Business System Assessment Framework

Assessing your systems' information management capability

The Business System Assessment Framework (DOCX 620 kB) helps you evaluate how well your organisation’s systems manage information. It uses a risk-based approach to find any gaps or issues. It can be applied to both new and existing systems. It’s designed for use by:

  • information management practitioners
  • business owners
  • IT staff.

The framework:

  • recognises that not all records carry equal value or risk
  • should not be used for Electronic Document and Records Management Systems (EDRMS)
  • aligns with ISO 16175 Part 1: Functional requirements for recordkeeping software
  • supports the Building trust in the public record policy actions by:
    • ensuring business systems meet functional and minimum metadata requirements for information management (action 10)
    • identifying remaining analogue processes and planning for transformation to digital, based on business need (action 15).

The framework has 3 phases

Phase 1: Preliminary system assessment

This consists of 5 questions that determine whether a full assessment is needed, based on the risk and value of records in the system.

Phase 2: Information management functionality checklist

This assesses whether the system has the functionality needed to ensure records are trusted, discoverable and usable over time. This phase has four modules:

  • Information is trusted and can be found
  • Disposal is accountable
  • Export/import
  • Reporting.

Phase 3: Implementing solutions

This phase provides suggestions on how to resolve any functionality gaps or risks identified in Phase 2 by:

  • building in functionality
  • integrating with other systems
  • exporting records out of the system
  • managing risks through governance, i.e. policy and procedures.

The decision to address gaps or risks will be based on your agency's risk tolerance.

Tools to help you assess your business systems

Use the framework as part of your agency’s approach to information governance. To assist with assessing your business systems, refer to the following.

Systems register

A systems register is a list of all the business systems your agency uses, including older or legacy systems. It should include key details such as:

  • the system's name and version
  • business owner
  • the types of records it holds
  • any links or dependencies it has with other systems.

Having this information helps you decide which systems to assess first—usually the ones that hold high-risk or high-value records.

Identifying all the systems in use will help you keep track of where you are up to with your assessments. If you do not have a systems register, a good starting point is to consult your:

  • ICT area
  • business continuity plan
  • Check-up assessments
  • information review findings.

Systems information management plan

The assessment of each system should be documented in a system information management plan (DOCX 285 kB). The plan should:

  • refer to your systems register and any other relevant information governance documents
  • cover all relevant information about the system including software, business owners, how it will be managed over its life and details about its assessment against the framework
  • extend to systems and technology hosted in the cloud, or via social media and mobile devices.

Contact us

If you have questions or feedback about the framework, please contact the Agency Service Centre by using our inquiry form.
