By Tim Bovy and Ian Hodges
The functional role of information and records in the contemporary world could not be more relevant to the successful implementation of ESG. Achieving a reporting system capable of measuring ESG compliance and of driving progress will rely on an evidence base from disparate sources across global supply chains with widely differing levels of integration and often unique and dynamic operational contexts. ISO 15489 is the foundational bedrock on which a successful and future-proofed ESG reporting system can be built.
Standards ensure consistency and often set a minimum benchmark. This in turn allows for reporting under common conditions and comparison within and across enterprises. They can have extraordinary value to enterprises, regulators, consumers and activists. They provide defined terms, heuristics and diagnostics of value beyond the immediate context of the specific standard they inhabit.
ESG initiatives should draw on management standards reflexively and frequently. They are a resource of considerable value in pursuing compliance, with reporting standards such as the ISO 27000 series, ISO 31000 series, and ISO 9000 series widely used.
All these standards are pertinent to ESG, while others, such as ISO 14001 (environmental management systems) and ISO 26000 (social responsibility) are specifically relevant.
Significant though these standards are, we contend that none is more foundational than ISO 15489. Described as the ‘core standard on recordkeeping’[1] and revised in 2016 to better address our increasingly digital and online organisational structures, it remains a comprehensive model for recordkeeping. Without a coherent understanding of the evidential value of records and their identification, authentication and management throughout their lifecycle, compliance with management standards is fatally compromised.
Their evidential value and authenticity are particularly important in establishing transparency and accountability. The success of any large enterprise, as we have previously noted, is contingent on its ability to respond to what it finds while demonstrating executive accountability.[2] The public and customers want to know, for example, that the authenticity of records can establish the claims an enterprise makes when faced with negative ESG consequences. “Records provide evidence of what has been done or decided on in the past and are used to prove that obligations have been met or best practice complied with. Accountability may include legal, regulatory and fiscal requirements, audits and inspections, or explanations of certain situations….Records do not have specific formats, but can be both data, documents or other forms of information. Key are the characteristics of a record, that it provides evidence of a business activity or transaction and has the qualities of a record; authenticity, reliability, integrity and useability (ISO 15489-1:2016). Records are results of business activities, but also have an impact on business activities.”[3]
ISO 15489 is almost a Cinderella standard among the many codifications of good practice in management that the International Organisation for Standards (ISO) produces. Its peers are feted by numerous cheerleaders while it is rarely celebrated other than by records managers, who themselves are often marginalised and removed from direct influence on the organisations they serve. It is too easily seen as niche, esoteric and perhaps even academic. It can feel bureaucratic and inspire that visceral shudder that so many experience when bureaucracy is mentioned. However modern organisations need to embrace bureaucracy and, as we will show, modern organisations have embraced bureaucracy.
Records managers are the bureaucrats’ bureaucrats. They are concerned with the efficient use and control of the documentary record of an organisation. The evidence that correct processes have been followed and a transparent audit trail created. They understand the value of the documents they manage and the information contained within them. They know this value changes over time, often decaying with age and occasionally gaining significance from an ability to inform later events and changed contexts as insightful precedents.
Bureaucracy, as any records manager will attest, should never be a derogatory term. It is simply the administrative system governing any large organisation. It is the rules-based rational exercise of authority through controlled (defined and repeatable) processes. Arguably, and when done well, it is the most rational and efficient way to organise any large organisation. To do it well requires a degree of vigilance over the growth of processes and a clear understanding of the goals and objectives of all administrative processes. It requires a continuous examination of the minimum administrative burden needed to achieve sound administration. Ockham’s Razor in a business context. Standards provide a framework for just this kind of assessment, and none more so than ISO 15489.
In the lexicon of standards writers, the language of ISO 15489:2016 is normative, not prescriptive. It does not tell you what to do, it tells you what you are doing. It sets out to establish a global standard for records management systems and describes the principles of records and recordkeeping required to underpin what it describes as a Management System for Records (MSR) which is itself defined in ISO 30300.
“An MSR links the management of records to organizational success and accountability by establishing a framework comprising policy, objectives and directives for records.”[4]
It is important to acknowledge the ambition of this latest version of the standard. The standard had always been indifferent to the specific technology of records and instead has sought to describe them in language applicable to both digital and physical objects. The working group producing the 2016 revision recognised that a new version could be in place for many years and, informed by a World Economic Forum paper on technological and societal changes[5], aimed to produce a standard that was forward looking and recognised the loosening of organisational, geographic and physical constraints on records management. They have placed records and recordkeeping in a context of dynamic societal and technological change, as both influenced by and influencing that context.
Reflecting on the process of drafting the current revision, one working group member wrote “We observed that when the work we do is powered by data and recorded in detail, granular and readily updatable access rules need to be executed in sophisticated ways. We saw that information and records were no longer necessarily constrained by organisational, geographic or physical limits – that new models for business were extending responsibilities for records beyond traditional organisational and jurisdictional boundaries. There were increased expectations of transparency in decision-making from business and government by the general public, customers, users of services, records’ subjects and others with an interest in how records are created, captured and managed. Expectations for information security and privacy were also becoming increasingly significant to stakeholders – both within and outside of organisational boundaries.”[6]
This insight into the functional role of information and records in the contemporary world could not be more relevant to the successful implementation of ESG. Achieving a reporting system capable of measuring ESG compliance and of driving progress will rely on an evidence base from disparate sources across global supply chains with widely differing levels of integration and often unique and dynamic operational contexts. ISO 15489 is the foundational bedrock on which a successful and future-proofed ESG reporting system can be built.
About the Authors
Tim Bovy has over 35 years of experience in designing and implementing various types of information and risk management systems for major law firms such as Clifford Chance; and for international accountancy firms such as Deloitte. He has also developed solutions for organisations such as BT, Imperial Tobacco, Rio Tinto, the Kuwaiti government, The Royal Household, and the US House of Representatives. Tim is an elected member of The Royal Institute of International Affairs, Chatham House, an Independent Think Tank based in Central London, and holds a BA degree, magna cum laude, from the University of Notre Dame, and MA and C.Phil degrees from the University of California, Davis.
Ian Hodges has worked in a variety of information management roles over a twenty-year career. He has designed and implemented records and information management systems at a national scale, developing parts of the digital archive at The National Archives (UK). At a corporate level he’s undertaken information management projects with The Royal Household and Her Majesty’s Treasury. Ian also has information rights expertise developing policies and procedures for Freedom of Information and Data Protection compliance and working as a Data Protection Officer. In addition to CISM, CIPP/E and CIPM certifications, Ian holds a BA degree from the University of Southern Queensland, a postgraduate diploma from Deakin University, Melbourne and an MA from Birkbeck, University of London.
References
[1] Kelvin Smith, Cassie Findlay, et al, Recordkeeping in the digital age: introducing the revised ISO 15489, ICA https://www.ica.org/resource/recordkeeping-in-the-digital-age-introducing-the-revised-iso-15489/
[2] Tim Bovy and Ian Hodges, “The Climate Crisis and Executive Accountability,” The European Financial Review, September 26, 2025, available at https://www.europeanfinancialreview.com/the-climate-crisis-and-executive-accountability/
[3] Tove Engval, “Records roles in Corporate Sustainability Reporting,” Mittuniversitettet, 2019 available at https://www.diva-portal.org/smash/get/diva2:1339932/FULLTEXT01.pdf
[4] ISO 15489-1 2016, Part 1: Concepts and principles, vi.
[5] World Economic Forum, Deep Shift: Technology Tipping Points and Societal Impact Survey Report, September 2015. https://www3.weforum.org/docs/WEF_GAC15_Technological_Tipping_Points_report_2015.pdf, accessed 30 November 2025..
[6] Cassie Findlay, Crunch time: the revised ISO 15489 and the future of recordkeeping, Archives and Manuscripts, 2018, vol 46 no. 2, p223.
