The Business System Assessment Framework
The Business System Assessment Framework will enable your agency to better manage its business information through:
- assessing information and data risks and values
- identifying the systems functionality required to manage information and data appropriately
- providing solutions to address gaps in a system's ability to manage information and data
- ensuring greater accountability and transparency.
The framework recognises that not all information and data is of equal value. It has been developed so that business systems managing high-risk or high-value information and data undergo a more extensive assessment than systems managing low-risk or low-value information and data.
The framework can be used to build functional specifications for new systems and applied to existing systems. It is suitable for use by information management practitioners, business owners and ICT staff.
Note that the framework does not apply to Electronic Document and Records Management Systems (EDRMS) as they are covered by Part 2 of ISO 16175 Principles and Functional Requirements for Records in Electronic Office Environments, which requires more comprehensive functional requirements than Part 3.
Before you begin
The framework is part of a larger suite of information governance tools. To assist with assessing your business systems, you should have:
You need to identify the systems in your agency. One way of doing this is to create a systems register listing all the business systems in use in your agency including any legacy systems. The register should list key details about the system including name, version, business owner and a summary of the type of information held. It should also indicate where systems are linked to, and relied on by, other systems. The details in the systems register will help you to prioritise which systems to assess. High-risk and/or high-value systems should have priority.
Identifying all the systems in use will help you keep track of where you are up to with your assessments. If you do not have a systems register, a good place to start to identify systems would be your ICT area. You may also be able to draw on information from your business continuity plan, Check-up assessments or information review findings.
System information management plan
The assessment of each system should be documented in a system information management plan template (PDF, 152kB). The plan should:
- link to your systems register and other information governance documents
- cover all relevant information about the system including software, business owners, how it will be managed over its life and details about its assessment against the framework
- extend to systems and technology hosted in the cloud, or via social media and mobile devices.
If you have questions or feedback about the framework please contact the Agency Service Centre by using our inquiry form.