requirements are as follows:
— requirements to control and access records required in different locations and over specified
periods of time;
— requirements as to what evidence is needed of access to, and use of records (e.g. personal data); and
— requirements to share and re-use information contained in records.
Determining all of the mandatory legal and regulatory requirements applicable to the organization
includes reviewing:
1) general statute and case law;
2) sector-related laws and regulations;
3) privacy and other records and data management legislation;
4) regulation of information security; and
5) legislation for electronic commerce.
Other requirements can come from voluntary standards, codes of best practice, conduct and ethics, and
other sources, for example, the documented information requirements of other management systems
standards.
Output
Documentation of the identification of the business needs of records, and the identification of records
requirements is mandatory in order to conform with ISO 30301. Requirements can be documented all
together or in separate documents by type of requirement. Examples of the kind of documentation are
as follows:
— a list of requirements identified by type (e.g. business, legislative);
— a chapter in a manual or project plan for implementing the MSR;
— a formal report on identification of requirements for the MSR;
— a list of all applicable laws and regulations related to the creation and control of records; and
— a set of legal precedents on particular subject matters relevant to the organization.

4.2 Understanding the needs and expectations of interested parties


The results of the analysis described in 4.1 should help to determine the interested parties that are
relevant to the MSR as well as their requirements.
Examples of interested parties are as follows:
— employees;
— customers;
— investors;
— suppliers;
— regulators;
— competitors;
— trade and professional associations;
— academia and researchers;
— communities; and
— nongovernmental organizations.
Each type of interested party can have different needs and expectations in relation to records.
ISO 30301 provides some general examples which include good governance, transparency, protection
of the legal rights and entitlements, availability of records for research, and the records documenting
significant historical and cultural events. Each organization should make its own analysis and
determine if some or all of them apply.
When addressing the needs and expectations of interested parties, the organization should take into
account:
1) how external interested parties' values or perceptions affect records retention and disposition
decisions or information access decisions;
2) how relationships with internal interested parties, values or perceptions affect the way records
are managed; and
3) how records are made available to interested parties.
Assistance in identifying needs and expectations of interested parties can be obtained from different
sources, for example:
— legal experts with knowledge of civil and common law and the interaction between them (this is
particularly important where organizations operate across multiple jurisdictions);
— employees with wide understanding of their business area;
— customer panels;
— records, information technology and systems professionals;
— auditors, risk and other compliance professionals; and
— records/archives institutions or regulatory bodies.


Output
There is no specific requirement to document the results of the determination of interested parties and
their requirements, but the organization can decide to include this in:
— a formal study identifying interested parties;
— results of an enquiry on relevant needs and expectations of these interested parties; or
— a summary of identified needs and expectations.

4.3 Determining the scope of the MSR


The scope of the MSR is a decision made by top management and clearly outlines the boundaries,
applicability, inclusions, exclusions, roles and relationships of the component parts of the MSR.
The scope can be defined as a result of the contextual analysis, taking into account identified issues
(see 4.1.1), records requirements (see 4.1.2) and needs and expectations of interested parties (see 4.2)
but can also be stated by top management from the starting point before identifying issues, records
requirements and needs and expectations of interested parties.
The scope includes the following:
a) identification of what parts or functions of the organization are included. It can be the whole
organization, an area or department, a specific function or work process or a group of them;
b) identification of relationships between organizations when MSR is established for specific functions
across organizations and the roles of each of these organizations;
c) description of how the MSR integrates with the overall management system and with other specific
management system standards implemented by the organization (e.g. ISO 9001, ISO 14001 and
ISO/IEC 27001); and
d) identification of any processes that affect the MSR that are outsourced and the controls for the
entities responsible for the outsourced process.
Output
Documentation of the scope is mandatory in order to conform with ISO 30301. This can be a single
document or be included in other MSR documents such as the records policy (see 5.2) or in manuals or
project plans to implement the MSR.

4.4 Management system for records


Implementation of an MSR includes establishing, maintaining and continually improving the system
following the requirements of ISO 30301. The overarching requirements are specified and related to
the set of processes that, together, form an effective management system for records in conformance
with ISO 30301.
The processes in ISO 30301 include:
— analysis and strategic planning (see Clauses 4 and 6);
— operational planning and record processes, controls and systems (see Clause 8); and
— performance evaluation processes externally provided processes, where applicable (see Clauses 9
and 10).


Output
There is no specific requirement to document the requirements in this clause because the requirements
for documentation of the management system are explicitly identified in the other clauses of this
document.
The main output of this clause is the management system for records fulfilling the requirements of
ISO 30301.

5 Leadership

5.1 Leadership and commitment


The leadership and commitment of top management to implementing the MSR is stated as explicitly and
at the same level of detail as for any other management systems implemented by the organization and
as for its other assets, e.g. human resources, finances and infrastructure.
Leadership and commitment of top management includes:
— ensuring that the records policy and records objectives are established and are compatible with the
strategic direction of the organization;
— ensuring the integration of the MSR requirements into the organization’s business processes;
— ensuring that the resources needed for the MSR are available;
— communicating the importance of effective records management and of conforming to the MSR
requirements;
— ensuring that the MSR achieves its intended outcome(s);
— directing and supporting persons to contribute to the effectiveness of the MSR;
— promoting continual improvement; and
— supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.
The requirement to demonstrate leadership and commitment of top management does not require a
specific activity to be performed but is essential for the success of the MSR. Leadership and commitment
is also implicit in other requirements of ISO 30301 relating to resources (see 7.1), communication
(see 7.4) and management review (see 9.3).
Output
There is no specific requirement to document the leadership and commitment of top management to the
MSR, except in the records policy (see 5.2), which can be considered as evidence of that commitment.
Commitment can also be demonstrated by actions or statements but depending on the nature and
complexity of the organization, evidence of leadership and commitment can be documented in:
— minutes of boards of directors or boards of management;
— statements in strategic and business plans;
— management resolutions and directives;
— budgets, business cases; and
— communication plans.
